2021-09-14 Hancitor IOCs

THREAT ATTRIBUTION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1409_rebcx

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
buolata@controlyourperception.com
cosli@controlyourperception.com
cqyoj@controlyourperception.com
d@controlyourperception.com
deutefm@controlyourperception.com
dhovpyo@controlyourperception.com
dyidoju@controlyourperception.com
eseyv@controlyourperception.com
fgot@controlyourperception.com
fi@controlyourperception.com
hdojeaf@controlyourperception.com
i@controlyourperception.com
kylpj@controlyourperception.com
lu@controlyourperception.com
ndmeo@controlyourperception.com
nmis@controlyourperception.com
nyunuhd@controlyourperception.com
opy@controlyourperception.com
oskuehe@controlyourperception.com
qkoify@controlyourperception.com
sajeuis@controlyourperception.com
slaujeg@controlyourperception.com
smigi@controlyourperception.com
toewj@controlyourperception.com
uuyvytl@controlyourperception.com
uxq@controlyourperception.com
uyougeu@controlyourperception.com
xere@controlyourperception.com
xsear@controlyourperception.com
y@controlyourperception.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/adbyjkcymlv/~3/6E6RxC4idCc/containerization.php
http://feedproxy.google.com/~r/agjyh/~3/2Zo3P_OXdyc/stimulant.php
http://feedproxy.google.com/~r/cmijyqilmto/~3/P9h5gL4yxYE/today.php
http://feedproxy.google.com/~r/cmioxegwtdf/~3/ovum9wiEuxM/figurative.php
http://feedproxy.google.com/~r/cwypcpy/~3/TQfARsYXcvY/sauerkraut.php
http://feedproxy.google.com/~r/ekxqwl/~3/H_I1jxo_nVI/floating.php
http://feedproxy.google.com/~r/gcpbmchjfpk/~3/73aBAcw3xiY/splice.php
http://feedproxy.google.com/~r/jaaxd/~3/DZUZwLr9o8k/bribe.php
http://feedproxy.google.com/~r/jnusuuscha/~3/svaCVXMfgcc/pawl.php
http://feedproxy.google.com/~r/jqvakl/~3/c-9qnPWGOK0/palsy.php
http://feedproxy.google.com/~r/kkroh/~3/kh1g0A_-hUU/piece.php
http://feedproxy.google.com/~r/kqfjvr/~3/_tL9zFrCHPc/decapitate.php
http://feedproxy.google.com/~r/ktqvhcsg/~3/AvfX26Gashg/purport.php
http://feedproxy.google.com/~r/nnuesqq/~3/wBUMO93XVb8/allergenic.php
http://feedproxy.google.com/~r/ogkgs/~3/eP7OeKRkyrk/chink.php
http://feedproxy.google.com/~r/qlmrnxrxgr/~3/uEZ_3eBSswo/aura.php
http://feedproxy.google.com/~r/tqyqxvjoxt/~3/mBGFHLDPwUk/subbed.php
http://feedproxy.google.com/~r/tzkomecpvpb/~3/lz2-lRO-C3E/tatter.php
http://feedproxy.google.com/~r/udnzlb/~3/gacshtMoE94/hallucination.php
http://feedproxy.google.com/~r/uiciia/~3/PAyfWvcAK8o/shoddy.php
http://feedproxy.google.com/~r/ulxwu/~3/gccO74RPDCY/whom.php
http://feedproxy.google.com/~r/vbwnuj/~3/cYVM5wP2JIY/despicable.php
http://feedproxy.google.com/~r/yciiv/~3/E48dHJq7Tfs/lyrics.php
http://feedproxy.google.com/~r/ywvhqumv/~3/PhWnQqoQ0Xw/arrant.php
http://feedproxy.google.com/~r/ztywc/~3/Jvd_-55rUyM/superhighway.php

