Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering, mainly phishing emails that carry a malicious link or a weaponized Microsoft Office document containing a malicious macro. Below are the latest observed indicators of compromise.
Credits: Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE
EMAIL SUBJECTS OBSERVED
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Service
You received invoice from DocuSign Electronic Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service
EMAIL SENDERS OBSERVED
MALDOC LANDING PAGE URLS
MALDOC DISTRIBUTION URLS
https://cluebazar [.]com/popularization [.]php
https://mail [.]daunhotmiendong [.]vn/craze [.]php
https://crm [.]basilrealty [.]in/uxoriousness [.]php
basilrealty [.]in
cluebazar [.]com
daunhotmiendong [.]vn
HANCITOR MALDOC FILE HASHES
0303_11021160093261 [.]doc
8d4d32d950ff5ea791848fefae0c35bb
0303_9589344049041 [.]doc
1523d0044c726a057844b09925362ade
HANCITOR PAYLOAD FILE HASH
Static [.]dll
3f6a65b1cdd3a80bcf48d0df223070ed
HANCITOR C2
http://mainctional [.]com/8/forum [.]php
http://disrulaytin [.]ru/8/forum [.]php
http://puldefletat [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URLS
http://nvgeeforsegt [.]ru/6jhfa478 [.]exe
FICKER STEALER FILE HASH
6jhfa478 [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
COBALT STRIKE PAYLOAD URLS
http://nvgeeforsegt [.]ru/0303 [.]bin
http://nvgeeforsegt [.]ru/0303s [.]bin
COBALT STRIKE FILE HASHES
0303s [.]bin
a46e64f8667a0c1dc2810c92c8453f91
0303 [.]bin
d7c42ce4f084c429185b994bbdd2fb68
COBALT STRIKE TRAFFIC
http://51 [.]81 [.]142 [.]72/uNPI
http://51 [.]81 [.]142 [.]72/push
http://51 [.]81 [.]142 [.]72/submit [.]php?id=2063695750