API tools faq
paste
ExecuteMalware

2021-07-22 Hancitor IOCs

ExecuteMalware
Jul 22nd, 2021
16,418
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.02 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
  2.  
  3. HANCITOR BUILD NUMBER
  4. BUILD=2207_xwpi67
  5.  
  6. SUBJECTS OBSERVED
  7. You got invoice from DocuSign Electronic Service
  8. You got invoice from DocuSign Electronic Signature Service
  9. You got invoice from DocuSign Service
  10. You got invoice from DocuSign Signature Service
  11. You got notification from DocuSign Electronic Service
  12. You got notification from DocuSign Electronic Signature Service
  13. You got notification from DocuSign Service
  14. You got notification from DocuSign Signature Service
  15. You received invoice from DocuSign Electronic Service
  16. You received invoice from DocuSign Electronic Signature Service
  17. You received invoice from DocuSign Service
  18. You received invoice from DocuSign Signature Service
  19. You received notification from DocuSign Electronic Service
  20. You received notification from DocuSign Electronic Signature Service
  21. You received notification from DocuSign Service
  22. You received notification from DocuSign Signature Service
  23.  
  24. SENDERS OBSERVED
  25. [email protected]
  26. [email protected]
  27. [email protected]
  28. [email protected]
  29. [email protected]
  30. [email protected]
  31. [email protected]
  32. [email protected]
  33. [email protected]
  34. [email protected]
  35. [email protected]
  36. [email protected]
  37. [email protected]
  38. [email protected]
  39. [email protected]
  40. [email protected]
  41. [email protected]
  42. [email protected]
  43. [email protected]
  44. [email protected]
  45. [email protected]
  46. [email protected]
  47. [email protected]
  48. [email protected]
  49. [email protected]
  50. [email protected]
  51. [email protected]
  52. [email protected]
  53. [email protected]
  54. [email protected]
  55. [email protected]
  56. [email protected]
  57. [email protected]
  58. [email protected]
  59. [email protected]
  60. [email protected]
  61. [email protected]
  62. [email protected]
  63. [email protected]
  64. [email protected]
  65. [email protected]
  66. [email protected]
  67. [email protected]
  68. [email protected]
  69. [email protected]
  70. [email protected]
  71. [email protected]
  72. [email protected]
  73. [email protected]
  74. [email protected]
  75. [email protected]
  76. [email protected]
  77. [email protected]
  78. [email protected]
  79. [email protected]
  80. [email protected]
  81. [email protected]
  82. [email protected]
  83. [email protected]
  84. [email protected]
  85. [email protected]
  86. [email protected]
  87. [email protected]
  88. [email protected]
  89. [email protected]
  90. [email protected]
  91. [email protected]
  92. [email protected]
  93. [email protected]
  94. [email protected]
  95. [email protected]
  96. [email protected]
  97. [email protected]
  98. [email protected]
  99. [email protected]
  100. [email protected]
  101. [email protected]
  102. [email protected]
  103. [email protected]
  104. [email protected]
  105. [email protected]
  106. [email protected]
  107. [email protected]
  108. [email protected]
  109. [email protected]
  110. [email protected]
  111. [email protected]
  112. [email protected]
  113. [email protected]
  114. [email protected]
  115. [email protected]
  116. [email protected]
  117. [email protected]
  118. [email protected]
  119. [email protected]
  120. [email protected]
  121. [email protected]
  122. [email protected]
  123. [email protected]
  124. [email protected]
  125. [email protected]
  126. [email protected]
  127. [email protected]
  128. [email protected]
  129. [email protected]
  130. [email protected]
  131. [email protected]
  132. [email protected]
  133. [email protected]
  134. [email protected]
  135. [email protected]
  136. [email protected]
  137. [email protected]
  138. [email protected]
  139. [email protected]
  140. [email protected]
  141. [email protected]
  142. [email protected]
