- THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
- HANCITOR BUILD NUMBER
- BUILD=2207_xwpi67
- SUBJECTS OBSERVED
- You got invoice from DocuSign Electronic Service
- You got invoice from DocuSign Electronic Signature Service
- You got invoice from DocuSign Service
- You got invoice from DocuSign Signature Service
- You got notification from DocuSign Electronic Service
- You got notification from DocuSign Electronic Signature Service
- You got notification from DocuSign Service
- You got notification from DocuSign Signature Service
- You received invoice from DocuSign Electronic Service
- You received invoice from DocuSign Electronic Signature Service
- You received invoice from DocuSign Service
- You received invoice from DocuSign Signature Service
- You received notification from DocuSign Electronic Service
- You received notification from DocuSign Electronic Signature Service
- You received notification from DocuSign Service
- You received notification from DocuSign Signature Service
- SENDERS OBSERVED
- a@alefmex.com
- abeobhu@alefmex.com
- afveu@alefmex.com
- amhgu@alefmex.com
- aqeduma@alefmex.com
- aw@alefmex.com
- azwylq@alefmex.com
- bakenhx@alefmex.com
- baxvn@alefmex.com
- bd@alefmex.com
- biliqji@alefmex.com
- bivoeon@alefmex.com
- biybuvy@alefmex.com
- boduuea@alefmex.com
- borhauf@alefmex.com
- buetolj@alefmex.com
- buqoua@alefmex.com
- byv@alefmex.com
- c@alefmex.com
- coqiufi@alefmex.com
- cywobu@alefmex.com
- d@alefmex.com
- dawzgb@alefmex.com
- dek@alefmex.com
- dilioy@alefmex.com
- dkf@alefmex.com
- dozixzs@alefmex.com
- dxunula@alefmex.com
- dyg@alefmex.com
- dyuw@alefmex.com
- dyxaniz@alefmex.com
- ebayiia@alefmex.com
- ehlzyut@alefmex.com
- eicoiu@alefmex.com
- ejbvafa@alefmex.com
- eo@alefmex.com
- eoear@alefmex.com
- eoiufi@alefmex.com
- epasu@alefmex.com
- equtoua@alefmex.com
- f@alefmex.com
- faaceof@alefmex.com
- fifyui@alefmex.com
- fomtkiy@alefmex.com
- ftxyyc@alefmex.com
- fvegyon@alefmex.com
- fyvucu@alefmex.com
- haiteha@alefmex.com
- haxeawe@alefmex.com
- hde@alefmex.com
- hjuwnba@alefmex.com
- hogurot@alefmex.com
- hohx@alefmex.com
- hpyknai@alefmex.com
- hufurib@alefmex.com
- hyc@alefmex.com
- hyuyyo@alefmex.com
- igiuoaa@alefmex.com
- ijybjqo@alefmex.com
- iluqd@alefmex.com
- ipquwap@alefmex.com
- iwigufy@alefmex.com
- iwlqefu@alefmex.com
- ixunekx@alefmex.com
- jhaisgg@alefmex.com
- johinhi@alefmex.com
- jqezcg@alefmex.com
- jtihkaw@alefmex.com
- juffsut@alefmex.com
- jufuzuv@alefmex.com
- jy@alefmex.com
- jyhjhwe@alefmex.com
- kayuwyl@alefmex.com
- keozoke@alefmex.com
- kinipal@alefmex.com
- knyaeyh@alefmex.com
- l@alefmex.com
- legiuf@alefmex.com
- lkoqyfl@alefmex.com
- llezypw@alefmex.com
- lndcoux@alefmex.com
- lpobxud@alefmex.com
- lupulmu@alefmex.com
- lyziseh@alefmex.com
- m@alefmex.com
- mapuaj@alefmex.com
- masyxe@alefmex.com
- memoa@alefmex.com
- mexabay@alefmex.com
- mfuh@alefmex.com
- mhcoe@alefmex.com
- mizsyyy@alefmex.com
- niuh@alefmex.com
- nu@alefmex.com
- nulndqi@alefmex.com
- nvovyig@alefmex.com
- o@alefmex.com
