2021-09-16 Hancitor IOCs

THREAT IDENTIFICATION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1609_dkytr

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
aheoman@developyourperception.com
buobij@developyourperception.com
dopogcu@developyourperception.com
dzbiniy@developyourperception.com
eco@developyourperception.com
emepaaj@developyourperception.com
enyya@developyourperception.com
eorogy@developyourperception.com
eqiuw@developyourperception.com
euywb@developyourperception.com
eyb@developyourperception.com
gaxilek@developyourperception.com
gffxyto@developyourperception.com
ghykavg@developyourperception.com
gii@developyourperception.com
h@developyourperception.com
hikmaj@developyourperception.com
ie@developyourperception.com
ifeyi@developyourperception.com
ihauoje@developyourperception.com
iikaeic@developyourperception.com
jeyo@developyourperception.com
joxagyo@developyourperception.com
jyvaeov@developyourperception.com
kijslgc@developyourperception.com
kuqfek@developyourperception.com
l@developyourperception.com
layve@developyourperception.com
nexyfaq@developyourperception.com
nfuluk@developyourperception.com
qtfiukc@developyourperception.com
ritoq@developyourperception.com
rtibe@developyourperception.com
ruevwja@developyourperception.com
simakeu@developyourperception.com
sixaw@developyourperception.com
uceiree@developyourperception.com
udigyt@developyourperception.com
uhdkr@developyourperception.com
vejayye@developyourperception.com
votgij@developyourperception.com
wuyniha@developyourperception.com
wvy@developyourperception.com
xeoicla@developyourperception.com
xgujnle@developyourperception.com
xocqulu@developyourperception.com
xyfqua@developyourperception.com
y@developyourperception.com
yaemlku@developyourperception.com
yaxyb@developyourperception.com
yodi@developyourperception.com
yrxl@developyourperception.com
zveaduu@developyourperception.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/nrpsgvqa/~3/ZuZc9QrMAwc/coulee.php
http://feedproxy.google.com/~r/bdsbxnk/~3/8njdEmcj5uQ/prestigious.php
http://feedproxy.google.com/~r/boldiomahg/~3/Kc_1UmTzErk/attempter.php
http://feedproxy.google.com/~r/cikrzdvqxxn/~3/jcm6I-YQS7o/southwestward.php
http://feedproxy.google.com/~r/daphykjdoy/~3/GIy56Lmg3Dg/brasilia.php
http://feedproxy.google.com/~r/dlqxslcb/~3/eGol3CW6BHw/substandard.php
http://feedproxy.google.com/~r/dryopxmir/~3/TYiMp5120IE/refining.php
http://feedproxy.google.com/~r/eztnamnnli/~3/hpKLuQW4-rU/accrue.php
http://feedproxy.google.com/~r/fxfnqtnag/~3/g1SqGWzG3WE/subtracted.php
http://feedproxy.google.com/~r/ggeeyz/~3/Kc_1UmTzErk/attempter.php
http://feedproxy.google.com/~r/gmnpkjxdv/~3/fky7X2dlhKI/colossal.php
http://feedproxy.google.com/~r/gtrxgxw/~3/yAGQx8q-DfQ/incorporeal.php
http://feedproxy.google.com/~r/iroerlzvmn/~3/mlQvtyCbuTY/contrast.php
http://feedproxy.google.com/~r/ivibsypga/~3/X9abXta23w4/african.php
http://feedproxy.google.com/~r/jgtktps/~3/h2PK4ZHKhOQ/photographer.php
http://feedproxy.google.com/~r/jmrrqkhvf/~3/yAGQx8q-DfQ/incorporeal.php
http://feedproxy.google.com/~r/kgodkskn/~3/hgmL1_JnJok/wore.php
http://feedproxy.google.com/~r/kgttfz/~3/-vH2NCSQ3X8/hydrology.php
http://feedproxy.google.com/~r/mhvedgtqr/~3/8NEEeH9UvoA/unworried.php
http://feedproxy.google.com/~r/mytali/~3/W3Ytkz_weh4/swish.php
http://feedproxy.google.com/~r/nqocl/~3/ftrjTexWHE8/inevitable.php
http://feedproxy.google.com/~r/nrpsgvqa/~3/ZuZc9QrMAwc/coulee.php
http://feedproxy.google.com/~r/oenjp/~3/Jij3BscThe4/lest.php
http://feedproxy.google.com/~r/pfksbzzxnya/~3/MEnYP5C53os/smoothing.php
http://feedproxy.google.com/~r/qrscorw/~3/Tpe1WcYIKjA/elucidate.php
http://feedproxy.google.com/~r/rogeita/~3/-R4197zplyg/turnstile.php
http://feedproxy.google.com/~r/sofjheim/~3/WnfcFP63SwM/pip.php
http://feedproxy.google.com/~r/svjudvavgpk/~3/LtoMIxTFkOg/honourable.php
http://feedproxy.google.com/~r/taosolxrx/~3/e010F4e3gpo/nigger.php
http://feedproxy.google.com/~r/tnugquv/~3/oTt4OFRnU70/ungrudging.php
http://feedproxy.google.com/~r/tzoedegwhkx/~3/6FDlejVE9Y0/accentual.php
http://feedproxy.google.com/~r/uujqhjvia/~3/h14QTVlqzI0/sinless.php
http://feedproxy.google.com/~r/uxysrft/~3/Nlo9oocjOhk/deducibility.php
http://feedproxy.google.com/~r/vdhovux/~3/Zkrfz1rG6OA/popularize.php
http://feedproxy.google.com/~r/vsrha/~3/B5zagxqsQV8/ghoulish.php
http://feedproxy.google.com/~r/vypqvtxjzri/~3/AHLxPtogzPw/insipient.php
http://feedproxy.google.com/~r/xldxyskcsfr/~3/AtII0lyTRRU/participating.php
http://feedproxy.google.com/~r/yakjl/~3/X9abXta23w4/african.php
http://feedproxy.google.com/~r/ydxhm/~3/XRIwhemSaLw/multiple.php
http://feedproxy.google.com/~r/yrkajpyigl/~3/AHLxPtogzPw/insipient.php
http://feedproxy.google.com/~r/zmjkz/~3/c7FTJ19xGCY/intourist.php