  143. [email protected]
  144. [email protected]
  145. [email protected]
  146. [email protected]
  147. [email protected]
  148. [email protected]
  149. [email protected]
  150. [email protected]
  151. [email protected]
  152. [email protected]
  153. [email protected]
  154. [email protected]
  155. [email protected]
  156. [email protected]
  157. [email protected]
  158. [email protected]
  159. [email protected]
  160. [email protected]
  161. [email protected]
  162. [email protected]
  163. [email protected]
  164. [email protected]
  165. [email protected]
  166. [email protected]
  167. [email protected]
  168. [email protected]
  169. [email protected]
  170. [email protected]
  171. [email protected]
  172. [email protected]
  173. [email protected]
  174. [email protected]
  175. [email protected]
  176. [email protected]
  177. [email protected]
  178. [email protected]
  179. [email protected]
  180. [email protected]
  181. [email protected]
  182. [email protected]
  183. [email protected]
  184. [email protected]
  185. [email protected]
  186. [email protected]
  187. [email protected]
  188. [email protected]
  189. [email protected]
  190. [email protected]
  191. [email protected]
  192. [email protected]
  193. [email protected]
  194. [email protected]
  195. [email protected]
  196. [email protected]
  197. [email protected]
  198. [email protected]
  199. [email protected]
  200. [email protected]
  201. [email protected]
  202. [email protected]
  203. [email protected]
  204. [email protected]
  205. [email protected]
  206. [email protected]
  207. [email protected]
  208. [email protected]
  209. [email protected]
  210. [email protected]
  211. [email protected]
  212.  
  213. MALDOC PROXY DISTRIBUTION URLS
  214. http://feedproxy.google.com/~r/ayrhs/~3/S-yTrf1uOo0/totter.php
  215. http://feedproxy.google.com/~r/cmdakn/~3/uoFf178aYac/elliptical.php
  216. http://feedproxy.google.com/~r/dgikzcnor/~3/depn2WJFsvs/predesigned.php
  217. http://feedproxy.google.com/~r/dprtbwpc/~3/pHTHay1Iyt0/grumpy.php
  218. http://feedproxy.google.com/~r/ebsuejssfi/~3/I_DXRad9XWM/verve.php
  219. http://feedproxy.google.com/~r/edcpnihcbt/~3/AFl4Gp6Bx3Y/delftware.php
  220. http://feedproxy.google.com/~r/ewzfasb/~3/TOQZu5H4GMI/decorating.php
  221. http://feedproxy.google.com/~r/hijiy/~3/sCjdavfvXsE/sinus.php
  222. http://feedproxy.google.com/~r/hrkgwqqtkoi/~3/PVYN0GNVBT0/scarecrow.php
  223. http://feedproxy.google.com/~r/ifytrzcypuu/~3/uxVujiVWgZY/peptide.php
  224. http://feedproxy.google.com/~r/iwapvoqg/~3/hfwKQfHNFJc/
  225. http://feedproxy.google.com/~r/jfgdoxqfq/~3/POEbYBEVmB0/
  226. http://feedproxy.google.com/~r/kylstdr/~3/kWt5v9NSjYY/undeceive.php
  227. http://feedproxy.google.com/~r/lavbqitdnbk/~3/Xnq66LBnOC4/sybarite.php
  228. http://feedproxy.google.com/~r/mowlmezp/~3/Vjj0go84O6w/autograph.php
  229. http://feedproxy.google.com/~r/mvjmyhv/~3/qaokC6dycZU/insulting.php
  230. http://feedproxy.google.com/~r/nagalfvoqgs/~3/N7y4kJwz_bU/continuing.php
  231. http://feedproxy.google.com/~r/nylmfk/~3/WQQLRgDLEXg/lubrication.php
  232. http://feedproxy.google.com/~r/pvqhnlp/~3/AMOYecAhYXc/rationalisation.php
  233. http://feedproxy.google.com/~r/pznuiidxa/~3/qvDO2lSjx4U/spellbind.php
  234. http://feedproxy.google.com/~r/rqskiat/~3/VRsE7WYwpEY/pregant.php
  235. http://feedproxy.google.com/~r/tjvngraagv/~3/UiWP1saD5Ec/narrow.php
  236. http://feedproxy.google.com/~r/vgbiwlr/~3/M8EKXahjplk/
  237. http://feedproxy.google.com/~r/vvoyowskbaz/~3/qaokC6dycZU/insulting.php
  238. http://feedproxy.google.com/~r/xeaeloijs/~3/s2AhoMvK-1U/
  239. http://feedproxy.google.com/~r/xeaeloijs/~3/s2AhoMvK-1U/scarcity.php
  240. http://feedproxy.google.com/~r/xkabdkksu/~3/lv8sJhvfER8/secede.php
  241. http://feedproxy.google.com/~r/xnaxhtzfbjp/~3/bY13LNDdYX8/meek.php
  242. http://feedproxy.google.com/~r/xogbt/~3/4zT14SDzhjw/existentialism.php
  243. http://feedproxy.google.com/~r/ymxms/~3/depn2WJFsvs/predesigned.php
  244. http://feedproxy.google.com/~r/zetxvxtiqrc/~3/3nxokZR2ng0/darn.php
  245. http://feedproxy.google.com/~r/zrgdjrcdzkm/~3/bAf7Su0FF8s/tens.php
  246.  
