Threat Intelligence – Hancitor, Trickbot, Bazarcall Latest IOCs

0

Credits : Research by ExecuteMalware


THREAT IDENTIFICATION: HANCITOR

Indicators of Compromise

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service

SENDERS OBSERVED
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com

MALDOC LANDING PAGES
https://docs [.]google [.]com/document/d/e/2PACX-1vQ2QmKqpFfogMSVC5PaSsaG3aYVVrlpRk5ykUbi4euELKRWoMNEZIOQsqBXQ2iP0gaA9PyhSQP1dTJx/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ4zote8gEuHaMs_vq9T8da8zIiArW7owRrmCXq56oiiN_XtlqE9-QVf7mCKoH8GYYiFp2G_65s7bq1/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQedoqW845ToRk9H2w8AuC9uYd37RUAWv33AlX_K_SVMdVPhKe71NT74Q7UWbuwIcxV5BndF7VpmO_3/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQF_sUZFmDtOy6tIeFLHWGEbDS497ZKcFVMv013ITSf_kLqsrCxwwPmIvCkIg5gv-pT7rb-YZKfyOmI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR6wLZmg3E34qGmiQvsLA0jhwAOr5_V5cMXtum2FrGxR-rFMYbNFVoW32ItFaV2e4s8bceF5N6IOAhT/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRA1hRnQ5LijEc6DLtlGdX4NOa1KTLETUI0WciyQXVZdpcMDho3ZKSMprljuCjQkoFx9FBHwpy0oQvQ/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRAt8uzl1p62_2T6X-CDHb0iYDE_UZOAM5Y0NLbdZIbJ4XpI1t-Ist6HpnCusCSRjOSN0IsKWqr-4pe/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRfQ2VQjCBTTRKsu1XfjG-2W_M6V0impjsV_-mjmUKxvzqImizIg4vmFHNLKWUXx3n_GbO9YgBB_uxl/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRhgT8a4ZKzUbsxthYJXGHMuovSqml6q6cJAirtgygKRsE5Lq6aTpjKiOKdK19UfoywMflcaFgYuz1v/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRNIG5voGdaWw6mofrJaA4L1T0KAoma-9H2fD1wFOgxxHZbII0O0FoqYaSdVFsTsBzJJFkhHpjjtgrk/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRTr82FbM795Fniqq0Se-Ib9S2eu35C2EuoXBhSoje1gSozIXrdUZDEYmRupgmF3F5SOKEwB02dLZsb/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRum3WLrjl61awoawdPXeS223ntq50ClQHWeCXXnwwLdMKMcuNmtWuVdYR_nUyo486PjEXH_9LmlQ3n/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSDdQ-bJDFns_M8Z9xR_Qbc1BAXUmqZaSVbdCdH2CgAEEoeZwmspFu5VWSTIqBab64_CsdMZYPZQCR4/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSe94VNCk9NYSFlc0VpxT9XsONIYaQgJbK0xoxjufn49REZr_LcpIb3tjaq6_jwvA1X3FsL5CzZGOv6/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSjdtqS08PUs_hXHi39N5mF8nCj3lI5f2ZWrmghJ9blZbyOahGolAEY02u45IWTqwGRLBJVMW9oB9Ah/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSq4Yn3nN3UfNO7z65n9rMwZ1oQrHM27QSe-6Hp6hS6s-aSm5eDbrV_SJpWwhRf-7HT6C-Qz4SRGJvC/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSQmg3YFKWCexKvJSUEPUIpYZlm3xH08Oc3PCGtscIo99TLRpQX186XHiLa0NCRzWskXGeho6XErspY/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSurUbKdti2dNpxYp4yUU4N810uy-6j6yPeDQAGi-hrmK-zbXoWfM-ZI5cZBGz7hFHSF5shMy70bf1L/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSW8VQwi4g97jnGUEBzPRoIgBnWLGbJYoJ5NuaqSAgUQmnZR3Gk-aX2JREu3xQDpXiuqMLIDuxgPDRK/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSzzBabP5pDKOaS0IhroC7BT_ngOy3gbIBif9qTJ0hh0Q6SIzo8QtRqEWdHdwy770L44lrdGrz6URZM/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTatBAQkEH4gtEbsE7k0eD_n9hvFCBLgjZlLm3x615XorlugjVlJnup0q9BR0stQlE3Y87qcAYIHVhA/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTedYR0WfOe7OPtEEBkrsHiCvzyVrfZBKtKQhPXc3lAIUPpyhSXuU_rToHgyHDGippy1wbBv97iQLp3/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTsjpTTQl8I0UNQHiqIu29gRqWsGTS7hkKPUKrHkLWlV976zSGINvz0QIwn8LzDx7GSmtCWANdrkIWC/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTYhYPSVBUhft26DKSFpf7EAQlS0BjzRmQIazKc3rLPEJmP08Ev7AF7ZLLLYCzod-Oh38YmMF8HZ8Y7/pub

MALDOC DISTRIBUTION URLS
https://cluebazar [.]com/atrocious [.]php
https://cluebazar [.]com/reassembly [.]php
https://erp [.]focusgroupbd [.]com/preparatory [.]php
https://livenetworks [.]com [.]br/lift [.]php
https://locequipamentosbh [.]com [.]br/bowlegged [.]php
https://softwareride [.]com/public/template/plugins/datatables-fixedcolumns/css/astonishes [.]php
https://uniquewebservice [.]com/peonage [.]php
https://webworks [.]nepila [.]com/analgesic [.]php
https://www [.]oacts [.]com/stevedoring [.]php
https://www [.]razwerks [.]com/empiric [.]php
https://www [.]razwerks [.]com/plural [.]php
https://www [.]razwerks [.]com/rah [.]php

cluebazar [.]com
focusgroupbd [.]com
livenetworks [.]com [.]br
locequipamentosbh [.]com [.]br
nepila [.]com
oacts [.]com
razwerks [.]com
softwareride [.]com
uniquewebservice [.]com