MALDOC REDIRECT URLS
http://api.huokejinglingvip.com/subbed.php
http://arrkcelebrations.com/palsy.php
http://aumatech.fr/aura.php
http://aumatech.fr/splice.php
http://aumatech.fr/stimulant.php
http://fasttrackprojects.com/figurative.php
http://kidshabitat.in/floating.php
http://sample3.khushiyonkazariya.in/hallucination.php
http://shop.zoomania.mu/allergenic.php
http://stepupnetworks.com/containerization.php
http://tiacreation.club/decapitate.php
http://www.preface.com.tn/sauerkraut.php
https://block-b-1.titan2-1.site/superhighway.php
https://shop.zoomania.mu/allergenic.php
https://stepupnetworks.com/containerization.php

arrkcelebrations.com
aumatech.fr
fasttrackprojects.com
huokejinglingvip.com
khushiyonkazariya.in
kidshabitat.in
preface.com.tn
stepupnetworks.com
tiacreation.club
titan2-1.site
zoomania.mu

MALDOC SECONDARY REDIRECT URLS
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21210&authkey=AK372aoD4fVBjco&em=2
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21193&authkey=ANTAWrBc64GsCts&em=2
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21197&authkey=AIXypKYGhRMXnJg&em=2
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21203&authkey=AMVycNZTR3m_z0I&em=2
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21204&authkey=AA7ClgrKP5A5EyA&em=2
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21214&authkey=AOAJAWYwz9CwlTA&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21207&authkey=AH_0yB2Rsayk3_A&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21209&authkey=AH43cw2r32z3_D0&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21212&authkey=AMs1wgPsnswxIws&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21214&authkey=AFWRYYejBcraUjo&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21219&authkey=AJy8r2PoMR7bVZk&em=2
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21226&authkey=AFA10EPjAwD0TPE&em=2