- odyac@alefmex.com
- ofwr@alefmex.com
- oigogu@alefmex.com
- oinavyx@alefmex.com
- oinupeu@alefmex.com
- osjiw@alefmex.com
- osyiqy@alefmex.com
- pe@alefmex.com
- piiet@alefmex.com
- pimicz@alefmex.com
- piroqs@alefmex.com
- piso@alefmex.com
- pyiz@alefmex.com
- qavoya@alefmex.com
- qciekoe@alefmex.com
- qeqzunr@alefmex.com
- qficusq@alefmex.com
- qhsf@alefmex.com
- qndog@alefmex.com
- qocemox@alefmex.com
- qsguw@alefmex.com
- refyfyp@alefmex.com
- res@alefmex.com
- riqhkau@alefmex.com
- rjuzyqs@alefmex.com
- rmjepia@alefmex.com
- rodulyj@alefmex.com
- rypytem@alefmex.com
- sefokmi@alefmex.com
- seoubae@alefmex.com
- siczkyv@alefmex.com
- siizki@alefmex.com
- sku@alefmex.com
- slfua@alefmex.com
- sogiqip@alefmex.com
- sohif@alefmex.com
- syrf@alefmex.com
- tbuqeot@alefmex.com
- tieqi@alefmex.com
- trnuzy@alefmex.com
- tyhtuqg@alefmex.com
- uitaopg@alefmex.com
- umizeeb@alefmex.com
- umupez@alefmex.com
- uoijmty@alefmex.com
- uoquuma@alefmex.com
- upiwcki@alefmex.com
- upukyke@alefmex.com
- upuoylu@alefmex.com
- uqa@alefmex.com
- uqu@alefmex.com
- utzuaoh@alefmex.com
- uui@alefmex.com
- uvbwra@alefmex.com
- uvuerhv@alefmex.com
- vetivvn@alefmex.com
- vsanoem@alefmex.com
- vuaja@alefmex.com
- vytwcki@alefmex.com
- w@alefmex.com
- wgiaax@alefmex.com
- wgiyqep@alefmex.com
- wj@alefmex.com
- wnny@alefmex.com
- wqv@alefmex.com
- wytfxao@alefmex.com
- x@alefmex.com
- xeneseb@alefmex.com
- xevyefk@alefmex.com
- xiwoagc@alefmex.com
- xoila@alefmex.com
- xpenr@alefmex.com
- xupaaa@alefmex.com
- xwtexye@alefmex.com
- xy@alefmex.com
- xyqa@alefmex.com
- y@alefmex.com
- ybark@alefmex.com
- ydfmu@alefmex.com
- yenevna@alefmex.com
- yhu@alefmex.com
- yim@alefmex.com
- ypgiez@alefmex.com
- ypz@alefmex.com
- yui@alefmex.com
- zbxfeur@alefmex.com
- zg@alefmex.com
- zhoteve@alefmex.com
- zninz@alefmex.com
- zol@alefmex.com
- MALDOC PROXY DISTRIBUTION URLS
- http://feedproxy.google.com/~r/ayrhs/~3/S-yTrf1uOo0/totter.php
- http://feedproxy.google.com/~r/cmdakn/~3/uoFf178aYac/elliptical.php
- http://feedproxy.google.com/~r/dgikzcnor/~3/depn2WJFsvs/predesigned.php
- http://feedproxy.google.com/~r/dprtbwpc/~3/pHTHay1Iyt0/grumpy.php
- http://feedproxy.google.com/~r/ebsuejssfi/~3/I_DXRad9XWM/verve.php
- http://feedproxy.google.com/~r/edcpnihcbt/~3/AFl4Gp6Bx3Y/delftware.php
- http://feedproxy.google.com/~r/ewzfasb/~3/TOQZu5H4GMI/decorating.php
- http://feedproxy.google.com/~r/hijiy/~3/sCjdavfvXsE/sinus.php
- http://feedproxy.google.com/~r/hrkgwqqtkoi/~3/PVYN0GNVBT0/scarecrow.php
- http://feedproxy.google.com/~r/ifytrzcypuu/~3/uxVujiVWgZY/peptide.php
- http://feedproxy.google.com/~r/iwapvoqg/~3/hfwKQfHNFJc/
- http://feedproxy.google.com/~r/jfgdoxqfq/~3/POEbYBEVmB0/
- http://feedproxy.google.com/~r/kylstdr/~3/kWt5v9NSjYY/undeceive.php
- http://feedproxy.google.com/~r/lavbqitdnbk/~3/Xnq66LBnOC4/sybarite.php
- http://feedproxy.google.com/~r/mowlmezp/~3/Vjj0go84O6w/autograph.php
- http://feedproxy.google.com/~r/mvjmyhv/~3/qaokC6dycZU/insulting.php
- http://feedproxy.google.com/~r/nagalfvoqgs/~3/N7y4kJwz_bU/continuing.php
