Threat Intelligence – Hancitor Malware Latest IOCs

0

Credits : Research by ExecuteMalware


Indicators of compromise

THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD NUMBER
&BUILD=1404_cms3

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ-224H9A6iDAQ6U-l03Itt3SvGJ393W3UZnUo84oGuRyI9VDDSRv8Jqjadj0_xeXjhUJX1xdBdwZiv/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQiXIwZq6O-2mqxpqYhZDhKlJJV97yBKo73IgwIrUkC3YJ1rLAQOgkVz5FNfacYRRw1RoOFjeF7O42R/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQqCOQq2I-op4sQ-v71x0GPo_g8D68cB2nLa-7iFP_ef6QFKOl_lURZaX26kE71nMETKNsrTNg41-mg/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQTJGF_WMM2rr4Ix_8zAqlXQSOwIWsW5i8pJkwRUQ1_gvteHKzzhhYLcaQq6c1XDPr296DKRggA1MPr/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQyaQ9UBucuBhoOwDdv4zMc56MBN3QIybWotravTPfuB9e_BiQvcs2t9ek1fpLaXUyqw8yR3i59r7rb/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR2p_LXhFiLmbvMlVvvkpENTyzTnHNZy9v95P9AGp0aa_rEuXFYunqYdR96dGRrpiPivdpLEt9i9Wez/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR6iFZpo_hum1YnN1J0_Pl2D3FFA-TB94Hm6DPy1eKC4aJEcp_AurcquA-Ajr1MpbgBeE0J-kTBojyH/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR71RnzzketwEfW9Zue4V1y1RsE7brU6B0_DGjzWvVgw8V2Lwfc8SeOz8L5uI8h5ZTmFzUnv7HwDSo9/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRGNG8LoZZ2_X62k5bZTslZ53xjit7BNQnSaklEBLA0UVXp8qWS7Ts8oNJyOK1Lf4lUyeg7awK7cQqf/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRhg3gW_JTA57qulB791mavWthd9iNgl7t-HNco2Ecw5XbE45KZya3UixDnEFjUaRGKlaeUwAfJRu1d/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRkusDQTwwkAoNZW9QudDYX9MyXhRV9DkutqS3Y84nD1B2MFxu8hU5pTz4Z6mlyhsiHM2DT1OHnq36A/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMIB1sttREz2KvN-R-1x5vrEr9k6WVCSaaWDOhxogQQTNWlWEI8VNNU_yti_UtL3cXIwt-uTZb59S_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMZaziwudwRZYeaANdYES293p_T2e4ov3ug8cfw1VHKt8bfCuZLnG4zxLCbOdaiUDX1QHNxj_tysRY/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRnNp2lfALCZs6iRZx_nCNrRfaFES7Kh_fCxD1mSrjpukhD3hslGSnSRnW76b7aiuYhqGKVoiJLYTAP/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRsM4dmcGR3H4JQP_tsOAWJFb9Ve26gokFx6oy-gl1W_DdxZMsszEirAUEijF2DiR9DskIuAfUlTSVa/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRUzSaJL3XlseYzQ63NwOXFyV7IOq_RHeswm93MRDBgmuR6R2VZeSP_f5-rnTOVY-q9O1RJ_Mfn-qB7/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSdKkvy22cOYiCGIwvp4df0rNoPvHnKRtiA2isNMQ1pOMzy5iH5v_8vrbNzbQFgu5TDh6S-M7QrJu98/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSgex8_vX-681ByTpjhpA_-yXkYu1FW3aiibkSLThyStLge9b0wz30-W0lhVUowCYN3nPRK-xzW24uc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSwJaRlXz2WZAM0NkMpiN3QmBOUi78Uxn-no2X4oQkgwF2Oy7twgOsSdM7JqA_vSZ6sAc3JOSnYu6Xc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSZs-QkOj-4-ItQ5ca3208-EU4IEuy6_j0P9omwb2RPH1pbLdaLVwM5HkBrw1FzP2qkEDVV0qBZRfRE/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSzwnAaqGk9A0xjUcnF7BDylSrreBqpekwR53_QNEaUpZRf94kwKCqf5Yxh7bgd6FycsV8c4CRvGuso/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTavxc7NWrBJcldmMvsiA9obUhd8dBLPKSS3fKAWYFFoGd4m8XA9dGbOnbxPb-n6XYh_R_sUmIfyjHp/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTDBAHr0CwfmYca9m-w0gxuVxXvrHRRiUb_MH7vxfN1lHsyaOtOyAlqr4eW1TWjYfF3UyxIGicl39N_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTIvRH5DQv2UZjyfFcucJHhrbhCVCX311_1dvv4PMOTrgAKZe_SkadR3EDfYEWRpaFaXMwjJg-LJ-AB/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTKJU-kDUo2CEx3IUIw_k-3tHfx1LDUZIRa7edF2wrMc5IEulqBe_uQzg34ir5YJJqD0OziimIeIiZD/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTMn7m538M-Qw07_R24RizjPtkMRRJcTh09OsV-YMjzQ2iQwc_MFUylxNSvt4AGRfqkj2dwOaS7zXHU/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTnDIwoEtUVlS9BXCnG6HbRxdN9PHkYeGETWjabtpP2ADwxTQXSdvNEDkrdVCXgZ-McY1axdzTnit-W/pub

MALDOC DISTRIBUTION URLS
http://3 [.]133 [.]244 [.]105/sedentariness [.]php
http://somdeeppalace [.]com/comer [.]php
https://aarambhaad [.]com [.]np/anointment [.]php
https://citricadvertising [.]com/purgation [.]php
https://citricadvertising [.]com/snuffbox [.]php
https://impactmarketingservice [.]in/fuchsine [.]php
https://impactmarketingservice [.]in/whipsaw [.]php
https://itco [.]pe/shelly [.]php
https://merinocraft [.]ro/tearing [.]php
https://merinocraft [.]ro/unbroken [.]php
https://natural-healing-central [.]com/factorization [.]php
https://www [.]educacionvirtualavanzada [.]mx/inexact [.]php
https://xtracomsolutions [.]com/indispensable [.]php

aarambhaad [.]com [.]np
citricadvertising [.]com
impactmarketingservice [.]in
itco [.]pe
merinocraft [.]ro
natural-healing-central [.]com
somdeeppalace [.]com
educacionvirtualavanzada [.]mx
xtracomsolutions [.]com

HANCITOR MALDOC FILE HASHES
1193060c6c356ad35f3f1b778875f4de
19ecb07f51990d8392d06d7ed6f14c0b
2ab27e26b3643139a9d8cb99ba60738d
2ac587024def64ac26a7cf94e5741644
47a7996165733631a1f5b269e39bbd09
5edba41a1dd5184586b1251670bf19dc
60201a46d43c5da51c6ae5aa0329439d
c1f0fecc46b150bbf46e03134b5454d1
c8a7735dcc286e70031983c5bb419f0b

HANCITOR PAYLOAD FILE HASH
edge [.]dll
e5cf2f65aeb1ff4d8e40b0e73860cb75

HANCITOR C2
http://dingulbolies [.]com/8/forum [.]php
http://culadinces [.]ru/8/forum [.]php
http://coliessrass [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URL
http://qm30098 [.]ru/6jkiojdfssd [.]exe

FICKER STEALER FILE HASH
6jkiojdfssd [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com


Previous articleThreat Intelligence – Trickbot Malware Latest IOCs
Next articleThreat Intelligence – AGENT TESLA Latest IOCs
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here