Threat Intelligence – Hancitor & Bazarcall Latest IOCs

0

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD
BUILD: 2903_21387h

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
b@fargoforecast [.]com
buohos@fargoforecast [.]com
dziizyx@fargoforecast [.]com
etmaoqe@fargoforecast [.]com
foqaes@fargoforecast [.]com
g@fargoforecast [.]com
gmcuwsi@fargoforecast [.]com
huvejay@fargoforecast [.]com
i@fargoforecast [.]com
jasoimb@fargoforecast [.]com
jumyba@fargoforecast [.]com
kil@fargoforecast [.]com
lezyytu@fargoforecast [.]com
neuemrp@fargoforecast [.]com
nlwl@fargoforecast [.]com
nuvkixy@fargoforecast [.]com
nuwaemx@fargoforecast [.]com
opemcei@fargoforecast [.]com
potoike@fargoforecast [.]com
umguva@fargoforecast [.]com
voerqe@fargoforecast [.]com
wycodd@fargoforecast [.]com
y@fargoforecast [.]com

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ1k5haNY3R3DYdn4KoE3WOWJ_0YbFYYpoI–8Pr__v-3trX-Sg4KOVXJSgLZKWP_Mr7gHOIEzun1e7/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ1KAK7aaqzgKFJkCXrYTOcft-AFuS7LxQEYNTSklrAo-Hwxir8iAiD89s7t97UUFWZfajga79ntRaw/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQMw5Ox8cjE4orkyf060C6LjyHeUgoco7kI5NVedLK_QgPvJRgShjqMUXIosfmtLmjm41FwuAB5RHob/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQoG6vVOGpLgZyY5cggjzHNaGwqt-M4ysHkK5bVmn6NNSbisNeCUbhq2l_tXnY1cgDI5qFZT5FpUR22/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQwGz-YYSXW8Gy603rOoZXOCj4oza87GANBvZn-gW92UKzk0XZliyDizziOe7_W4XcyJ3ojyMssz5Li/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQWIIBWB8IVZvm-d80llrww4_pIQzGb_skH4fVirRfkUjC3hZc9I9b_yuS89dtSFx3mocsS47heNfiP/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRfclJ-5wm88C7kfUmrxIYAZyIc32NTQJZGwOpT4wNLsJjlH7TYL-AGhE98XVtT2EmKH6Z_J7BalRbI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRM820mzzUiMnq8fNVUlj-Y0-qvmrdCsvnLNkgRQu1pMwzbAgmKTdpGqPf5RlR5Gq1-s1hiQVmcFa6Y/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRTsKwyv9_Mlv70s15f5OvEqWr8TjkYubswwcjxwv6BQ5d1mXDflfZ7P3N6ELIbFfY6Nbvhb48U4mZ-/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRtzzvX7R5nATANdr3E67WE-_UFTRzuxtBHNVfOI6ew6kLbOMQUDmWCiV4d1w7TsrchxhppYZ_D9WVv/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRudi0dfzvK6TV586FWkJo3UiuqXByg-sK2lHFwbuH7QLi7xgj9_aXY7qE7jJknJEE2DaC_KRgwIVvo/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vS_1zHfjW9Z7PXSgGYu_t8BaBZ3Lo0EauSBjSe2e9vCqz2CATpIRoVVPCvQUJvUS4IrFVTanKV2ZpFJ/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSKSYNEgU5H8pcIXVLkyXTnM_GMy4KGj1rycaEJZlEDtGjzgc96ZdMgNDLYSG95wfJX5npjLcxXpOfW/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT2gTBGFNVb9Jer7vMQfiYVvlVCp18Q56Uf0wpU2oHDYxOyolZP8hR98XkqunQXfpKafWXO6scmEVGA/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT4cKVYcBgq7bhS4sRZy0uEhmmAGqdE4YRZAhbwii_mOVfPS3JJxIaK6BR72PdPAKGyjudYez34K4jI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTOF0TUFykX588-rc_a7rHZ0r2G72MKHKX7MYjL4XKnQIDJqJYrNuemN2uYFH8mPZkiqbK-jtM0x25L/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTPOf_OxJTqxaPDirVmUIjwpWSADfGpdJCmTzyP2eksu3sa2YntM3T5Un1eYtjXzmnK2xd5oitPlaoJ/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTwUTDdPyAtmnrIB7S32qKVsw6QVuHrKB11vhKn1BMv-9FugDuMsJFbNfbtGap245LwMBhLlXBjjNfB/pub

MALDOC DISTRIBUTION URLS
http://necocheasexshop [.]com/reversibility [.]php
http://necocheasexshop [.]com/subnormality [.]php
http://razwerks [.]com/crier [.]php
http://razwerks [.]com/epicurean [.]php
http://tlfthelifefactory [.]com [.]au/aquiculture [.]php
http://tlfthelifefactory [.]com [.]au/cyanosis [.]php
http://tlfthelifefactory [.]com [.]au/explored [.]php
http://tlfthelifefactory [.]com [.]au/wizened [.]php
https://demas [.]tech/arraigned [.]php
https://demas [.]tech/bleeder [.]php
https://demas [.]tech/defecated [.]php
https://demas [.]tech/goldfish [.]php
https://emiratesminning [.]com/ext [.]php
https://record-israel [.]co [.]il/prothalamion [.]php
https://uniquewebservice [.]com/shovelsful [.]php
https://www [.]oacts [.]com/forehand [.]php
https://www [.]razwerks [.]com/maxim [.]php
https://www [.]razwerks [.]com/workaholism [.]php

demas [.]tech
emiratesminning [.]com
necocheasexshop [.]com
razwerks [.]com
record-israel [.]co [.]il
tlfthelifefactory [.]com [.]au
uniquewebservice [.]com
oacts [.]com