MALDOC REDIRECT DOWNLOAD URLS
https://4u0mwg.dm.files.1drv.com/y4mRz1opehRBpK_EhE8FSaMthM43or-ZwkcRYA8VNB0K9dSZKvV7Ok_dY6VUNx_Wd6_5d3MmFwNU-Uyrm7as-tZKi1YshUO2WjhA3KJZEXpZCxtnDjYK17rFkaW7wXy0iPYUdQDQfZJLTvbV0AnSugKju2F5LLUgpKmP1rcaV08tjPPF4wXXf7k8hLAB9zaEM4KVZMH7ww8y26-8s_IxZdzPw/0914_2075899505898.doc?download&psid=1
https://4u1jig.dm.files.1drv.com/y4m2cYkjEBpZGYf2AhfZ-YMj9wp9tV2NYuycvdQ4n1F97MU5EjzlEeTYOVrjprD6MPGT4SblfBJ_zJu5bVFMl0BPD_wHshgaQGCvKBMAwlernA29R7C4UGTq1yJXUI4KhZkDKLzGFRRHoUfaQlEG5Ea0_R4keJ7gBulxP4pF6tACDeJ8srh3nIDAgT-Vze_zuvja3x35TfvokXTIXTXXp-OEg/0914_904040208988.doc?download&psid=1
https://4u33tw.dm.files.1drv.com/y4mimCov2PczAIb-bnwRhZ-Xekio2bruN1tgnrS4LvzSXxNp6eJ_FM8-oBqdDfwmvwvwezoSTdlukZ4wllmWMTA98_rpjXLZ85alWjh7rTnYEctgpN_oCwZaVGodPfJnDZ3wPuOdQ4fE4-UXnWRZBXVGAVeQ_jwIe-R65snumdRBijyJ6W-ZnzSbCl6MDNrlOKayvIoh9AlTHQB1NCahj0hew/0914_3019562103895.doc?download&psid=1
https://bjrcog.dm.files.1drv.com/y4mjYqFLkKr9W6lM_V_hhNIQ3Lp1sJ7Vh9Ot5dl_u4jtEORCKlZIuc-Yu04eIljEWAvyQd1h8B67USL1Bm8u4asXlr729vsW80zGQt4_RshLCq2w6-NshaNTcBYWg0XtPD-w8boSr6WNWT1oL8HnUhhcyEOX1gbsYr3GdViDTvJft0d-bGiTIiil7C6xk82cGgeyaRnkJwNWxAnC6ChotBXmQ/0914_1650155951556.doc?download&psid=1
https://bjrq0g.dm.files.1drv.com/y4mE03v6mRvwuEGiEAG_Rn5Dr6QxyYmT0m-ADHVGhgoQhLx2elWEwbFSel7ftlQ0LLryeuvvZdBoqTf8U9lKsoVrreAuIMBvenxJVHyWcIIV6rFwo-0rXqRCiQY8VmoMFMmTqxTgkERClLaXA-8wpiHlVvC2JzMYjtQANBoc_0OQYdTVMkxHq_Oo5E20CTukCIVRj25aaGZ6RPyjnsTfdJyEg/0914_17856887810485.doc?download&psid=1
https://canpra.dm.files.1drv.com/y4m98_klV-Eve3ZlvRyuHwFcHF7-0LI8hNVt6JIphXK2G7MVnsiu1poMYBu1TfQL4S86C1-F3ndKwjx1XWl_7mnKpDi7BqtqWDQdFde80a9zbuoPH5vrd--MlU7mJ_Qj7_zRpDlhT53DTrH91imOE1ITVSRNeZ9DpIpPVaB011P5yZx239eltazRY5Ld2EvLbf8DLqLXntzj8N7cyEruDRF4g/0914_2531056223981.doc?download&psid=1
https://lfnu1w.sn.files.1drv.com/y4m0jNbjGlgE_bZzMrPLy_Wj6pjG8MgmW3dSNBov_0wNcxfHs9JD8sC1bBgHeld6Dn7tfOWB9DXBhsnoX3gdZBC3e_1i7kINur9LNMhMigSI-rw6yH24LTJ4Uhvn7qyMnlAEVgwCCo8S6KdnkZlffCWpoNfBXzJ8UYYbkkA3HSZ_VR7cpe-htK4s2ni6CLZdvCmiZh6ihKGWozPQRKzdpE7Kg/0914_4534346255302.doc?download&psid=1
https://oeuvga.dm.files.1drv.com/y4mC5iwZoyw0ogaVSLTw1R0YX8IJy8eg5m-IK0tRe_iUTz4kxblsXBwAWlfgm4vtiXG4siXmECqlc6ZYkU_dT01NbfXCy3NBWL04J39O1YYF-ryRejEu6IrvCzzQ2V8uImaBeosvmyKJHNlrP-4xyyj0di4lJB2kKLqVmRY1Jigw6w4wSsMR5FiNE5u7XLVUwtz_ppshSUKeChEQYwopWIQug/0914_3579239256334.doc?download&psid=1
https://seic6q.dm.files.1drv.com/y4majrQhqZLmNKCAMNBqcBCJsVaYhxAkKUy8zONPYDn-5grap2gW0nNddwcatFkNQLZwntmTp0_99C-cafykrli58jlznUgnGrxem1bXTTMvh4liGoQPgfHnQF5lU4rGH6FvYUmjNySNfZ-v2xVcdS0kcaGYFkbUZTJcQWMp9WWmzmnKlVV86-ZvGgI_OwWC9vW1rJKzHgbik-Et9qBFNaH0A/0914_718257604903.doc?download&psid=1
https://x80btq.sn.files.1drv.com/y4m2mRYZWYBN3gJ2Qtwy8VgSD_klwF4G8U3DLmvX8WxIIFufeuBQSc2hOyA8l0WcTKYbua7y2YApVSQ8QIrjmQ5cRJ0YkgN3C05fhA8HcJgGWaofSGoaoTe1Ir0W63BI9XY2UDoIvbXQ-azvBP3HQuWdRQkxKTCmoEDIYI9VuiQRMhETrquaAMbRoO3DokupDIB3uaV3Ma_ftVP7YuCXHvUew/0914_805958145579.doc?download&psid=1
https://x82qtw.sn.files.1drv.com/y4mUrot7jiaxh8jO7ngccw8McB7Co0V_7ZRw6eH2AfmuezH1IYuVJ4Wvrr_uaJngmsrbphs_Q3g76v9T9JhblRw3JMvi6YCak7cRg-gb0d01QRU6sxA5f-6uMQrrBDB-mo_1cct_BvZg9nmj_qI6I35AASvYLlHTHWNGUyN6jPajVjyHeqN_CsHDodf7k5XPS2DEWIBPS5jtGw8-vKcVD2TVg/0914_1619310183793.doc?download&psid=1
https://x83lyw.sn.files.1drv.com/y4mnrZdFUrna4YR40hsNH1x7JP94G-BDmzm0XETASy6a-msfwk0mrvV07zrlLl6qFLtY8IowuD58Boh4-QLplT8pslAYLnPwZLYAfOaQXjd-lbPjEalFkvH3uMwdPmuPbk1CFzAbDx_SAqRIS5xFKXg8THsmUXIa3LlS1pjqVNLuJcoQ51Q0Ppf9T1nfAmzj0S_B7Ck-_mbR4ERgIvMkil3_w/0914_4318455841562.doc?download&psid=1
https://ykjs8g.sn.files.1drv.com/y4mJswQSsaqGVZs3ruR_TrnpSpUds2G0mrvJnvNRnZ_eJenoyfQPjWDEMydI1B2onx2uvtWlu7YB9-KAwcXOepU2mIeWgAS917DLqcBNz44k-3lxY4hikmhb8AvhRMd0SQj8yuq4RsPdGtR5mwNKZV906AFkngDu--0T2JQIXOAYRP4YDkRx81HdYWq3rPwA__YgTHugQ844m109cXccKkAig/0914_2866530002563.doc?download&psid=1
https://yklykq.sn.files.1drv.com/y4mzkm5iO8B_r3zPIvE4MCd7mHq6BB7TD1eRtnUCGQLi90wnB4u6cuY9mqgZqDf_2tMBOryENwzenfegB4_lsTIOf_pKdahuSzoM7ygnxp7gVIcXZq34zJHmk0lUDJlQI4oZuc55Vz3NKi7fmGYwgt_5049bRbIl8PEYm-Q3iMg9-7S680imZFcCDm8y-g6_iuWJZ2yuRlD1YGf9mMkH21qgQ/0914_904040208988.doc?download&psid=1