HANCITOR MALDOC FILE HASHES
e960bb72d2fde613916fec3938903f73
a2502fa1b2f7c3ee10ba464ea105c74c
eff9684639bef068eb2973f6e3cc4ac4
38fb95d9e5aebb9de5337a877b348417
4aad8d4b96002e1f0ec67c5738a97ff9
9b41f55a0aaf7a3027dc9a81cba9c904
1ceb6115bb50ba5e401af7993cf5b2a7
0f88577f54d19eb2503a44830aee29ce

HANCITOR PAYLOAD FILE HASH
Static [.]dll
5eaea1f20e237257dadfd96e597d8ef4

HANCITOR C2
http://tricilidiany [.]com/8/forum [.]php
http://intaticducalso [.]ru/8/forum [.]php
http://gloporiente [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URLS
http://g1smurt [.]ru/6jiuu8934u [.]exe

FICKER STEALER FILE HASH
6jiuu8934u [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com

COBALT STRIKE DOWNLOAD URLS
http://g1smurt [.]ru/2303 [.]bin
http://g1smurt [.]ru/2303s [.]bin

COBALT STRIKE FILE HASHES
2303 [.]bin
07a39d514646abe8efc39e930dbf74b1

2303s [.]bin
461353de6e2edda219692b64d08a55e7

COBALT STRIKE TRAFFIC
http://74 [.]50 [.]60 [.]96/9Wic
http://74 [.]50 [.]60 [.]96/visit [.]js

9Wic
72326b9238c305a45cf387ce2141d659

Credits : Research by ExecuteMalware

THREAT IDENTIFICATION: TRICKBOT

Indicators of Compromise

SUBJECTS OBSERVED
Auto ID Card Ready to Print #35873856

SENDERS OBSERVED
THOMAS THOMAS

MALDOC FILE HASHES
Id_Card-32213 [.]xlsm
269aab297d58b5e9d137c6cb2028cd49

TRICKBOT PAYLOAD URLS
http://truemerit [.]io/databases/merit [.]php

http://192 [.]3 [.]247 [.]103/images/redbutton [.]png
http://192 [.]3 [.]247 [.]103/images/cutscroll [.]png

TRICKBOT PAYLOAD FILE HASHES
i1zTJfH [.]sitecounter
2ae20b49ac0c8f59eaca5e08a319892c

TRICKBOT C2
https://103 [.]102 [.]220 [.]50
https://115 [.]241 [.]244 [.]185
https://174 [.]105 [.]236 [.]140
https://177 [.]84 [.]63 [.]252
https://185 [.]119 [.]120 [.]213
https://189 [.]195 [.]96 [.]238
https://190 [.]89 [.]3 [.]117
https://36 [.]95 [.]27 [.]243
https://5 [.]202 [.]120 [.]150
https://83 [.]220 [.]115 [.]230

Credits : Research by ExecuteMalware

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
[email protected] [.]com
[email protected] [.]net
[email protected] [.]com [.]br
[email protected] [.]com [.]br
[email protected] [.]nl
[email protected] [.]kimze-online [.]com

SUBJECTS
Do you want to extend your free trial KJR82250995?
Thank you for using your free trial BCS49108273 [.] Time to move on!
Want to extend your free trial BCS87227489?
Want to extend your free trial BCS94578201?
Your free trial BCS74922261 has come to end!
Your free trial KJR05696670 is going to end!
Your free trial KJR20362849 is going to end!
Your free trial KJR38012845 is going to end!
Your free trial KJR90622295 is going to end!
Your free trial RMN70575496 has come to end!

LURE PHONE NUMBER
1 (213) 261-0445
1 (661) 501-2041

MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html

https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php

bluecartservice [.]com
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org

MALDOC FILE HASHES
04021a582f12c54e1023fdcee600111c
38c3650fbd0f86a03b6791aebe9d0c46
3b96e081be068d210a85b55925372567
412db47e93b22ec47c672910e1f85170
a5e1db7b40b1df187d7c4f227ffb316c
a8640287aac9c6468ac03f412382a839
e318ef00212305129aca499d569a741b
fc310563e9b0628f6b5a8567bf3b5133

PAYLOAD DOWNLOAD URL
First a post to:
http://gopigs [.]xyz/campo/u/u

Then downloads:
http://nommac [.]com/malta-app/Malta/node_modules/postcss-merge-rules/dist/retrsd25 [.]exe

PAYLOAD FILE HASH
retrsd25 [.]exe
78388676e1ebde4576357c3727a51787

ADDITIONAL/C2 TRAFFIC
https://52 [.]167 [.]249 [.]196

ADDITIONAL FILES
I also found these files in \Users\public:

42237 [.]j56
0ddece3ffa94e0acffddf867f001a644

42237 [.]xlsb
0ddece3ffa94e0acffddf867f001a644

42237 [.]h5
1462605ccb643532a25098e7fbe323cb

And then later:
42237 [.]j56
c056b7d3999d5110ff1d3bb9c29655b8

42237 [.]xlsb
c056b7d3999d5110ff1d3bb9c29655b8

42237 [.]h5
e80bb5df25aeff934df851df566e3775

All have MZ headers
[.]j56 and [.]xlsb have the same file hash


Previous articleThreat Intelligence – Remcos Trojan Latest IOCs
Next articleThreat Intelligence – Bazarcall Malware Latest IOCs
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here