Credits: Research by ExecuteMalware
Indicators of compromise
THREAT IDENTIFICATION: HANCITOR
HANCITOR BUILD NUMBER
&BUILD=1404_cms3
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
[email protected] [.]com
MALDOC LANDING PAGE URLS
https://docs[.]google[.]com/document/d/e/2PACX-1vQ-224H9A6iDAQ6U-l03Itt3SvGJ393W3UZnUo84oGuRyI9VDDSRv8Jqjadj0_xeXjhUJX1xdBdwZiv/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vQiXIwZq6O-2mqxpqYhZDhKlJJV97yBKo73IgwIrUkC3YJ1rLAQOgkVz5FNfacYRRw1RoOFjeF7O42R/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vQqCOQq2I-op4sQ-v71x0GPo_g8D68cB2nLa-7iFP_ef6QFKOl_lURZaX26kE71nMETKNsrTNg41-mg/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vQTJGF_WMM2rr4Ix_8zAqlXQSOwIWsW5i8pJkwRUQ1_gvteHKzzhhYLcaQq6c1XDPr296DKRggA1MPr/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vQyaQ9UBucuBhoOwDdv4zMc56MBN3QIybWotravTPfuB9e_BiQvcs2t9ek1fpLaXUyqw8yR3i59r7rb/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vR2p_LXhFiLmbvMlVvvkpENTyzTnHNZy9v95P9AGp0aa_rEuXFYunqYdR96dGRrpiPivdpLEt9i9Wez/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vR6iFZpo_hum1YnN1J0_Pl2D3FFA-TB94Hm6DPy1eKC4aJEcp_AurcquA-Ajr1MpbgBeE0J-kTBojyH/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vR71RnzzketwEfW9Zue4V1y1RsE7brU6B0_DGjzWvVgw8V2Lwfc8SeOz8L5uI8h5ZTmFzUnv7HwDSo9/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRGNG8LoZZ2_X62k5bZTslZ53xjit7BNQnSaklEBLA0UVXp8qWS7Ts8oNJyOK1Lf4lUyeg7awK7cQqf/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRhg3gW_JTA57qulB791mavWthd9iNgl7t-HNco2Ecw5XbE45KZya3UixDnEFjUaRGKlaeUwAfJRu1d/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRkusDQTwwkAoNZW9QudDYX9MyXhRV9DkutqS3Y84nD1B2MFxu8hU5pTz4Z6mlyhsiHM2DT1OHnq36A/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRMIB1sttREz2KvN-R-1x5vrEr9k6WVCSaaWDOhxogQQTNWlWEI8VNNU_yti_UtL3cXIwt-uTZb59S_/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRMZaziwudwRZYeaANdYES293p_T2e4ov3ug8cfw1VHKt8bfCuZLnG4zxLCbOdaiUDX1QHNxj_tysRY/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRnNp2lfALCZs6iRZx_nCNrRfaFES7Kh_fCxD1mSrjpukhD3hslGSnSRnW76b7aiuYhqGKVoiJLYTAP/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRsM4dmcGR3H4JQP_tsOAWJFb9Ve26gokFx6oy-gl1W_DdxZMsszEirAUEijF2DiR9DskIuAfUlTSVa/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vRUzSaJL3XlseYzQ63NwOXFyV7IOq_RHeswm93MRDBgmuR6R2VZeSP_f5-rnTOVY-q9O1RJ_Mfn-qB7/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vSdKkvy22cOYiCGIwvp4df0rNoPvHnKRtiA2isNMQ1pOMzy5iH5v_8vrbNzbQFgu5TDh6S-M7QrJu98/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vSgex8_vX-681ByTpjhpA_-yXkYu1FW3aiibkSLThyStLge9b0wz30-W0lhVUowCYN3nPRK-xzW24uc/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vSwJaRlXz2WZAM0NkMpiN3QmBOUi78Uxn-no2X4oQkgwF2Oy7twgOsSdM7JqA_vSZ6sAc3JOSnYu6Xc/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vSZs-QkOj-4-ItQ5ca3208-EU4IEuy6_j0P9omwb2RPH1pbLdaLVwM5HkBrw1FzP2qkEDVV0qBZRfRE/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vSzwnAaqGk9A0xjUcnF7BDylSrreBqpekwR53_QNEaUpZRf94kwKCqf5Yxh7bgd6FycsV8c4CRvGuso/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTavxc7NWrBJcldmMvsiA9obUhd8dBLPKSS3fKAWYFFoGd4m8XA9dGbOnbxPb-n6XYh_R_sUmIfyjHp/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTDBAHr0CwfmYca9m-w0gxuVxXvrHRRiUb_MH7vxfN1lHsyaOtOyAlqr4eW1TWjYfF3UyxIGicl39N_/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTIvRH5DQv2UZjyfFcucJHhrbhCVCX311_1dvv4PMOTrgAKZe_SkadR3EDfYEWRpaFaXMwjJg-LJ-AB/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTKJU-kDUo2CEx3IUIw_k-3tHfx1LDUZIRa7edF2wrMc5IEulqBe_uQzg34ir5YJJqD0OziimIeIiZD/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTMn7m538M-Qw07_R24RizjPtkMRRJcTh09OsV-YMjzQ2iQwc_MFUylxNSvt4AGRfqkj2dwOaS7zXHU/pub
https://docs[.]google[.]com/document/d/e/2PACX-1vTnDIwoEtUVlS9BXCnG6HbRxdN9PHkYeGETWjabtpP2ADwxTQXSdvNEDkrdVCXgZ-McY1axdzTnit-W/pub
MALDOC DISTRIBUTION URLS
http://3[.]133[.]244[.]105/sedentariness[.]php
http://somdeeppalace[.]com/comer[.]php
https://aarambhaad[.]com[.]np/anointment[.]php
https://citricadvertising[.]com/purgation[.]php
https://citricadvertising[.]com/snuffbox[.]php
https://impactmarketingservice[.]in/fuchsine[.]php
https://impactmarketingservice[.]in/whipsaw[.]php
https://itco[.]pe/shelly[.]php
https://merinocraft[.]ro/tearing[.]php
https://merinocraft[.]ro/unbroken[.]php
https://natural-healing-central[.]com/factorization[.]php
https://www[.]educacionvirtualavanzada[.]mx/inexact[.]php
https://xtracomsolutions[.]com/indispensable[.]php
MALDOC DISTRIBUTION DOMAINS
aarambhaad[.]com[.]np
citricadvertising[.]com
impactmarketingservice[.]in
itco[.]pe
merinocraft[.]ro
natural-healing-central[.]com
somdeeppalace[.]com
educacionvirtualavanzada[.]mx
xtracomsolutions[.]com
HANCITOR MALDOC FILE HASHES (MD5)
1193060c6c356ad35f3f1b778875f4de
19ecb07f51990d8392d06d7ed6f14c0b
2ab27e26b3643139a9d8cb99ba60738d
2ac587024def64ac26a7cf94e5741644
47a7996165733631a1f5b269e39bbd09
5edba41a1dd5184586b1251670bf19dc
60201a46d43c5da51c6ae5aa0329439d
c1f0fecc46b150bbf46e03134b5454d1
c8a7735dcc286e70031983c5bb419f0b
HANCITOR PAYLOAD FILE HASH (MD5)
edge[.]dll
e5cf2f65aeb1ff4d8e40b0e73860cb75
HANCITOR C2
http://dingulbolies[.]com/8/forum[.]php
http://culadinces[.]ru/8/forum[.]php
http://coliessrass[.]ru/8/forum[.]php
FICKER STEALER PAYLOAD URL
http://qm30098[.]ru/6jkiojdfssd[.]exe
FICKER STEALER FILE HASH (MD5)
6jkiojdfssd[.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian[.]com