ExecuteMalware

2021-02-11 Hancitor IOCs

Feb 11th, 2021 (edited)
THREAT ATTRIBUTION: HANCITOR

HANCITOR BUILD
BUILD=1102_heid89

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGES

MALDOC DOWNLOAD URLS

REDIRECT "PHISHING PAGE"
https://ėxprėss53.com/portal/authn/#/login?cache=20.40.33/?download=0211_4273419156334.doc

HANCITOR MALDOC FILE HASHES

HANCITOR PAYLOAD FILE HASHES
W0rd.dll
b318cc9f1ff841af11f7720f345e1243

HANCITOR C2
http://nuencres.com/8/forum.php
http://matuattheires.ru/8/forum.php
http://desuctoette.ru/8/forum.php

FICKER STEALER DOWNLOAD
http://myinstabuzzz.co/6hyuyj.exe

FICKER STEALER FILE HASHES
6hyuyj.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com
http://185.100.65.29