2021-03-01 Hancitor with Cobalt Strike IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. HANCITOR BUILD
4. BUILD=0103_jepskew
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got notification from DocuSign Electronic Service
9. You got notification from DocuSign Service
10. You got notification from DocuSign Signature Service
11. You received invoice from DocuSign Electronic Service
12. You received invoice from DocuSign Electronic Signature Service
13. You received invoice from DocuSign Service
14. You received notification from DocuSign Signature Service
15.  
16. SENDERS OBSERVED
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34.  
35. MALDOC LANDING PAGE URLS
36. https://docs.google.com/document/d/e/2PACX-1vQ1BBFmsSzUwpCZ-Uja7NHss8TYWEzJ_34oUPH83iem-_nwfFSWx4fL55yiOo5dl_0iKlduWyyYWTRo/pub
37. https://docs.google.com/document/d/e/2PACX-1vR0__W8JBBAqUKv4cCPNpPkJg8viAGgsChkS6DQMeNH0U-rcnjezW1HTidjvcnBI1TYiVPMPDVIUoHQ/pub
38. https://docs.google.com/document/d/e/2PACX-1vRGkFAdGp3mXtlBv5D8P41ClN69-vnvScwD_ZOauh7MlK41TfP6tluhhUlDAqpnXQjeWcBUnaapRgW6/pub
39. https://docs.google.com/document/d/e/2PACX-1vRi0Ovc9gOO8byt1z8pTYhlgpVXjHjMzJPU7S-9IygNuDD7XW_4H2Sv60CM6b1xVh9G2ebf_E8c6wBx/pub
40. https://docs.google.com/document/d/e/2PACX-1vRiA8cNdUVs-m5sq-Q_s5-paQVU1u0IfIg9-loXJjHqTcXEi9daJYw3nFYkkE10rAbRdGJMwTt2kIgg/pub
41. https://docs.google.com/document/d/e/2PACX-1vRxaJV_jRNas-jKbTQwFRU9-NC4_toXqpTveUjzeZUIhxVYBwOU8gMI5Lzpv1aOy9hTaSuAMZpXqk3f/pub
42. https://docs.google.com/document/d/e/2PACX-1vRxYpQ_bnUJfGnjA052uiEXM4ZxU_lUB4evRC2R95Okt4_i1ffM23S_AB4fPC6S4NChmpKzYQtQW8z5/pub
43. https://docs.google.com/document/d/e/2PACX-1vS_DkYI_GouxsICJqTb6y9mL1zB2lgcUi2k-2NWRqo9lxtswXHgkMBtBFgpMe7OBSrzPBAHL7nYZ0bX/pub
44. https://docs.google.com/document/d/e/2PACX-1vSFTUvqL6a0ot_nKE8asntyX8JP36imF5aV0hPYQERVCHW93GklFnv3pD5SCC3iBlxydqzCYguakDEF/pub
45. https://docs.google.com/document/d/e/2PACX-1vSLQMLDzGHCZ55B8kuzEeDCzm7LWuJxeU07FuUj217O9ieC-kewtDAxeQ8iMmggGCEFbNTlwxftFekU/pub
46. https://docs.google.com/document/d/e/2PACX-1vSnLI_zroqVc45v0qVIgq4NS18rGDL1_tfcGTf2rD277XrRhEuEwvQEBuIPRc9wilU7X6RtPBpTbY4r/pub
47. https://docs.google.com/document/d/e/2PACX-1vSOShpI-Zj4HZxdkssmk72EfxAabzii42omy1dQixWt3MERVhgFr-rGZvtOn3nwbSJK4CpPdSVw5165/pub
48. https://docs.google.com/document/d/e/2PACX-1vTCp9Qx5lwEGH28FcUHYLUgG_k6-2rqKoVZHnjH8qPQVFAm4hH_Z3qPhcxD6PL9bxH2MD4iN2GlBazY/pub
49. https://docs.google.com/document/d/e/2PACX-1vTdzsjFl3gZZx2A0apd_kKexsNP2HlEro-IVlRC3CJ3lwd5R04cD69yoZmxE2l4P7va_AvwRKZkYnZ5/pub
50. https://docs.google.com/document/d/e/2PACX-1vTi_7pKKEYNftGgONZ4ET5A2r_9J2KEiXOoncNg0QUpPC8NJvD6zOFC5ATANv1o3iNm_YpxSlyic7p6/pub
51. https://docs.google.com/document/d/e/2PACX-1vTqWgR7_-sp6OwZIHiqia9DQoAfwCaD6FquL1QkUIokf_ZER3DLn04a7_2GeBJlC-hzYyj6VlXVED4K/pub
52.  
53. MALDOC DISTRIBUTION URLS
54. http://kiehlturkey.com/endoenzyme.php
55. http://kiehlturkey.com/underclothes.php
56. https://bgurbanglam.com/scheme.php
57. https://bgurbanglam.com/stuck.php
58. https://connect.rio.br/forage.php
59. https://crm.basilrealty.in/germany.php
60. https://crm.basilrealty.in/sophist.php
61. https://losgedeones.com/stimulated.php
62. https://notredame.netafrica-sarl.com/catastrophe.php
63. https://notredame.netafrica-sarl.com/estimation.php
64. https://webworks.nepila.com/peculation.php
65. https://webworks.nepila.com/readies.php
66.  
67. basilrealty.in
68. bgurbanglam.com
69. connect.rio.br
70. kiehlturkey.com
71. losgedeones.com
72. nepila.com
73. netafrica-sarl.com
74.  
75. HANCITOR MALDOC FILE HASHES
76. 4fa931626b5cfaa706213db17d0c61dc
77. 609d8d63f5a483b4e333d54aa9e5c60b
78. 693fa214e73716254347f33f0c50a289
79. 6b5e020928e890335ec896cf9037e144
80. 8932fef09da75fa3b39382fb861bedf1
81. d996737591be99bf9a3085dcda2cd81f
82. de6deb3c6429e930ce2edb82ce788dbf
83.  
84. HANCITOR PAYLOAD FILE HASH
85. Static.dll
86. 8d54e98795c459e0263c1d40cbdfc9f8
87.  
88. HANCITOR C2
89. http://ementincied.com/8/forum.php
90. http://watoredprocaus.ru/8/forum.php
91. http://noriblerughly.ru/8/forum.php
92.  
93. FICKER STEALER PAYLOAD URLS
94. http://mymooney.ru/6fwedzs3w3fg.exe
95.  
96. FICKER STEALER FILE HASH
97. 6fwedzs3w3fg.exe
98. 77be0dd6570301acac3634801676b5d7
99.  
100. FICKER STEALER C2
101. http://sweyblidian.com
102.  
103. COBALT STRIKE PAYLOAD URLS
104. http://mymooney.ru/0103.bin
105. http://mymooney.ru/0103s.bin
106.  
107. COBALT STRIKE FILE HASHES
108. 0103.bin
109. 51e57f45762d279776b98d27f415ce6c
110.  
111. 0103s.bin
112. ab918b8f731858bef1b8994608ffb66d
113.  
114. COBALT STRIKE TRAFFIC
115. http://45.63.69.93/Qn7f
116. http://45.63.69.93/cx
117.