2021-04-21 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=2104_mmvm
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79. [email protected]
80. [email protected]
81. [email protected]
82. [email protected]
83. [email protected]
84. [email protected]
85. [email protected]
86. [email protected]
87. [email protected]
88. [email protected]
89. [email protected]
90. [email protected]
91. [email protected]
92. [email protected]
93. [email protected]
94. [email protected]
95. [email protected]
96. [email protected]
97. [email protected]
98. [email protected]
99. [email protected]
100. [email protected]
101.  
102. MALDOC LANDING PAGE URLS
103. https://docs.google.com/document/d/e/2PACX-1vQa2lHec3aZnDrLASlpJANv574j5N7zAEvEbdf5y4rjRM_z1zSgoTiZ2GP4pAdYKOeuj4o-gAIDGGcv/pub
104. https://docs.google.com/document/d/e/2PACX-1vQdEBn0WvNfP9CRUjnQx2x01YkjNbb0Vhi1OENoHIQKgLtSZtUgN1UL5bVWxImqWPzQ21HURkE5fVhf/pub
105. https://docs.google.com/document/d/e/2PACX-1vQEa0zlAHYVsGyemrGwIW_fOKwxrMKBHEF9Sdm1uKeGcrar1deBmB-eJRMUiwOWW1MS5ggEkDHQDYNM/pub
106. https://docs.google.com/document/d/e/2PACX-1vQfO-ruwcykeoPRw7PfH2LPcPWqTpv00D5O38Km_asVhQFG69LE9MM_7cVoorE99ZRsNP0dJkDskHzC/pub
107. https://docs.google.com/document/d/e/2PACX-1vQh35a9V8flfaWkal1nkqiEnZB6_ZwM06bjeGN4lrmhuqm9b8vP0e8innfjhSlpzCBfmDz3uZnyZzpd/pub
108. https://docs.google.com/document/d/e/2PACX-1vQHcrYLhbekiuMnEiD3Nb0hYNUQ7_1oFHe47kZlxe2i1p8B7jlv1sI79IuoPQBwrkZYF6vTqWpjqivf/pub
109. https://docs.google.com/document/d/e/2PACX-1vQISxZrfByci4x75sRWCca0urG52NnugelbV5qere56_QB2jD9AvDjxOWuWUHFbPWS6L9-hHB-BYxIq/pub
110. https://docs.google.com/document/d/e/2PACX-1vQl6loBT1Qe31USrvN_SRBD3WGbmDs_Bw_TDGdwbh6xZsSwp_sUnEE7dSwswUk7IeesMTle5yXysegg/pub
111. https://docs.google.com/document/d/e/2PACX-1vQOnrn9q5CIDsk44vRNJcQRDwDiUT3zGyzId26TORz0FwJVq6nBs1kgzTQAS1iWQswgu8wIbLBOR87C/pub
112. https://docs.google.com/document/d/e/2PACX-1vQpjNlornWkq1buphnSR20lu_Hfws7kptX5TROer5Yco9Hkn0z3C-aR1KwuGTiJhMFgnc2XRAWo0mo1/pub
113. https://docs.google.com/document/d/e/2PACX-1vQwI2O6z1_v2dWXrfVa4KD_jaR6-UlYNIFXWto96jxDNMIpgW1WxmgU2uwLjVFmaqpLOIpR4LeEFjch/pub
114. https://docs.google.com/document/d/e/2PACX-1vQXNV5a5h1NyQ1yq4_45DV24WWxRZJSJ_S17opfHzoAmX4iJxuiFOo4NB2hffB_h2DzLCtcscs8hxcQ/pub
115. https://docs.google.com/document/d/e/2PACX-1vR2v41XfMLXw6EgXwtZd6h2_HvVB6Q7JBxUptYO5EYT_N1tSPl0wKKmT5l99qNgpkE8TVmJd3G0jmPp/pub