MALDOC FILE HASHES
05fa90dd3c3da8d8b28392727ff0e095
26df869ef713a188801eef973a98eb86
29d5d2b0fdb5590d194528a590985f3d
32f27b28463475700b7ac671bacf2958
4840e3adeb1318562117d7291ee9ee72
7cbc4c74870212cf418af8417001c23b
8c64dddea83b10a82dc19ed1407efe5f
901761d685eb5f04e5211a6f67d0ab01
9448c9ea0f64d3dce3f3404882c518ef
a06e9ac4b08671abfb9502dec31160e9
b4c2356a98e9ec1fe578d709f79d9eb2
b62e9c72ea537e5dbc125d41e3e0b0f7
db8169d3473f0079a1850b2d5d5f7861

EMBEDDED DOC FILE HASH
reform.doc
d211706d48cb25c6231697b414887dea

HANCITOR PAYLOAD FILE HASH
hhhh.mp3
9bde38600642743a4f56c455490bbb03

HANCITOR C2
http://belloweek.ru/8/forum.php
http://scorlduce.ru/8/forum.php
http://woureves.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://pohul1nk.ru/1409.bin
http://pohul1nk.ru/1409s.bin

COBALT STRIKE STAGER FILE HASHES
1409.bin
8b33e8d5e0f8e4883319d5e0fc688968

1409s.bin
5bf60d9bab2eb878e48c1efc81eff1bb

COBALT STRIKE BEACON DOWNLOAD URLS
http://149.248.34.65/NlHZ

COBALT STRIKE BEACON FILE HASHES
NlHZ
a1162352e94a7fdf1b011f15686ea26d

COBALT STRIKE C2s
http://149.248.34.65/g.pixel