ExecuteMalware

2021-01-14 Hancitor IOCs

Jan 14th, 2021
THREAT ATTRIBUTION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGE URLS

MALDOC DISTRIBUTION URLS

HANCITOR MALDOC FILE HASHES
0114_80556334.doc
b39c7ad51b207a44df39c657993d194f

HANCITOR PAYLOAD FILE HASHES
W0rd.dll
8a3fec8c65a30a99699d6898e61ee775

HANCITOR DOWNLOAD URLS
None - embedded .dll file

HANCITOR C2
http://ocifirtaterity.com/8/forum.php