ExecuteMalware

2021-04-14 Hancitor IOCs

Apr 14th, 2021
THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD NUMBER
&BUILD=1404_cms3

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGE URLS

MALDOC DISTRIBUTION URLS

HANCITOR MALDOC FILE HASHES

HANCITOR PAYLOAD FILE HASH
edge.dll
e5cf2f65aeb1ff4d8e40b0e73860cb75

HANCITOR C2
http://dingulbolies.com/8/forum.php
http://culadinces.ru/8/forum.php
http://coliessrass.ru/8/forum.php

FICKER STEALER PAYLOAD URL
http://qm30098.ru/6jkiojdfssd.exe

FICKER STEALER FILE HASH
6jkiojdfssd.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com