MALDOC REDIRECT URLS
http://covid-19.mgkanyasangliedu.in/multiple.php
http://covid-19.mgkanyasangliedu.in/southwestward.php
http://fluidfilm.bg/accentual.php
http://fluidfilm.bg/insipient.php
http://fluidfilm.bg/turnstile.php
http://ivan-li.ru/deducibility.php
http://ivan-li.ru/hydrology.php
http://ivan-li.ru/subtracted.php
http://natefoto.com/accrue.php
http://sample3.khushiyonkazariya.in/nigger.php
http://sample3.khushiyonkazariya.in/participating.php
http://sample3.khushiyonkazariya.in/substandard.php
http://service.pizmedia.web.id/popularize.php
http://test.allbester.ru/honourable.php
http://test.allbester.ru/incorporeal.php
http://test.allbester.ru/swish.php
https://block-b-1.titan2-1.site/colossal.php
https://block-b-1.titan2-1.site/refining.php
https://block-b-1.titan2-1.site/ungrudging.php
https://cakefrostofficial.com/african.php
https://cakefrostofficial.com/intourist.php
https://cakefrostofficial.com/pip.php
https://cakefrostofficial.com/sinless.php
https://demo.exclusivev2.uproducts.in/brasilia.php
https://demo.exclusivev2.uproducts.in/prestigious.php
https://fluidfilm.bg/accentual.php
https://fluidfilm.bg/insipient.php
https://fluidfilm.bg/turnstile.php
https://forfacks.com/ghoulish.php
https://iamjitenpatel.com/attempter.php
https://iamjitenpatel.com/inevitable.php
https://ivan-li.ru/hydrology.php
https://ivan-li.ru/subtracted.php
https://jumabar.co.uk/contrast.php
https://jumabar.co.uk/unworried.php
https://natefoto.com/accrue.php
https://service.pizmedia.web.id/popularize.php
https://start360up.com/lest.php
https://start360up.com/photographer.php
https://start360up.com/smoothing.php
https://start360up.com/wore.php
https://test.allbester.ru/honourable.php
https://test.allbester.ru/incorporeal.php
https://test.allbester.ru/swish.php
https://whizcraft.co.uk/coulee.php
https://whizcraft.co.uk/elucidate.php

allbester.ru
cakefrostofficial.com
fluidfilm.bg
forfacks.com
iamjitenpatel.com
ivan-li.ru
jumabar.co.uk
khushiyonkazariya.in
mgkanyasangliedu.in
natefoto.com
pizmedia.web.id
start360up.com
titan2-1.site
uproducts.in
whizcraft.co.uk

MALDOC FILE HASHES
09e8460dd13d84399e7b509fd6493b2a
0dfbc1800b413d84f0e344d1cec93bac
1ad180d2efaec0487147ff46f5fb21da
24f18ef44d710995a2c89bdc31c2ca84
2e860a0da5d1976876d2b11a2eccf9d8
4aa7a5c8cd05e054c64afbcc7c476f9a
4bf54562f85bd71baf5e1490ea18f125
674e59f9081416895934f0adfc98ff2f
8cd8d45a85d056dbc2bba1733df76da4
8fcb23057f40e7dca84b9306a1f19a5d
94ca9b76fef2b2fcbce4ff10892ca4c4
997795d82887d67094018044245a610a
9ba77e9d1f03ac68aeb8cad8215c7356
a130ddd1b583e2bbd4837e0e6d6c7a9d
a329a3392f65608d19bb880eab687e89
a49e7fcc25826c10265a5e3eb2a1ac3d
a6bb2ccac27845e07f6f05c6454f42c0
ae42678944bc82b25b5f204b596160d2
b34d1f1a53f72af0daa142f38e6833c0
bbf103ac09902d361965e4655dfcbeea
c1a028b774012eb44e3ca7090dee2732
df3648229c94fb3948e7bf1eb22c3e4e

EMBEDDED DOC FILE HASH
reform.doc
eef8a36d966a38817d6c9e5c06933207

HANCITOR PAYLOAD FILE HASH
hhhh.mp3
5adfe28532fec9b193ab50ddf186d31f

HANCITOR C2
http://agarreaters.ru/8/forum.php
http://plivatecez.com/8/forum.php
http://weratiands.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://atrutr0n.ru/1409.bin
http://atrutr0n.ru/1409s.bin

COBALT STRIKE STAGER FILE HASHES
1409.bin
3af696a511c8d46fd3b17dae9437d7f4

1409s.bin
dcc37a2d1bb022bff02962ca7ebcae7c

COBALT STRIKE BEACON DOWNLOAD URLS
https://45.66.158.14/sZAN
http://45.66.158.14/WtOB

COBALT STRIKE BEACON FILE HASHES
WtOB
6c497d1afcb6cfc2bf185215360dc04e

sZAN
6c497d1afcb6cfc2bf185215360dc04e

COBALT STRIKE C2s
http://139.60.161.228/en_US/all.js
https://139.60.161.228/fwlink