116. https://docs.google.com/document/d/e/2PACX-1vRAGWzf1uzxhP5eNGOw23yOuaxaj-nTi-d1jJ2hFT74xiBGxMsAXpIPCNAfhr9rEVFJxiawAtdnzhs5/pub
117. https://docs.google.com/document/d/e/2PACX-1vRBCTLEtArIY9Mx74OcJIy_suY3dm4Xp3B2oi7ANYd3HxoIpZaWkYmDh6zfisNKpECCBZLEn-OJCNyI/pub
118. https://docs.google.com/document/d/e/2PACX-1vReoezs5sDLT2VJlMqgQVlmhK8HfcCxtLpdsAmST6ISu9ua0g5jE5f0VKlRmT3KDO5QW2-mJ3Bo_vTd/pub
119. https://docs.google.com/document/d/e/2PACX-1vRLgwm6BEmaW0oNXqXm3qzYa3QJvLNOE92MLl8qqHgfGynI39jZ8cM8uaO-Jgolg93dk4q9kAHhIJCv/pub
120. https://docs.google.com/document/d/e/2PACX-1vRlzXnXl36ULudYzNy1sKnUkSfcfTNfc2jRjHlutIwlcK8VlxDMTaUcrbTKilfYctq-6RpAG09qXU6Z/pub
121. https://docs.google.com/document/d/e/2PACX-1vROu-maSYq19ditdu6FuN_vSa-6e8-pO0_wQGkEdJcFQwKHX7gvnjeTD8azWX_tI2AHqqkwR_SJ9lCM/pub
122. https://docs.google.com/document/d/e/2PACX-1vRRTp08k8UdPWUcy9Yj_6cefz3LCzEdQq_oKkStjuMwqvx0A0R_MTcFP2nALLoFkOGelSsgm6c0mi0H/pub
123. https://docs.google.com/document/d/e/2PACX-1vRT2ZJJvO1E9PpSMlPL-wqMMG0-2y_CNg69nQd_HYP9xPh21TOuAYkuHxbbvD9g1Nz4ZraPQa25Cu-0/pub
124. https://docs.google.com/document/d/e/2PACX-1vRw1edhLCIqUWnA6Dq92xEdlSZk_kHWNpmRpuEyPNxIMfpar0L7Z53Tk_lKMfyX3aKe8BKStm67J2TP/pub
125. https://docs.google.com/document/d/e/2PACX-1vRyJXRwh1FyCeKdNAqN9xrfFIx3S-rSh9pC_OHpbDDpmxQHcBBmKH7mmyY-eKzwmbAi3KS7JYDDttcM/pub
126. https://docs.google.com/document/d/e/2PACX-1vS5vpJw__m2JLmyUFikO55zLW25S6riKy1I8E4xRLMu12Qz4RwmVJBa2gegJB5MvN2IE0ca5vCgzjyH/pub
127. https://docs.google.com/document/d/e/2PACX-1vS7EWKL4YkJy154I9dUo1jOKVMwsiEGfBEVLMyCCR2Ibchmlu4Q4BsRDs1N1IFTCnZCR6-GxpZp00-9/pub
128. https://docs.google.com/document/d/e/2PACX-1vS9uhdbHrieXFlHrbXqC_FbaOGlKWFmnFuHrILrzmhz9OfrWiD2XuY5JBlj2Qu8CDevKxxqRflBtBDv/pub
129. https://docs.google.com/document/d/e/2PACX-1vSBInSakIkxFrMcLsoS-DLw8ZMMu5fu3UJVvc9n2fQd4XJi65Ezwrn1zlWoCREtvomMqTpsxxdrabHb/pub
130. https://docs.google.com/document/d/e/2PACX-1vSDN9xAIsJNYpp_ICrdeHEP2ExvLd-nmxABd03U2Eq6IeuUxjFdCc8OG87Xm_IH8Xe2FZRdcyenUQyJ/pub
131. https://docs.google.com/document/d/e/2PACX-1vSEDJ9Fy72QCFFY7s0NKH5XA-NB10WY61P7ZiPQDnT7DVmH5YM957TxrgHE7sH40biZG8pp5H_9qKQR/pub
132. https://docs.google.com/document/d/e/2PACX-1vSKL0lLBrwM4uxQJ0Rg5xkWENdA6jQaCf-7E1CCg6j6VFvPN1Z8KodWFpgoazVoj1jcJ5zuqX58Qokb/pub
133. https://docs.google.com/document/d/e/2PACX-1vSkTFbot3U3572aLoJnP4WFckj5wdiS3d_wDlrYVWtS2uOfNAnQsdG761lQV1pH1lecvPsbWRJTvNO5/pub
134. https://docs.google.com/document/d/e/2PACX-1vSM879svKlBvmYIytybeF1f2hHzOiFkb9pjcgN2-341U7zYNpv7UtCSzlklg9tO1b8aMLceF2CIDyWL/pub