  247. MALDOC REDIRECT DOWNLOAD URLS
  248. http://alertas.jornadatrabalho.com.br/decorating.php
  249. http://likizoa-dumaszak.jornadatrabalho.com.br/lubrication.php
  250. http://likizoa-mge.jornadatrabalho.com.br/narrow.php
  251. http://likizoa-pedrotc.jornadatrabalho.com.br/tens.php
  252. http://likizoa-tac.jornadatrabalho.com.br/rationalisation.php
  253. http://onyx-medical.com/secede.php
  254. http://www.howtogethimbackpermanently.com/pregant.php
  255. http://www.howtogethimbackpermanently.com/totter.php
  256. http://www.howtogethimbackpermanently.com/verve.php
  257. https://d9tvsolutions.com/darn.php
  258. https://kalaaag.000webhostapp.com/elliptical.php
  259. https://kalaaag.000webhostapp.com/meek.php
  260. https://kitchenup.de/predesigned.php
  261. https://mailer.srkcommunication.biz/autograph.php
  262. https://mitarmilan.com/undeceive.php
  263. https://ndot.touchmediahost.com/continuing.php
  264. https://ndot.touchmediahost.com/insulting.php
  265. https://ndot.touchmediahost.com/spellbind.php
  266. https://service.easytrace.mn/grumpy.php
  267. https://sp.ncre.org.in/scarcity.php
  268. https://www.guongnoithat.com/singapore.php
  269. https://www.guongnoithat.com/unsinkable.php
  270. https://www.ivrvirtualsolutions.com/stinginess.php
  271.  
  272. 000webhostapp.com
  273. d9tvsolutions.com
  274. easytrace.mn
  275. guongnoithat.com
  276. howtogethimbackpermanently.com
  277. ivrvirtualsolutions.com
  278. jornadatrabalho.com.br
  279. kitchenup.de
  280. mitarmilan.com
  281. ncre.org.in
  282. onyx-medical.com
  283. srkcommunication.biz
  284. touchmediahost.com
  285.  
  286. MALDOC FILE HASHES
  287. 1664a21b31abc809b41ef04bef2b83d3
  288. 3a73e0e78a5f63c8aee74ad597723434
  289. 4942f8e35bde6d5e85139c848a8285c0
  290. 53f2b97c4464d8b58afa7077408dff3c
  291. 5bd6495094ee5223cab904288018b3ff
  292. a40f92fde968f6e24c723e31ba5ffefc
  293. b11b59f8b566048f4d57962eea548076
  294. c335b3485e963c1e0c058002470af76e
  295. d07e0a1c4e59611abb0d5ead73a8d2f2
  296. d1519ed8a42a01cfad099b7c3baa9f2b
  297. e28f4975d4f9b4169b94ac8e1e7a9532
  298. f9839343568f8220218732612ce7dbd3
  299.  
  300. HANCITOR PAYLOAD FILE HASH
  301. omsh.dll
  302. 7348620f737ec1b0997cae7548344f2c
  303.  