HANCITOR MALDOC FILE HASHES
2c9a441be8cfb3aad3e11e0dead70f90
8368ff71e252a7f4f9cca096f960c372
8e14056b96b9707d4ecde884fcb8a48b
9421fadb1a0deea4af0d039df07602d9
94b64acb4498129f3551f48c8aad4ec4
9c6bdac4a903bc77f49e33ab6eecd6e9
c1f0517a9df9cbcfdb9bfc61c02b44e0
c87c6d11cd68e5090f4346daaaa88131
cd23383155515a64ac8329129bf4ec1d

HANCITOR PAYLOAD FILE HASH
Static [.]dll
e85bb81c96515538f804ef7230bb47a6

HANCITOR C2
http://probassita [.]com/8/forum [.]php
http://frobenalini [.]ru/8/forum [.]php
http://proubleblecilm [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URLS
http://clublifes [.]ru/6jiuu8934u [.]exe

FICKER STEALER FILE HASH
6jiuu8934u [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com

Credits : Research by ExecuteMalware

THREAT IDENTIFICATION: BAZARCALL

NOTES:
I did not get a payload after the initial /campo/ url [.]
I saw failed DNS queries to 5 of the older web site domains
I did receive a few [.]exe files by manually visiting some newly found domains [.]

DNS QUERIES TO:
imerservice [.]net
merservice [.]org
icartservice [.]org
imedservice [.]org
icartservice [.]app

All returned “Server Failure”

SENDER EMAILS
icart@icart [.]com
inf@icartservice [.]com
info@icartservice [.]com
it@icartservice [.]com
service@icartservice [.]com
site@icartservice [.]com

SUBJECTS
Do you want to extend your free period 032911349855?
Do you want to extend your free period 032971082739?
Do you want to extend your free period 032992342492?
Do you want to extend your free trial 032914360334?
Do you want to extend your free trial 032929965053?
Do you want to extend your free trial 032960551023?
Thank you for using your free period 032911349855 [.] Time to move on!
Thank you for using your free period 032959551266 [.] Time to move on!
Thank you for using your free trial 032928460385 [.] Time to move on!
Thank you for using your free trial 032942918497 [.] Time to move on!
Thank you for using your free trial 032967802762 [.] Time to move on!
Thank you for using your free trial 032983352838 [.] Time to move on!
Your free period 032924713704 is almost over!
Your free period 032928460385 is about to be over!
Your free period 032931754105 is going to end!
Your free period 032937843104 is about to end!
Your free period 032942918497 is going to end!
Your free period 032943423209 is going to end!
Your free period 032945874491 is going to end!
Your free period 032959316990 is about to be over!
Your free period 032971082739 is about to end!
Your free period 032992342492 is about to be over!
Your free trial 032976172338 is going to end!
Your free trial 032990118057 is going to end!
Your free trial KMR59157203 is going to end!
Your free trial period 032901433429 is almost over!
Your free trial period 032926747691 is almost over!
Your free trial period 032991478849 is almost over!
Your free trial period 032995250960 is almost over!

LURE PHONE NUMBER
Not available

MALDOC DOWNLOAD URLS
https://buyimers [.]us/unsubscribe [.]html
https://geticart [.]us/unsubscribe [.]html
https://getmers [.]us/unsubscribe [.]html
https://gobcs [.]us/unsubscribe [.]html
https://goimed [.]us/unsubscribe [.]html

buyimers [.]us
geticart [.]us
getmers [.]us
gobcs [.]us
goimed [.]us

MALDOC FILE HASHES
01e837d28214d80ebd2b296c396b44ed
130893af30fcf98c0aa40aa046830aab
53a5ee3ae476003221d1c8dbb66f9002
53abb39593ba0a09f533b7c3be943095
86304059c0a7afb48f2cf6adde54ba0f
89ed9bbd3cc6ce767bdf1367ee7286d4
b7e521668beb98038c2cff9c6da9caa3
c73b781aeefa1ead369ed213578eba80
d27359706233d20207bc02e0a100bd42
dc2169f92205f6ed5e66fd475bb86b04
e6b545518ac11fc9b76182ce9ad120fa

PAYLOAD DOWNLOAD URLS
http://veso2 [.]xyz/campo/r/r1

ADDITIONAL PAYLOAD DOMAINS
gobcss [.]xyz
buymers [.]xyz
golmed [.]xyz
gtmers [.]xyz
igetcart [.]xyz
q1x250gr0ln2icfa [.]xyz
q2jac2w68xl5r2z [.]xyz
q3w52umx3kaa3u [.]xyz

ADDITONAL PAYLOAD FILE HASHES
1617039449 [.]exe
18a727ec5e32a9d13250578e93b3cc47

1617039629 [.]exe
2caa8c254710493f9d82331899d0bf31

1617039451 [.]exe
6535026f586eadf50f8f2d3dc8bab785

Previous articleThreat Intelligence – Bazarcall Malware Latest IOCs
Next articleURL Redirection – Prevention and Detection of Malicious Redirects
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here