Threat Intelligence – Bazarcall & Hancitor Latest IOCs

0

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZARCALL


SENDER EMAILS
[email protected] [.]mom-food-fitness [.]com
[email protected] [.]com
[email protected] [.]com

SUBJECTS
Free trial period for ############# comes to the end in three days
Your free trial ############ is about to end!
Thank you for using your free trial ############ [.] Time to move on!

LURE PHONE NUMBER
+1 (209) 554 3767

MALDOC LANDING PAGE URLS
https://bookpoint [.]us
https://bookspoint [.]us
https://pointbook [.]us
https://pointbooks [.]us
https://subsbookpoint [.]us

MALDOC DOWNLOAD URLS
https://bokpoint [.]xyz/unsubscribe
https://bokspoint [.]xyz/unsubscribe
https://pointbok [.]xyz/unsubscribe
https://pointboks [.]xyz/unsubscribe

MALDOC (XLSB) FILE HASHES
759b9d6d287e240dc4a9a1564043e4d5
6740ff5b4d99d21c8ae34f2bf5b4cd71
4de36ea29963104bac17ee17176b0c6b
06ffd88bb900090461f59cdabed2d252
04023332ae2160489d04446a4f539fc7

PAYLOAD DOWNLOAD URLS
Unknown

PAYLOAD FILE HASHES
Unknown

ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN
569390 [.]ui
c7a8147760434d6eca16d8e27dce2bcf

