2021-06-22 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=2106_xhidt
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Signature Service
8. You got invoice from DocuSign Service
9. You got invoice from DocuSign Signature Service
10. You got notification from DocuSign Electronic Service
11. You got notification from DocuSign Service
12. You got notification from DocuSign Signature Service
13. You received invoice from DocuSign Electronic Service
14. You received invoice from DocuSign Electronic Signature Service
15. You received invoice from DocuSign Service
16. You received invoice from DocuSign Signature Service
17. You received notification from DocuSign Electronic Service
18. You received notification from DocuSign Electronic Signature Service
19. You received notification from DocuSign Service
20. You received notification from DocuSign Signature Service
21.  
22. SENDERS OBSERVED
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59.  
60. MALDOC PROXY DISTRIBUTION URLS
61. http://feedproxy.google.com/~r/afpavjrzsq/~3/tHOiExRei-g/digestible.php
62. http://feedproxy.google.com/~r/bkhasyobl/~3/WeIBU6KZXYk/digging.php
63. http://feedproxy.google.com/~r/buugwwqmgd/~3/fPSv3F8HzKk/dogwood.php
64. http://feedproxy.google.com/~r/bvbrkzjjuz/~3/yEzDDHR1wR8/columbus.php
65. http://feedproxy.google.com/~r/dxsbow/~3/S6h_71K466w/tamely.php
66. http://feedproxy.google.com/~r/eucmfnrduo/~3/uPiStd51NxE/surfeiting.php
67. http://feedproxy.google.com/~r/ezpazywgeqq/~3/oEO4H0zsVsc/slag.php
68. http://feedproxy.google.com/~r/jgfof/~3/X7EC-SZw2zc/buffoon.php
69. http://feedproxy.google.com/~r/jtupivnc/~3/WMrF0nEDtxQ/oscillated.php
70. http://feedproxy.google.com/~r/lrhearkwquj/~3/MXcwIvlGyko/selenology.php
71. http://feedproxy.google.com/~r/mfazpb/~3/_CpRojrSJAk/cubism.php
72. http://feedproxy.google.com/~r/mmahllh/~3/_OcWnYN0Mp4/escaped.php
73. http://feedproxy.google.com/~r/oifmjgou/~3/h-_2tzanl8Y/archbishopric.php
74. http://feedproxy.google.com/~r/phngfkgkxoi/~3/sfDO2k40ChA/curler.php
75. http://feedproxy.google.com/~r/pujvwj/~3/dYz3dayeyhE/as.php
76. http://feedproxy.google.com/~r/smlwbncw/~3/za2an2RFOh4/uncooked.php
77. http://feedproxy.google.com/~r/ttxdbqvqfd/~3/2B4FeTzJUwM/milk.php
78. http://feedproxy.google.com/~r/ufxfgoguir/~3/iJBUj6DZBSQ/annelid.php
79. http://feedproxy.google.com/~r/wwvevtycwkv/~3/bbV106ekAkg/offhand.php
80. http://feedproxy.google.com/~r/wxzthhfycuc/~3/JNPudq6MD6U/sortie.php
81. http://feedproxy.google.com/~r/zfofzz/~3/zxzTP3yfQqI/apeasement.php
82.  
83. MALDOC REDIRECT DOWNLOAD URLS
84. http://coba.msp-id.com/buffoon.php
85. http://dalaceducate.com/oscillated.php
86. http://firstaidbar.parachuteconsultingllc.com/columbus.php
87. http://floristeria-ilusion.com/annelid.php
88. http://floristeria-ilusion.com/escaped.php
89. http://floristeria-ilusion.com/offhand.php
90. http://luvurself.co.in/tamely.php
91. http://luvurself.co.in/uncooked.php
92. http://main.lahoreshoes.com/apeasement.php
93. http://main.lahoreshoes.com/digestible.php
94. http://main.lahoreshoes.com/milk.php
95. http://main.lahoreshoes.com/sortie.php
96. http://pamenagreens.com/as.php
97. http://pamenagreens.com/curler.php
98. http://parueltoys.com/surfeiting.php
99. http://sfl-condoexpert.com/cubism.php
100. http://test.ivoireboutik.ci/selenology.php
101. http://tutimovil.com/dogwood.php
102. http://www.amranhvac.com/archbishopric.php
103. http://www.amranhvac.com/digging.php
104.  
105. amranhvac.com
106. dalaceducate.com
107. floristeria-ilusion.com
108. ivoireboutik.ci
109. lahoreshoes.com
110. luvurself.co.in
111. msp-id.com
112. pamenagreens.com
113. parachuteconsultingllc.com
114. parueltoys.com
115. sfl-condoexpert.com
116. tutimovil.com
117.  
118. HANCITOR MALDOC FILE HASHES
119. 1a59ceac9950a65bfc6f1b48e90069cb
120. 1b078fa68ab61137698ec90b248b3a41
121. 253cd14997221a45cefc5af71899225c
122. 661addd0800c78c582a91971097436cb
123. 8edfb2978ec5d8bea344f66b08b52e4b
124. ad722cfceae43ac474649d028cd20078
125. d6537faa40b3a1f9aea71451daf4dfa7
126. e4b5102981531c4b23ddd286a10fbd74
127. e76139e98a50f583ddf813eba72340b3
128. ecc1216b4d36f5451a5abb2c54f4e7e5
129. f04b83f20d19dc41825c9b8faed3ddb8
130.  
131. HANCITOR PAYLOAD FILE HASH
132. kikus.dll
133. cc915aa31f31934ab132f45bf965d200
134.  
135. HANCITOR C2
136. http://vidompleury.com/8/forum.php
137. http://cobleignespos.ru/8/forum.php
138. http://moutraturche.ru/8/forum.php
139.  
140. FICKER STEALER DOWNLOAD URL
141. http://t578qnar.ru/7sdf45gsg.exe
142.  
143. FICKER STEALER FILE HASH
144. 7sdf45gsg.exe
145. 270c3859591599642bd15167765246e3
146.  
147. FICKER C2
148. http://pospvisis.com
149.  
150. COBALT STRIKE STAGER PAYLOAD URLS
151. http://t578qnar.ru/2206.bin
152. http://t578qnar.ru/2206s.bin
153.  
154. COBALT STRIKE STAGER FILE HASHES
155. 2206s.bin
156. 4dca76922be24b36a8060653f8862a00
157.  
158. 2206.bin
159. 9f6ce0d2896378d173db713033c6c955
160.  
161. COBALT STRIKE BEACON
162. http://45.136.113.163/KakE
163.  
164. KakE
165. aad493200a6a03e07968616d52124c97
166.  
167. COBALT STRIKE C2
168. http://45.136.113.163/push
169.