Threat Intelligence – HANCITOR Malware Latest IOCs


Hancitor (aka Chanitor) emerged in 2013 and spreads through social engineering, mainly phishing emails that carry either a malicious link or a weaponized Microsoft Office document with an embedded macro. The campaign tracked here uses DocuSign-themed lures that lead to a Google Docs landing page, from which the maldoc is fetched from a compromised site; the maldoc then retrieves the Hancitor payload, which in turn pulls a Ficker Stealer executable. The latest indicators of compromise observed are listed below.


Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD NUMBER
&BUILD=0704_scxe

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
19 sender addresses were observed, all on [.]com domains; the local parts and domain names are obfuscated in the page source ([email protected]) and are not recoverable here.

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ8sgMrw4Y6uzuy5Sct0vOFS4lHr_rj6-L4ld2qijj-xJNIPQAUxDpX5mxnNmxWhqd6YJbNBIiWstTi/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ_usou7tDRcDZU8hx5Nc26wHDdlLXaGjp2cv8JHFPlZJbSf6GIZOKhgOwpoPr7xar6dz_wRJAxOWev/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQdn84kAA3U6gGp5LtHJ9_KpRNuhs-BcTf3EtJ8QDfJF5eX5rPN7gw421LKR-frCjzR-n5y2g53FBun/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQjBRR7kz1n0OqKPjirbg8O6CcBF0Ofhe636SBE-S-vKvcJKfc_gthWAWcRtyFh4EGRnswsRKb5Ss_k/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQwK0gtj7HiCdxp2H_DAL6Ufhuxpbdg8XmpGyi2hjD4eUdjBVk5W2WvUWI-T4LZBSDTCUrx34zEOZTN/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRBAdUu58td4Ovr4yuy3GiFEzW0E0uY7ysFRtASmgNs64irOsebkwdK3WuXSO7Ycg1WkVDujZ6LEc49/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRIzYn_nQOPMNpFfO1u1s-oW_bmJpjhQXuvTQahjnpR3AP9S6VBg1DMd4njkNKYDbhJVqw5-Ha7PJ64/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRjAthVvGFRonXQG4gsuab9bqoH467TEqUPZw2_cFO8Fyeh5VTm-ckCiX5wD3D2yEb0u4CsO2lSEKv0/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRJQjgqU-78FRpffuwB7UdDE7YlWnB2NWTXbJq8k9AyhZx8oaWI6iRBno0I_pWqxr5S4QbFXifu7X4n/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSHn-kBOtunJVSN73AaxTxP10A4fmD72cg5NKS1lIjiNwUtO12UZardWN8XFAPCXvjbed4ve4KxPLyx/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSlkF6AAdiiVVUeHLbYvSopcbm2DGbEPoUwK4B6KA2YZWogtrwGTGQiKMzAsGXnUSYDqQgTCNYllIIT/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSWeH6EtBiYKzlGOTm8gx53_ruELGohXgOUToOrgEyDRMxIwI4xgGOV076lFUTfHuTeUnXYAEVW-5tK/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT-Qve9km4E1lLd9IcTzBFGPFHm_G-aR48HBWVF8FtPxh8PCcbGbV3JYetrTfTjoWXfU8ngd9vLUW23/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT33281lMXIJoPgUsciT8gPWvYhTQmvlAxr8pUANCiLtqLZJdGCfKrsDS4PK8IBjDfaPg2ROAZBH7tr/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTaAMuJcabO61pA_ezeRm7ZXcc88ikS0qqYJ7Melzx_xsNWxSDzZ_NHFDn72HuNuh3CZQHWbWjSMky0/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTpjko79htJXUB_U-HeB-YeJemi_bShpp4ZgJG0-u0LUKJShOZ6TTtalBoo1egjpL-U5yZsgvQW6egE/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTY8Nd7L3GankqR6bKDnSPy91dDenDbTXHPFuv4oY4OrUEcHNQ3c3jsCUGEjo4PLi-vq18t6PvrdDmb/pub

MALDOC DISTRIBUTION URLS
https://aklatdelmundo [.]com/ditty [.]php
https://aklatdelmundo [.]com/holler [.]php
https://jollygul [.]com/ford [.]php
https://jollygul [.]com/nipple [.]php
https://kabimmo [.]com/seclusion [.]php
https://kabimmo [.]com/struggler [.]php
https://medicinainterna-critica [.]com/lubricant [.]php
https://quickcompanyreg [.]co [.]za/accordion [.]php
https://save [.]makemoneywith [.]website/housewarming [.]php

MALDOC DISTRIBUTION DOMAINS
aklatdelmundo [.]com
jollygul [.]com
kabimmo [.]com
makemoneywith [.]website
medicinainterna-critica [.]com
quickcompanyreg [.]co [.]za

HANCITOR MALDOC FILE HASHES
26f6537ae7eab818013eb021f54c46d2
6541b3e2c5a8f86531721ec1d417be6c
7fb1cc93b51cf6db68ae20bdbd197023
882ea66f8685633ae0195060dc60076f

HANCITOR PAYLOAD FILE HASH
MsMp [.]dll
8ee94ecdec0de4f4e60e589dae57dbdb

HANCITOR C2
http://windetheta [.]com/8/forum [.]php
http://undereasus [.]ru/8/forum [.]php
http://frougelylo [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URL
http://67xfjk [.]ru/6jhu8yhd [.]exe

FICKER STEALER FILE HASH
6jhu8yhd [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com
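The list above is only useful once it is turned into a check. The following is an added example, not part of the original report or of ExecuteMalware's research: it refangs the "[.]"-defanged indicators from this page, matches them against proxy log lines and mail subjects, and flags the Hancitor check-in by the BUILD value given above (POST to a path ending in /forum.php with BUILD=0704_scxe in the form body). The log format and the sample log lines are constructed; the GUID and INFO field names in the sample POST body are an assumption, only the BUILD value comes from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the list above, kept in the page's defanged "[.]" form
# so they can be pasted in as published and refanged programmatically.
DEFANGED_DOMAINS = [
    # maldoc distribution
    "aklatdelmundo [.]com", "jollygul [.]com", "kabimmo [.]com",
    "makemoneywith [.]website", "medicinainterna-critica [.]com",
    "quickcompanyreg [.]co [.]za",
    # Hancitor C2
    "windetheta [.]com", "undereasus [.]ru", "frougelylo [.]ru",
    # Ficker Stealer payload host and C2
    "67xfjk [.]ru", "sweyblidian [.]com",
]
DEFANGED_URLS = [  # two of the Google Docs landing pages; add the rest the same way
    "https://docs [.]google [.]com/document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub",
    "https://docs [.]google [.]com/document/d/e/2PACX-1vQ8sgMrw4Y6uzuy5Sct0vOFS4lHr_rj6-L4ld2qijj-xJNIPQAUxDpX5mxnNmxWhqd6YJbNBIiWstTi/pub",
]
MD5_HASHES = {
    "26f6537ae7eab818013eb021f54c46d2": "Hancitor maldoc",
    "6541b3e2c5a8f86531721ec1d417be6c": "Hancitor maldoc",
    "7fb1cc93b51cf6db68ae20bdbd197023": "Hancitor maldoc",
    "882ea66f8685633ae0195060dc60076f": "Hancitor maldoc",
    "8ee94ecdec0de4f4e60e589dae57dbdb": "Hancitor payload MsMp.dll",
    "77be0dd6570301acac3634801676b5d7": "Ficker Stealer 6jhu8yhd.exe",
}
HANCITOR_BUILD = "0704_scxe"
# Every subject on the page has the shape "You got|received invoice|notification from DocuSign ..."
SUBJECT_RE = re.compile(r"^You (?:got|received) (?:invoice|notification) from DocuSign\b", re.I)


def refang(indicator: str) -> str:
    """Turn 'docs [.]google [.]com' back into 'docs.google.com'."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).strip()


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
# Landing pages live on docs.google.com, so only the full host+path is an indicator.
LANDING_PAGES = {refang(u).split("://", 1)[1].lower() for u in DEFANGED_URLS}


def domain_hit(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def hash_hit(md5: str) -> Optional[str]:
    """Case-insensitive lookup of an MD5 against the file hashes on the page."""
    return MD5_HASHES.get(md5.strip().lower())


def suspicious_subject(subject: str) -> bool:
    return SUBJECT_RE.search(subject.strip()) is not None


@dataclass
class Hit:
    line_no: int
    reason: str


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Match proxy log lines against the indicators.

    Assumed (constructed) log format, one request per line:
        <timestamp> <src_ip> <method> <host> <path> <status> [<request body>]
    """
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        _ts, _src, method, host, path, _status = parts[:6]
        body = parts[6] if len(parts) == 7 else ""

        d = domain_hit(host)
        if d:
            hits.append(Hit(n, f"request to listed domain {d}"))
        elif (host + path).lower() in LANDING_PAGES:
            hits.append(Hit(n, "Hancitor maldoc landing page on docs.google.com"))

        # Hancitor check-in: POST to .../forum.php whose form body carries the
        # BUILD= value from the page. This also catches the build on a C2 not yet listed.
        if (method.upper() == "POST" and path.endswith("/forum.php")
                and f"BUILD={HANCITOR_BUILD}" in body):
            hits.append(Hit(n, f"Hancitor check-in with BUILD={HANCITOR_BUILD}"))
    return hits


# Constructed sample log. The GUID/INFO names in the POST body are an assumption;
# only BUILD=0704_scxe comes from the report above.
SAMPLE_PROXY_LOG = """\
2021-07-07T10:02:11Z 10.0.0.15 GET docs.google.com /document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub 200
2021-07-07T10:02:15Z 10.0.0.15 GET aklatdelmundo.com /ditty.php 200
2021-07-07T10:03:40Z 10.0.0.15 POST windetheta.com /8/forum.php 200 GUID=1234&BUILD=0704_scxe&INFO=WORKSTATION01
2021-07-07T10:04:02Z 10.0.0.15 GET 67xfjk.ru /6jhu8yhd.exe 200
2021-07-07T10:05:02Z 10.0.0.22 GET www.example.com /index.html 200
""".splitlines()

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {h.line_no}: {h.reason}")
```

Two points worth keeping in mind when adapting this: docs.google.com must never be blocked on the domain alone, which is why the landing pages are matched on host plus path, and a domain match on a compromised distribution site such as aklatdelmundo[.]com says only that the host served a maldoc during this campaign, so treat it as a pivot for triage rather than proof of infection.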


Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder and Author of Soc Investigation.