135. https://docs.google.com/document/d/e/2PACX-1vSPd4xYMdpZFjT1emIk5FZvst5-dxpTEb4_nWxhh-3yOw3mwmmtnI587kFjpKiKo_HacJQlilGab0JZ/pub
136. https://docs.google.com/document/d/e/2PACX-1vSPV0SOHQVTF8KWc-mYD-MMKXqO0I6YEJTgh_tY3BbeuanKiUedMCxT_ukLosiXu2P_nCSctu85Kciz/pub
137. https://docs.google.com/document/d/e/2PACX-1vSu-rx1O-449oVuKPQ1LnYu0oYWPWMMX8ZaZL-nK23_rgOXH8GS4wwrcc4_FZRyP7eO6ydVPB6_Necn/pub
138. https://docs.google.com/document/d/e/2PACX-1vSUfRJSOiGSp3u9owyx4TiDOXMYvsEBbBaH_PwxDqRAaP_phSgwEVOEx6jPsbFVWP58E63XJXEEIbc8/pub
139. https://docs.google.com/document/d/e/2PACX-1vSUhKkE-N6eWH7ErUNgIUkfAs2jWD8xlxjVjwlYR9XfhytvoYsd53WG6equB41BfqSa8l64LEwk5VJC/pub
140. https://docs.google.com/document/d/e/2PACX-1vSupd7_rLVbmVjH7wX0RGZJmmaC64o-jy5wlY-w8yuTdh1yUPobB9jrbglhASsTyZdpYRGsiW5-SbMC/pub
141. https://docs.google.com/document/d/e/2PACX-1vT7rLG2XliW2GCkXflTxbY1h49-WQmpt5k8nmqIEY4zDp-2nh0rXHc7KZpS56f-1NONKWBzMO_pzJUk/pub
142. https://docs.google.com/document/d/e/2PACX-1vT97j6fwNrBGgW0SS9SYW_pZpc07QgeRLpDW4vTHzo1VDEeQH6mBESvuR632JMxyQ-xk3oNYhRTBF8I/pub
143. https://docs.google.com/document/d/e/2PACX-1vTbipHF2eY1qSkQlVqA_MUBRCi-XIRersQ9nEJsHfK7ekWhR9cmZIPDJYvh1YA_erVyNdm491dM8bYv/pub
144. https://docs.google.com/document/d/e/2PACX-1vTdMUal8BN-eYyMLNzboRWxx_XcOyDPYBpjtuTltKukVfVvuhAsjqScV98b_CXvTbXkzRe_EE0hrt-t/pub
145. https://docs.google.com/document/d/e/2PACX-1vThlseMwnpDOxvxTS07uvFWn3KXSW9OCW-4oENqoodMn6Puz_7gRfxsdTKPARZppyuiHhWvu5D3R-Oi/pub
146. https://docs.google.com/document/d/e/2PACX-1vTkOs626eYb-x8Vr5Arjf2yfCi63piUGrja5Ge8aNBm3OEM8gxy1223rSK2VaQr1s2T588bYCA7nVgH/pub
147. https://docs.google.com/document/d/e/2PACX-1vTlTg5j2mQR_LH5rWjHtnua6wv-fXKtoxAdsgmyJkIQYTJtNpxFGodLdcS_n2RsISKQAweL6d_Q3Gyg/pub
148. https://docs.google.com/document/d/e/2PACX-1vTmtVCeUGuj9SZBiwrInw2hMU55FaIgmO2BQBOVBQHcaV-T_AYQeM9Tow-_gY6bMhxFYjrvLFHRUNQG/pub
149. https://docs.google.com/document/d/e/2PACX-1vTONk1Gncg3V7aohk6stjUdWuui2mOPOPWPyaKT00lr0rPt0Z6uDrHF_d7Xmrc8Zk5QJujg2A9GHu1l/pub
150. https://docs.google.com/document/d/e/2PACX-1vTqsSez9S1wkA6lJM1f3YLC1pEsj-cqgqfskaeYLchE0sVVwCvCwlj5Zp8m3EpfQsBQ5X3_57oZ9P_Z/pub
151. https://docs.google.com/document/d/e/2PACX-1vTu46shua6yyuorCW5oPyk5ZWPZWS_gefOhO8lTGe21dKWfLjipuX9F_VFmRzWD-i9iqZALwzKRIKo6/pub
152. https://docs.google.com/document/d/e/2PACX-1vTxCO4pUWdniWhJdu5xUjLoRvgLjQgqbKpAkx6QJUBXwrQOXCH8wLgzrrCWiFTzHtD4noC856HjC4Ip/pub
153.  
