Threat Intelligence – HANCITOR Malware Latest IOCs


Hancitor (aka Chanitor) emerged in 2013 and spreads through social engineering, mainly phishing emails that carry a malicious link or a weaponized Microsoft Office document with a malicious macro. In the campaign observed here the mails impersonate DocuSign notifications, the link leads to a published Google Docs page that points to the maldoc download, and the macro drops the Hancitor DLL, which then checks in to its C2 and retrieves the follow-on Ficker Stealer and Cobalt Strike payloads listed below. The latest indicators of compromise are as follows.

Credits: Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE

EMAIL SUBJECTS OBSERVED
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Service
You received invoice from DocuSign Electronic Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

EMAIL SENDERS OBSERVED
axsk@snowequipmentdealer [.]com
gai@snowequipmentdealer [.]com
golhyxe@snowequipmentdealer [.]com
hezuivs@snowequipmentdealer [.]com
hifoisu@snowequipmentdealer [.]com
k@snowequipmentdealer [.]com
lxutigi@snowequipmentdealer [.]com
oceyv@snowequipmentdealer [.]com
odefyqc@snowequipmentdealer [.]com
qiau@snowequipmentdealer [.]com
rofzole@snowequipmentdealer [.]com

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQk1Da72CGqMZMEQG6oXHSE3GPwcfO7p9ipdAFW6DwN1iOx5qhofWn-dtcAJEOHXYhG0X2qOjeEG9K_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQtmhc3dUYeRlP3Qa5f_W3pYqsLpm8GhMzKWXwtBrev1va6RwJoZa46B4H2eVtGkajMJ3_RqKMX5MpD/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRIhEId8jUJXA0_0enaj-8glZbnQmE7CwK2_FcKwCFhOVZr9hAPTqX7xJO-gr6NcohKe34ick1DzlIV/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRzObl6qf2Hjg43G9JDvah-BAW4aQ8rJFA53yTqIUHcmtpsTNtkiH07c10wI2Bxcghn75PtWBN8WmFU/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSFFEX1QJHB2_opTC1-USc6NqPQvE01ZNa_lxUhGEOpxaD4x4RgF0dmDEgZ-yPxV5AAYY-SMMPkn8l2/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSgt1N3W12ZP6TzDf4edMTib_0dOhJOgY0M3SBv1L2qLzZsBxkSaqRm869lmhxSrFTVZ_5Gj9d8_z8P/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSj_YIia7nLWcShxEbD4KFvcuDKwkl9GZvEi9HAnVgPklkr4nUmT5VD4MDiFL2K3sMLJh2ukEpJER-T/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSnfQTOjJ3LVldXHz6l8HbjyC8P0P7VDeSl_ol5HDdTCtGHFIPlchy58D17JBBdN3hiIj_jv7rIrYjT/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTSYQe4Zi3QiKrYekM9RXdOYc4_X05PcGwsgFhpVbiwMPNvK92Phfki96ou9il7QrhOJy0VzwNcMbUi/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTwIT1Y2B-FBRWxr_eyddj1pwOymlGd6BxwQl7OQ3SgTuKYXSAQO8q26wGDz96ZzjH_2vf4iPqAJlE9/pub

MALDOC DISTRIBUTION URLS
https://cluebazar [.]com/popularization [.]php
https://mail [.]daunhotmiendong [.]vn/craze [.]php
https://crm [.]basilrealty [.]in/uxoriousness [.]php

MALDOC DISTRIBUTION DOMAINS
basilrealty [.]in
cluebazar [.]com
daunhotmiendong [.]vn

HANCITOR MALDOC FILE HASHES
0303_11021160093261 [.]doc
8d4d32d950ff5ea791848fefae0c35bb

0303_9589344049041 [.]doc
1523d0044c726a057844b09925362ade

HANCITOR PAYLOAD FILE HASH
Static [.]dll
3f6a65b1cdd3a80bcf48d0df223070ed

HANCITOR C2
http://mainctional [.]com/8/forum [.]php
http://disrulaytin [.]ru/8/forum [.]php
http://puldefletat [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URLS
http://nvgeeforsegt [.]ru/6jhfa478 [.]exe

FICKER STEALER FILE HASH
6jhfa478 [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com

COBALT STRIKE PAYLOAD URLS
http://nvgeeforsegt [.]ru/0303 [.]bin
http://nvgeeforsegt [.]ru/0303s [.]bin

COBALT STRIKE FILE HASHES
0303s [.]bin
a46e64f8667a0c1dc2810c92c8453f91

0303 [.]bin
d7c42ce4f084c429185b994bbdd2fb68

COBALT STRIKE TRAFFIC
http://51 [.]81 [.]142 [.]72/uNPI
http://51 [.]81 [.]142 [.]72/push
http://51 [.]81 [.]142 [.]72/submit [.]php?id=2063695750
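The indicators above are defanged ("[.]") so they cannot be clicked, which also means they cannot be matched against logs as-is. The script below is an added example (not part of the article or of ExecuteMalware's research): it refangs the listed URLs, domains and MD5 hashes, then sweeps a constructed proxy log and a constructed file-hash inventory for them. The proxy log format, the sample log lines, the file paths and the placeholder hash are assumptions made for the demonstration. Two practitioner choices are built in: the Google Docs landing pages are matched as full URLs only, because docs.google.com is shared infrastructure and a host match would be pure noise; and a path heuristic derived from the three Hancitor C2 URLs (/<digit>/forum.php) flags check-ins to domains that are not yet on any list.

```python
"""Refang the Hancitor / Ficker / Cobalt Strike IOCs listed above and sweep
constructed proxy log lines and a constructed file-hash inventory for them."""
import re
from urllib.parse import urlparse

# Defanged indicators copied from the list above.
IOC_URLS = [
    "http://mainctional [.]com/8/forum [.]php",
    "http://disrulaytin [.]ru/8/forum [.]php",
    "http://puldefletat [.]ru/8/forum [.]php",
    "http://nvgeeforsegt [.]ru/6jhfa478 [.]exe",
    "http://nvgeeforsegt [.]ru/0303 [.]bin",
    "http://nvgeeforsegt [.]ru/0303s [.]bin",
    "http://sweyblidian [.]com",
    "http://51 [.]81 [.]142 [.]72/uNPI",
    "http://51 [.]81 [.]142 [.]72/push",
    "http://51 [.]81 [.]142 [.]72/submit [.]php?id=2063695750",
    "https://cluebazar [.]com/popularization [.]php",
    "https://mail [.]daunhotmiendong [.]vn/craze [.]php",
    "https://crm [.]basilrealty [.]in/uxoriousness [.]php",
]
# Google Docs landing pages: match the full URL only, never the host.
IOC_EXACT_ONLY = [
    "https://docs [.]google [.]com/document/d/e/2PACX-1vQk1Da72CGqMZMEQG6oXHSE3GPwcfO7p9ipdAFW6DwN1iOx5qhofWn-dtcAJEOHXYhG0X2qOjeEG9K_/pub",
]
IOC_DOMAINS = ["snowequipmentdealer [.]com", "basilrealty [.]in",
               "cluebazar [.]com", "daunhotmiendong [.]vn"]
IOC_MD5 = {
    "8d4d32d950ff5ea791848fefae0c35bb": "Hancitor maldoc",
    "1523d0044c726a057844b09925362ade": "Hancitor maldoc",
    "3f6a65b1cdd3a80bcf48d0df223070ed": "Hancitor payload DLL",
    "77be0dd6570301acac3634801676b5d7": "Ficker Stealer",
    "a46e64f8667a0c1dc2810c92c8453f91": "Cobalt Strike",
    "d7c42ce4f084c429185b994bbdd2fb68": "Cobalt Strike",
}
# Heuristic derived from the three Hancitor C2 URLs above: the check-in path is
# /<digit>/forum.php, so that path on an unlisted domain is still worth a look.
HANCITOR_PATH = re.compile(r"^/\d+/forum\.php$")


def refang(ioc: str) -> str:
    """Turn 'mail [.]example [.]com' style defanging back into a real string."""
    ioc = re.sub(r"\s*\[\.\]\s*", ".", ioc.strip())
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)  # hxxp:// is common in other feeds


def build_sets():
    """Return (exact URL set, host set); hosts come from IOC_URLS and IOC_DOMAINS only."""
    urls = {refang(u) for u in IOC_URLS + IOC_EXACT_ONLY}
    hosts = {urlparse(refang(u)).hostname for u in IOC_URLS} | {refang(d) for d in IOC_DOMAINS}
    return urls, hosts


def host_matches(host: str, hosts: set) -> bool:
    """Exact host or any subdomain of a listed domain (crm.basilrealty.in -> basilrealty.in)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def sweep_proxy_log(lines):
    """Assumed line layout: '<ts> <client> <method> <url> <status>'. Returns (line_no, reason, value)."""
    urls, hosts = build_sets()
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        url = parts[3]
        p = urlparse(url)
        host = p.hostname or ""
        if url in urls:
            hits.append((n, "exact IOC URL", url))
        elif host_matches(host, hosts):
            hits.append((n, "IOC host", host))
        elif HANCITOR_PATH.match(p.path):
            hits.append((n, "Hancitor-style C2 path", url))
    return hits


def sweep_hashes(inventory):
    """inventory: {path: md5}. Returns (path, family) for every listed MD5."""
    return [(path, IOC_MD5[md5.lower()]) for path, md5 in inventory.items()
            if md5.lower() in IOC_MD5]


# Constructed sample data (not from the article) so the script runs stand-alone.
SAMPLE_LOG = [
    "2021-03-03T09:12:44Z 10.0.0.15 POST http://mainctional.com/8/forum.php 200",
    "2021-03-03T09:12:51Z 10.0.0.15 GET http://nvgeeforsegt.ru/0303s.bin 200",
    "2021-03-03T09:13:02Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2021-03-03T09:13:40Z 10.0.0.15 GET https://crm.basilrealty.in/other.php 200",
    "2021-03-03T09:14:10Z 10.0.0.15 POST http://51.81.142.72/submit.php?id=2063695750 200",
    "2021-03-03T09:15:33Z 10.0.0.31 POST http://new-domain.example/4/forum.php 200",
]
SAMPLE_HASHES = {
    r"C:\Users\user\AppData\Roaming\Static.dll": "3f6a65b1cdd3a80bcf48d0df223070ed",
    r"C:\Windows\System32\kernel32.dll": "0" * 32,  # placeholder, not a real hash
}

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_LOG):
        print("proxy:", hit)
    for hit in sweep_hashes(SAMPLE_HASHES):
        print("file :", hit)
```

Run against real proxy data, replace SAMPLE_LOG with the lines from your gateway and adjust the field index in sweep_proxy_log to your log layout; the MD5 sweep expects whatever your EDR or file-inventory export gives you as a path-to-hash mapping. Treat the forum.php path heuristic as a lead to triage, not as a confirmed indicator.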

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, security blogger, and Founder & Author of Soc Investigation.