  304. HANCITOR C2
  305. http://aidgodown.ru/8/forum.php
  306. http://relifleappin.ru/8/forum.php
  307. http://tholeferli.com/8/forum.php
  308.  
  309. FICKER STEALER DOWNLOAD URL
  310. http://s0lom0n.ru/7hsjfd9w4refsd.exe
  311.  
  312. FICKER STEALER FILE HASH
  313. 7hsjfd9w4refsd.exe
  314. 270c3859591599642bd15167765246e3
  315.  
  316. FICKER STEALER C2
  317. http://pospvisis.com
  318.  
  319. COBALT STRIKE STAGER DOWNLOAD URLS
  320. http://s0lom0n.ru/2207.bin
  321. http://s0lom0n.ru/2207s.bin
  322.  
  323. COBALT STRIKE STAGER FILE HASHES
  324. 2207.bin
  325. aeadfa6eeab3d9c52ebff8c6aa41a833
  326.  
  327. 2207s.bin
  328. 765495a185b509ebbc3c263e0a421e18
  329.  
  330. COBALT STRIKE BEACON DOWNLOAD URL
  331. http://23.239.67.26/jVRJ
  332.  
  333. COBALT STRIKE BEACON FILE HASH
  334. jVRJ
  335. 3cb6a83bc0314055c2672d5ba066bce7
  336.  
  337. COBALT STRIKE C2
  338. http://23.239.67.26/j.ad
  339.  
  340. Additional Cobalt Strike URLs from strings in memory:
  341. https://23.239.67.26/i9Vd
  342. https://23.239.67.26/ga.js
  343.  
  344.  
  345. COBALT STRIKE BEACON CONFIG (extracted using Didier Stevens' 1768 Python script)
  346. File: jVRJ
  347. xorkey(chain): 0xbde0b35e
  348. length: 0x00033400
  349. payloadType: 0x10014fc2
  350. payloadSize: 0x00000000
  351. intxorkey: 0x00000000
  352. id2: 0x00000000
  353. Config found: xorkey b'.' 0x00030220 0x00033400
  354. 0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
  355. 0x0002 port 0x0001 0x0002 80
  356. 0x0003 sleeptime 0x0002 0x0004 60000
  357. 0x0004 maxgetsize 0x0002 0x0004 1048576
  358. 0x0005 jitter 0x0001 0x0002 0
  359. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  360. 0x0008 server,get-uri 0x0003 0x0100 '23.239.67.26,/j.ad'
  361. 0x0043 0x0001 0x0002 0
  362. 0x0044 0x0002 0x0004 4294967295
  363. 0x0045 0x0002 0x0004 4294967295
  364. 0x0046 0x0002 0x0004 4294967295
  365. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
  366. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
  367. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
  368. 0x001f CryptoScheme 0x0001 0x0002 0
  369. 0x001a get-verb 0x0003 0x0010 'GET'
  370. 0x001b post-verb 0x0003 0x0010 'POST'
  371. 0x001c HttpPostChunk 0x0002 0x0004 0
  372. 0x0025 license-id 0x0002 0x0004 0
  373. 0x0026 bStageCleanup 0x0001 0x0002 0
  374. 0x0027 bCFGCaution 0x0001 0x0002 0
  375. 0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)'
  376. 0x000a post-uri 0x0003 0x0040 '/submit.php'
  377. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
  378. 0x000c http_get_header 0x0003 0x0200
  379. b'Cookie'
  380. 0x000d http_post_header 0x0003 0x0200
  381. b'&Content-Type: application/octet-stream'
  382. b'id'
  383. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
  384. 0x0032 UsesCookies 0x0001 0x0002 1
  385. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
  386. 0x003a 0x0003 0x0080 '\x00\x04'
  387. 0x0039 0x0003 0x0080 '\x00\x04'
  388. 0x0037 0x0001 0x0002 0
  389. 0x0028 killdate 0x0002 0x0004 0
  390. 0x0029 textSectionEnd 0x0002 0x0004 0
  391. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  392. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  393. 0x002d process-inject-min_alloc 0x0002 0x0004 0
  394. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
  395. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
  396. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
  397. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
  398. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
  399. 0x0000
  400.  
  401.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!