154. MALDOC DISTRIBUTION URLS
155. http://alltestagain.lukehadaj.com.au/odorless.php
156. http://alltestagain.lukehadaj.com.au/standalone.php
157. http://ecofiltroform.triciclogo.com/warner.php
158. http://folstop.com/subchapter.php
159. http://folstop.com/valve.php
160. http://ingenier.co.cr/dangle.php
161. http://kensingtonglobalservices.co.uk/deceive.php
162. http://swsgroup.sws-group.net/beatitude.php
163. http://swsgroup.sws-group.net/vs.php
164. http://tonmatdoanminh.com/firebrick.php
165. http://www.e-voks.dk/whop.php
166. https://3g-electronic.net/bloodstain.php
167. https://3g-electronic.net/shot.php
168. https://3g-electronic.net/usher.php
169. https://allendostmen.com/invest.php
170. https://aquamarket.com.ec/sergeantship.php
171. https://chandlerfla.net/mitosis.php
172. https://chandlerfla.net/psychical.php
173. https://codesterio.com/stank.php
174. https://contentconsultants.in/mitre.php
175. https://design.wyloutgroup.com/supressed.php
176. https://facturasenlineamarx.com/inflammation.php
177. https://facturasenlineamarx.com/tacitly.php
178. https://henkvandenakker.name/philippine.php
179. https://istgahbazi.ir/led.php
180. https://manufacturing.wyloutgroup.com/jingle.php
181. https://primeservmanpower.com/transductor.php
182. https://rubinet.com.br/debilitating.php
183. https://socialpromotion.store/herself.php
184. https://starreachersng.com/acrimonious.php
185. https://tsbo.company/banning.php
186. https://viveroscamila.cl/applicator.php
187. https://viveroscamila.cl/discretion.php
188. https://www.ceethoglobal.com.ng/campus.php
189. https://www.ceethoglobal.com.ng/potion.php
190. https://www.hellosiroco.com/adrenaline.php
191. https://www.hellosiroco.com/improvable.php
192.  
193. 3g-electronic.net
194. allendostmen.com
195. aquamarket.com.ec
196. ceethoglobal.com.ng
197. chandlerfla.net
198. codesterio.com
199. contentconsultants.in
200. e-voks.dk
201. facturasenlineamarx.com
202. folstop.com
203. hellosiroco.com
204. henkvandenakker.name
205. ingenier.co.cr
206. istgahbazi.ir
207. kensingtonglobalservices.co.uk
208. lukehadaj.com.au
209. primeservmanpower.com
210. rubinet.com.br
211. socialpromotion.store
212. starreachersng.com
213. sws-group.net
214. tonmatdoanminh.com
215. triciclogo.com
216. tsbo.company
217. viveroscamila.cl
218. wyloutgroup.com
219.  
220. HANCITOR MALDOC FILE HASHES
221. 057a528d5f6578b3d20956c53b71c105
222. 191fb95949d274f2d0c37133866974bc
223. 2556784b1def89645da5d4894f1a84c9
224. 4427ec7dc5ce591b43e147cc4a49ac1e
225. 4b6ec54804d7e223f62f4cd4fcc0262a
226. 4f94bb33078b82358cb34622c13accf6
227. 5655271154fa66162791f188e174369f
228. 5a58566397c5dab7cf6d5cc16db13f3a
229. 74591b1e85cbfc849a7f0db6872a1f54
230. 79ba2942cae8e8c010e715b1d8a5028f
231. 849ff5a22dc506937e8f6faff2e76114
232. 8b457f52ab30a3ff742443001df1be56
233. a240ab65fe550a5e864948ffe28b65e4
234. af0ec5ccac5c1c6d6bbd5ac174184a2f
235. b39ccc1a1d228a867dea7bd0a786d41c
236. be7b55bc9f0170d518ebd6b40a72adc5
237. f6307efab9d5abfe2bc4198b6520ca41
238.  
239. HANCITOR PAYLOAD FILE HASH
240. edge.dll
241. bfe1bf1aa88155a2f61f8bc7ba73bc8c
242.  
243. HANCITOR C2
244. http://lectionalt.com/8/forum.php
245. http://palimenciont.ru/8/forum.php
246. http://sidainopecelf.ru/8/forum.php
247.  
248. FICKER STEALER DOWNLOAD URLS
249. http://bambinoska.ru/6gfd33ghj.exe
250.  
251. FICKER STEALER FILE HASHES
252. 6gfd33ghj.exe
253. 77be0dd6570301acac3634801676b5d7
254.  
255. FICKER STEALER C2
256. http://sweyblidian.com
257.  
258. COBALT STRIKE STAGER DOWNLOAD URLS
259. http://bambinoska.ru/2104.bin
260. http://bambinoska.ru/2104s.bin
261.  
262. COBALT STRIKE STAGER FILE HASHES
263. 2104.bin
264. 3cd8759c6805f5ed97686f0d5d270203
265.  
266. 2104s.bin
267. f4693f6d469a9ede94f96aba5afe7f81
268.  
269. COBALT STRIKE BEACON
270. http://37.1.211.126/tV9Y
271.  
272. COBALT STRIKE BEACON FILE HASH
273. tV9Y
274. 4af1379c6f7ba6c703030ff5634f8d42
275.  
276. COBALT STRIKE C2
277. http://37.1.211.126/en_US/all.js