- http://feedproxy.google.com/~r/nylmfk/~3/WQQLRgDLEXg/lubrication.php
- http://feedproxy.google.com/~r/pvqhnlp/~3/AMOYecAhYXc/rationalisation.php
- http://feedproxy.google.com/~r/pznuiidxa/~3/qvDO2lSjx4U/spellbind.php
- http://feedproxy.google.com/~r/rqskiat/~3/VRsE7WYwpEY/pregant.php
- http://feedproxy.google.com/~r/tjvngraagv/~3/UiWP1saD5Ec/narrow.php
- http://feedproxy.google.com/~r/vgbiwlr/~3/M8EKXahjplk/
- http://feedproxy.google.com/~r/vvoyowskbaz/~3/qaokC6dycZU/insulting.php
- http://feedproxy.google.com/~r/xeaeloijs/~3/s2AhoMvK-1U/
- http://feedproxy.google.com/~r/xeaeloijs/~3/s2AhoMvK-1U/scarcity.php
- http://feedproxy.google.com/~r/xkabdkksu/~3/lv8sJhvfER8/secede.php
- http://feedproxy.google.com/~r/xnaxhtzfbjp/~3/bY13LNDdYX8/meek.php
- http://feedproxy.google.com/~r/xogbt/~3/4zT14SDzhjw/existentialism.php
- http://feedproxy.google.com/~r/ymxms/~3/depn2WJFsvs/predesigned.php
- http://feedproxy.google.com/~r/zetxvxtiqrc/~3/3nxokZR2ng0/darn.php
- http://feedproxy.google.com/~r/zrgdjrcdzkm/~3/bAf7Su0FF8s/tens.php
- MALDOC REDIRECT DOWNLOAD URLS
- http://alertas.jornadatrabalho.com.br/decorating.php
- http://likizoa-dumaszak.jornadatrabalho.com.br/lubrication.php
- http://likizoa-mge.jornadatrabalho.com.br/narrow.php
- http://likizoa-pedrotc.jornadatrabalho.com.br/tens.php
- http://likizoa-tac.jornadatrabalho.com.br/rationalisation.php
- http://onyx-medical.com/secede.php
- http://www.howtogethimbackpermanently.com/pregant.php
- http://www.howtogethimbackpermanently.com/totter.php
- http://www.howtogethimbackpermanently.com/verve.php
- https://d9tvsolutions.com/darn.php
- https://kalaaag.000webhostapp.com/elliptical.php
- https://kalaaag.000webhostapp.com/meek.php
- https://kitchenup.de/predesigned.php
- https://mailer.srkcommunication.biz/autograph.php
- https://mitarmilan.com/undeceive.php
- https://ndot.touchmediahost.com/continuing.php
- https://ndot.touchmediahost.com/insulting.php
- https://ndot.touchmediahost.com/spellbind.php
- https://service.easytrace.mn/grumpy.php
- https://sp.ncre.org.in/scarcity.php
- https://www.guongnoithat.com/singapore.php
- https://www.guongnoithat.com/unsinkable.php
- https://www.ivrvirtualsolutions.com/stinginess.php
- MALDOC REDIRECT DOWNLOAD DOMAINS
- 000webhostapp.com
- d9tvsolutions.com
- easytrace.mn
- guongnoithat.com
- howtogethimbackpermanently.com
- ivrvirtualsolutions.com
- jornadatrabalho.com.br
- kitchenup.de
- mitarmilan.com
- ncre.org.in
- onyx-medical.com
- srkcommunication.biz
- touchmediahost.com
- MALDOC FILE HASHES
- 1664a21b31abc809b41ef04bef2b83d3
- 3a73e0e78a5f63c8aee74ad597723434
- 4942f8e35bde6d5e85139c848a8285c0
- 53f2b97c4464d8b58afa7077408dff3c
- 5bd6495094ee5223cab904288018b3ff
- a40f92fde968f6e24c723e31ba5ffefc
- b11b59f8b566048f4d57962eea548076
- c335b3485e963c1e0c058002470af76e
- d07e0a1c4e59611abb0d5ead73a8d2f2
- d1519ed8a42a01cfad099b7c3baa9f2b
- e28f4975d4f9b4169b94ac8e1e7a9532
- f9839343568f8220218732612ce7dbd3
- HANCITOR PAYLOAD FILE HASH
- omsh.dll