569390 [.]xlsb
260a8af59a31a82aa8f999760b8fcb66

569390 [.]pdi
260a8af59a31a82aa8f999760b8fcb66

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION:  HANCITOR
 HANCITOR BUILD NUMBER
 &BUILD=0504_khrn7
 SUBJECTS OBSERVED
 You got invoice from DocuSign Electronic Service 
 You got invoice from DocuSign Service 
 You got invoice from DocuSign Signature Service 
 You got notification from DocuSign Electronic Service 
 You got notification from DocuSign Electronic Signature Service 
 You got notification from DocuSign Service 
 You got notification from DocuSign Signature Service 
 You received invoice from DocuSign Electronic Service 
 You received invoice from DocuSign Electronic Signature Service 
 You received invoice from DocuSign Service 
 You received invoice from DocuSign Signature Service 
 You received notification from DocuSign Electronic Service 
 You received notification from DocuSign Electronic Signature Service 
 You received notification from DocuSign Signature Service 
 SENDERS OBSERVED
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 [email protected] [.]com
 MALDOC LANDING PAGE URLS
 https://docs [.]google [.]com/document/d/e/2PACX-1vQ9XcRcgT1n0O7_Ata3ZoR2ZSs7v7u6Q1TGVMsOKX1SXEdHWOI3uzhWWAY5A07RMRk3-ry3_e1RJ4Yy/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQAI_OD4LRHilqUa8YupVfbR78HZIs6Usbh_gY7YgNsMGO5SLi65yDDnVS5I8_OM1yEqDbvYme4PbIR/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQGtiAUMQPqK18942rGSNpYfkobPiQ0fsNv9eGdAnVixmPgfr24Fkulx0_lU42vHTD0Wm500hyV_h43/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQJr9NtWzzmxkni7ckatWW5n5KZlCKuAyF20zLc40eHt9VcfRMfbxes8gVhva_oP-2x5onlwx9Z5jLc/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQKtVWt7lmHmqvgT_3TbwVppRqZSDph1DlVO6sYAmPglPDFcc2_3II2j_pKx9X7SGY_slO-sb6fHIJO/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQqTFHCCRDCxjDqC2ksjf1dF4ne0-zScp4SsH4VI2OjvyOXrLkJwgYtK426ZisxMaSj_lMW72-qeNII/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRaSmtpv316Grxbq4k_Ao6ciz7Xq12KQDcnC-JmcVT1cXjVI3hw5EVkbA1Ie1putCixClriNjI79v-0/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRDFpZMV2aSAm13Kla7MSDL1iEwlkNDq8rGsT3_8rAXF6gsaBQ84wU7RYB4mXEXsYq0gFDrLQGERnEl/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRf7lFvJnnmvjBpQS2hBk16jA94_iHRnMs7_xYGcWvJRi-2dQCXHeaKfjj8lqDcUmG8MbU2_XyfMn-a/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRgtRHpzv2mfl6Ii1z1V3saMlQiA4kRZbfMjd4glrDzXu4Mx7AO4RodFJgmJLcgOmgANDYsljDjYqNn/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRJtXpsUCiHladmThehUuaGaPvNA9VkmgdqSlBKpCcNT93cqeOFb0gjoR5KutH7f5_oeCKUg4EZMlzl/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRlEu9lSnGhf_x5JGkQJrFS5NWRi-88gXcAJa9yNdRzJoZm6FhGhM1mbMMTZo8HdZpHjLUv0WlKw0es/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vS1pEmY5kmv4V6sQ7UNUMcwk18gsp6ETFzv6DGecZOXU19VK5P_NAiLY8_6Alfhe_TNykfEygD3i_UU/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSKOqk6ag67OHl2Mk54ADDVlXMdgwz_3Lqldx1EkPVehl9v_9ywxrqllLU4SjiZWSGSHGFJZb9bHG1p/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSM6GKqOeWjEh2PfR_H0dP8bvcTxOfjXsqVVnDL29ceMmSF4kz2uaDrvjyt1LwGF8ukmsCY-sMa34YN/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSOq6cS13HHkMKuFP8BKkZPed561DUyLwiskgy8uX02-6Uqei6imKgF8NS78Qv0r3WnjgROFbYgjyyD/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSU1rJa3yMtW6vXeihCzK695N-spOphRfwQ1iCiTuv4W8hNg3JSFTsRIsggd7l6kzuFwiVB0jKa5Y3g/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSw8vir5Y9plQkCuAxjgmVlTOnI671vIzs_6hLv4LM2MbxntUAtYjEudrkbM-Nmg6BZ1UH42GsOPBUy/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vT7Nfz2LlFfe4OzGrLP-F-tEZXR1UfqsDcEOxxDd2HEa39gwxQxmiFtsfsdgCKxJ_3kIalFwed9Us7B/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vT_q1IiiG31N5svdtCQuF91sQpC_8qKOKKqbf4WG_KOYr3tAsYOP0chCgznAn5jAUOBVKauu-9-N9Qi/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTku9R9HwOVre3LgWrw-myaxun_eudBpgvFFt_5Jh_l1RK8C8j9950SlLlG0r2IbWoG-JN1QYvsYYtl/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTqrWv-xt7Pe0yw22SdBCNHz3kXPWfqIoAPjbXHUE_sjUktRn7M8v-2d4g2jvyglSGt4EZGEXbecbXG/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTtwsSk4MWtsc4zgz8ZYvLDsH2Q4dJ4NLGUpVZu5OpMxa9bJxJ2IPePfZHGV2Jw80BkO0Yav_bUe1Sk/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTWADwvXDs2xfqC1DgH6RE7JJ_I0UAR1z9cF--Ta1tIhFHApIXg7lVLczwiOBfRhypgSwtGLOJprSMh/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTyhCYxQ8-QiGYJIFiCg9eKeYOVmgs2ciXS4gSDsaXz7cQaa7vBTtmjzsoLn8ruSWDgtBLWqmkXXQp3/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTzLp4KPycaBYR456_IfFi4gGPJT0wlvG7qRWRnFYtbf2qVkS2qYGS5ANYglmvqFIHAR6o5JqVhU8d9/pub
 MALDOC DISTRIBUTION URLS
 https://asianmedicaldevices [.]com/helper [.]php
 https://asianmedicaldevices [.]com/oriental [.]php
 https://asianmedicaldevices [.]com/sunstone [.]php
 https://dev [.]triamanggala [.]com/fulmar [.]php
 https://dev [.]triamanggala [.]com/smoother [.]php
 https://espectaculos [.]empresasuv [.]mx/incise [.]php
 https://hseconosur [.]com/student [.]php
 https://hseconosur [.]com/transhipment [.]php
 https://ieltsbritishcouncil [.]co/romanticize [.]php
 https://ieltsbritishcouncil [.]co/steamed [.]php
 https://loyalty [.]kkcoaches [.]co [.]ug/navigability [.]php
 https://loyalty [.]kkcoaches [.]co [.]ug/osteologist [.]php
 https://loyalty [.]kkcoaches [.]co [.]ug/quinbinary [.]php
 https://loyalty [.]kkcoaches [.]co [.]ug/racist [.]php
 https://metastudies [.]gr/croatian [.]php
 https://metastudies [.]gr/dropper [.]php
 https://operations [.]kkcoaches [.]co [.]ug/blinds [.]php
 https://operations [.]kkcoaches [.]co [.]ug/honing [.]php
 https://operations [.]kkcoaches [.]co [.]ug/paperless [.]php
 https://sma1sapuran [.]sch [.]id/outgrowth [.]php
 asianmedicaldevices [.]com
 empresasuv [.]mx
 hseconosur [.]com
 ieltsbritishcouncil [.]co
 kkcoaches [.]co [.]ug
 metastudies [.]gr
 sma1sapuran [.]sch [.]id
 triamanggala [.]com
 HANCITOR MALDOC FILE HASHES
 07ac3c85d62db7c650df8095aa693d0e
 364f80a5b16841597256388191a2981e
 6800a4b6c4f2f1bf98db25b2175ab1f9
 7bfa20649012bb4d7a38331cb1f1439d
 8e0ea61f2cf1c3b999f19184caffd82b
 914f4441e94cf5e2fcb1bed512ca9bc1
 94d5a498c40c795a24fc127db09e9806
 c9374d2cce44359478c4f56d2f0d67e1
 cefdb562f6972e78309b165b125f4055
 ee654e3a199b6ddd2da0dd7ad854ed80
 f98badc4dbe19eddac7464bca1933067
 fc7fac4b8e77b228f967cd25c39476fa
 HANCITOR PAYLOAD FILE HASH
 MsMp [.]dll
 3737ff2818c3648a90028e695bd0ad31
 HANCITOR C2
 http://cametateleb [.]ru/8/forum [.]php
 http://divelerevol [.]com/8/forum [.]php
 http://polionallas [.]ru/8/forum [.]php
 FICKER STEALER PAYLOAD URLS
 http://tren0 [.]ru/6jhuy675rt [.]exe
 FICKER STEALER FILE HASH
 6jhuy675rt [.]exe
 77be0dd6570301acac3634801676b5d7
 FICKER STEALER C2
 http://sweyblidian [.]com

Previous articleSSDEEP Hash – Threat Detection with Fuzzy Techniques
Next articleSolarwinds Hack – Mapping the Indicators to Mitre att&ck framework
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here