2021-09-09 Hancitor IOCd

THREAT IDENTIFICATION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=0909_zyap

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
agynipq@buildyourperception.com
alacmu@buildyourperception.com
amanzuv@buildyourperception.com
cesiuh@buildyourperception.com
cjxev@buildyourperception.com
cytenuy@buildyourperception.com
eanqpzn@buildyourperception.com
edypioo@buildyourperception.com
epjotdu@buildyourperception.com
eugy@buildyourperception.com
exixuvf@buildyourperception.com
gda@buildyourperception.com
gezarxa@buildyourperception.com
gny@buildyourperception.com
goprc@buildyourperception.com
gylyu@buildyourperception.com
ifdvybh@buildyourperception.com
ihqyb@buildyourperception.com
imjiho@buildyourperception.com
isarywu@buildyourperception.com
lfmfod@buildyourperception.com
myjej@buildyourperception.com
n@buildyourperception.com
nwuryo@buildyourperception.com
oadchuq@buildyourperception.com
ocia@buildyourperception.com
odiyaqu@buildyourperception.com
ortuf@buildyourperception.com
pitj@buildyourperception.com
saczaz@buildyourperception.com
swotsy@buildyourperception.com
taapei@buildyourperception.com
tacgi@buildyourperception.com
tjireqd@buildyourperception.com
turroe@buildyourperception.com
uenin@buildyourperception.com
ulhoy@buildyourperception.com
v@buildyourperception.com
vneyiac@buildyourperception.com
vuwojg@buildyourperception.com
xkdyl@buildyourperception.com
ykobxyo@buildyourperception.com
yoeixyi@buildyourperception.com
zbihami@buildyourperception.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/ayaqatksu/~3/KKaUYo8u9Uo/affordably.php
http://feedproxy.google.com/~r/chdlhxulsi/~3/bFYzqqyN_5g/implode.php
http://feedproxy.google.com/~r/ckihqm/~3/nLzL-0QVuJ0/marshal.php
http://feedproxy.google.com/~r/cqbooaqsb/~3/UHuFvcdA1ZE/prefab.php
http://feedproxy.google.com/~r/dctgachgm/~3/EyqptEVV8So/coreligionist.php
http://feedproxy.google.com/~r/domygsmrrs/~3/XBcs8ywlqXc/resolute.php
http://feedproxy.google.com/~r/dytrmfvq/~3/eunSyFIk0LQ/subjection.php
http://feedproxy.google.com/~r/fimptiivnos/~3/XSuT1ZjfmhI/toolbox.php
http://feedproxy.google.com/~r/fnizs/~3/obv_cqSlGLM/affordably.php
http://feedproxy.google.com/~r/hiwhladgg/~3/6JqGEvGhB3k/coatroom.php
http://feedproxy.google.com/~r/hxauvicrzwv/~3/E2ix2vjM6Bc/lithuanian.php
http://feedproxy.google.com/~r/istaihhm/~3/k0R_Z1tGWZg/zap.php
http://feedproxy.google.com/~r/jhbmnea/~3/1Slk64BZHfw/redhead.php
http://feedproxy.google.com/~r/jiycllchrnb/~3/GEcv6WMArRk/pastelist.php
http://feedproxy.google.com/~r/kwawnh/~3/O5iaj7-u-tA/schools.php
http://feedproxy.google.com/~r/lpapjxkqeif/~3/qWp_MHrrOt0/niece.php
http://feedproxy.google.com/~r/lysgfpgvld/~3/vos1VPHYKrU/aortic.php
http://feedproxy.google.com/~r/mrvqaoxfn/~3/XBcs8ywlqXc/resolute.php
http://feedproxy.google.com/~r/nqzprzswysb/~3/Pk5oIfZXehA/trundle.php
http://feedproxy.google.com/~r/odhcnrw/~3/tW-wRCmmFF8/unshielded.php
http://feedproxy.google.com/~r/pkrct/~3/bTntvy7WkaQ/dicotyledonous.php
http://feedproxy.google.com/~r/pmlme/~3/6eB5okSh2Es/prometheus.php
http://feedproxy.google.com/~r/qlirzpnkgg/~3/PQl146ocP-k/pedagogy.php
http://feedproxy.google.com/~r/rebcyip/~3/WtRrS7g0jWM/seeding.php
http://feedproxy.google.com/~r/stvrtojjpa/~3/Y6ZYFD1Msuc/yang.php
http://feedproxy.google.com/~r/tgnrfblw/~3/k3QAKOOXbDI/theosophist.php
http://feedproxy.google.com/~r/tyrserlcret/~3/6PCM40qG5nU/aggregative.php
http://feedproxy.google.com/~r/tyzgkyfvk/~3/k0R_Z1tGWZg/zap.php
http://feedproxy.google.com/~r/tzfosxhw/~3/M9js6BjYRn0/acarpelous.php
http://feedproxy.google.com/~r/vlbdadaclwp/~3/NOd5dr1MKLw/arrhythmias.php
http://feedproxy.google.com/~r/wfmgqalpee/~3/14SWNbimXZQ/strolling.php
http://feedproxy.google.com/~r/wpmhjmkgnvc/~3/jC6TC9djC0A/ample.php
http://feedproxy.google.com/~r/xayrfta/~3/a9K8ZPTBub0/trillium.php
http://feedproxy.google.com/~r/zbjuikjbfx/~3/yeWOZZ7RX1c/wracked.php
http://feedproxy.google.com/~r/zmfmygrmys/~3/GVxcGYh6u_s/neighborhood.php
http://feedproxy.google.com/~r/zuygdqnf/~3/LyhnHuwNaaA/dran.php

MALDOC REDIRECT DOWNLOAD URLS
http://ah.btp-inc.ca/yang.php
http://ani-immigration.com/unshielded.php
http://dermasmart.org/neighborhood.php
http://futurespace.orbitships.org/pastelist.php
http://newdevjyq.devjyq.com/toolbox.php
http://salonways.com/dicotyledonous.php
http://salonways.com/redhead.php

ani-immigration.com
btp-inc.ca
dermasmart.org
devjyq.com
orbitships.org
salonways.com

MALDOC FILE HASHES
6efcbcc36340f4f4c54b3410ab72091c
2f7f25afc1699d8bc376552bcef67a09

EMBEDDED DOC FILE HASH
reform.doc
6ef57b9ce972938abc0f04b368ce8443

HANCITOR PAYLOAD FILE HASH
hhhh.mp3
93550847b83aa1c0d367a60ed4de0e4c

HANCITOR C2
http://calloyean.ru/8/forum.php
http://fulgeterly.ru/8/forum.php
http://goramilly.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://furu7nu.ru/0909.bin
http://furu7nu.ru/0909s.bin

COBALT STRIKE STAGER FILE HASHES
0909.bin
8270b7dc614041c96f860ae0c563087f

0909s.bin
202da014c544091cbcbcbb447629adbe

COBALT STRIKE BEACON DOWNLOAD URLS
https://107.155.127.246/jcCL
http://107.155.127.246/eGXX

COBALT STRIKE BEACON FILE HASHES
eGXX
e56b336cfbbfbe97b835f72bbd6a68da

jcCL
bd1afec6332b7133bd88297a77fd8334

COBALT STRIKE C2s
https://107.155.127.246/j.ad
http://107.155.127.246/fwlink