- 7348620f737ec1b0997cae7548344f2c
- HANCITOR C2
- http://aidgodown.ru/8/forum.php
- http://relifleappin.ru/8/forum.php
- http://tholeferli.com/8/forum.php
- FICKER STEALER DOWNLOAD URL
- http://s0lom0n.ru/7hsjfd9w4refsd.exe
- FICKER STEALER FILE HASH
- 7hsjfd9w4refsd.exe
- 270c3859591599642bd15167765246e3
- FICKER STEALER C2
- http://pospvisis.com
- COBALT STRIKE STAGER DOWNLOAD URLS
- http://s0lom0n.ru/2207.bin
- http://s0lom0n.ru/2207s.bin
- COBALT STRIKE STAGER FILE HASHES
- 2207.bin
- aeadfa6eeab3d9c52ebff8c6aa41a833
- 2207s.bin
- 765495a185b509ebbc3c263e0a421e18
- COBALT STRIKE BEACON DOWNLOAD URL
- http://23.239.67.26/jVRJ
- COBALT STRIKE BEACON FILE HASH
- jVRJ
- 3cb6a83bc0314055c2672d5ba066bce7
- COBALT STRIKE C2
- http://23.239.67.26/j.ad
- Additional Cobalt Strike URLs from strings in memory:
- https://23.239.67.26/i9Vd
- https://23.239.67.26/ga.js
- COBALT STRIKE BEACON CONFIG (extracted using Didier Stevens' 1768 Python script)
- File: jVRJ
- xorkey(chain): 0xbde0b35e
- length: 0x00033400
- payloadType: 0x10014fc2
- payloadSize: 0x00000000
- intxorkey: 0x00000000
- id2: 0x00000000
- Config found: xorkey b'.' 0x00030220 0x00033400
- 0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
- 0x0002 port 0x0001 0x0002 80
- 0x0003 sleeptime 0x0002 0x0004 60000
- 0x0004 maxgetsize 0x0002 0x0004 1048576
- 0x0005 jitter 0x0001 0x0002 0
- 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- 0x0008 server,get-uri 0x0003 0x0100 '23.239.67.26,/j.ad'
- 0x0043 0x0001 0x0002 0
- 0x0044 0x0002 0x0004 4294967295
- 0x0045 0x0002 0x0004 4294967295
- 0x0046 0x0002 0x0004 4294967295
- 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
- 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
- 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
- 0x001f CryptoScheme 0x0001 0x0002 0
- 0x001a get-verb 0x0003 0x0010 'GET'
- 0x001b post-verb 0x0003 0x0010 'POST'
- 0x001c HttpPostChunk 0x0002 0x0004 0
- 0x0025 license-id 0x0002 0x0004 0
- 0x0026 bStageCleanup 0x0001 0x0002 0
- 0x0027 bCFGCaution 0x0001 0x0002 0
- 0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)'
- 0x000a post-uri 0x0003 0x0040 '/submit.php'
- 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
- 0x000c http_get_header 0x0003 0x0200
- b'Cookie'
- 0x000d http_post_header 0x0003 0x0200
- b'&Content-Type: application/octet-stream'
- b'id'
- 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
- 0x0032 UsesCookies 0x0001 0x0002 1
- 0x0023 proxy_type 0x0001 0x0002 2 IE settings
- 0x003a 0x0003 0x0080 '\x00\x04'
- 0x0039 0x0003 0x0080 '\x00\x04'
- 0x0037 0x0001 0x0002 0
- 0x0028 killdate 0x0002 0x0004 0
- 0x0029 textSectionEnd 0x0002 0x0004 0
- 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002d process-inject-min_alloc 0x0002 0x0004 0
- 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
- 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
- 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
- 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
- 0x0034 process-inject-allocation-method 0x0001 0x0002 0
- 0x0000