2021-10-27 Hancitor IOCs

THREAT IDENTIFICATION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=2610_cxe

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
a@revconstructioninc.com
aiara@revconstructioninc.com
aimexhs@revconstructioninc.com
ajsi@revconstructioninc.com
avxwxoo@revconstructioninc.com
azye@revconstructioninc.com
bo@revconstructioninc.com
dbrwy@revconstructioninc.com
dnahykp@revconstructioninc.com
glizyqi@revconstructioninc.com
iseped@revconstructioninc.com
luu@revconstructioninc.com
mgivvki@revconstructioninc.com
muyaiqq@revconstructioninc.com
mzyiwyo@revconstructioninc.com
o@revconstructioninc.com
oreon@revconstructioninc.com
ouddoze@revconstructioninc.com
overiii@revconstructioninc.com
ppeye@revconstructioninc.com
ptamwe@revconstructioninc.com
pular@revconstructioninc.com
qirikol@revconstructioninc.com
rodaffq@revconstructioninc.com
rupcvq@revconstructioninc.com
sidoyla@revconstructioninc.com
sjycy@revconstructioninc.com
smoi@revconstructioninc.com
sqwah@revconstructioninc.com
upiaput@revconstructioninc.com
volxe@revconstructioninc.com
vyjuoyv@revconstructioninc.com
vyx@revconstructioninc.com
wcatu@revconstructioninc.com
x@revconstructioninc.com
ynunoid@revconstructioninc.com
yuxan@revconstructioninc.com
zfoucuv@revconstructioninc.com
zp@revconstructioninc.com
zveroz@revconstructioninc.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/acdqpwomvsy/~3/OqPE4LDcjrg/enhancement.php
http://feedproxy.google.com/~r/axsog/~3/dwUXQw5_YpM/onslaught.php
http://feedproxy.google.com/~r/azltqhzautz/~3/Vq-uGOewPFE/amoebae.php
http://feedproxy.google.com/~r/bqotlhet/~3/O9uHE5CCeRA/temerarious.php
http://feedproxy.google.com/~r/bqqjy/~3/8aRZowzAUzw/distributive.php
http://feedproxy.google.com/~r/clhqsk/~3/FWb9_BjtA0M/thine.php
http://feedproxy.google.com/~r/cvkqjnjtb/~3/PPRJBqbU9RI/create.php
http://feedproxy.google.com/~r/fwcnuf/~3/4_OqFbXXw0k/bubo.php
http://feedproxy.google.com/~r/ganujs/~3/vkkQFV_Dtuo/faxswitch.php
http://feedproxy.google.com/~r/gmkdubu/~3/pCuxosw0xxc/quixotic.php
http://feedproxy.google.com/~r/hxvzlwhszp/~3/oiMw7uGZBS0/trepidation.php
http://feedproxy.google.com/~r/ifusiiywemm/~3/o-lhkCiKr34/snuffling.php
http://feedproxy.google.com/~r/jjtna/~3/w_PZXnuE11Q/pleasing.php
http://feedproxy.google.com/~r/jqsrwovxu/~3/aZnKmLsfTKo/crawl.php
http://feedproxy.google.com/~r/juxjadaaey/~3/PdWEu_WphoE/tenterhook.php
http://feedproxy.google.com/~r/krfverdxp/~3/AnmBluxCMv4/viral.php
http://feedproxy.google.com/~r/ldkdkxdc/~3/4Z4ko8L0gjQ/competency.php
http://feedproxy.google.com/~r/nbexrjumgn/~3/F6bZuUG_4LY/peeking.php
http://feedproxy.google.com/~r/nonolli/~3/1UEpu-SKs2U/sacroiliac.php
http://feedproxy.google.com/~r/npebmar/~3/SHkCE-X-pP0/barf.php
http://feedproxy.google.com/~r/oxbuutdu/~3/mDLXGqLXr-0/missionary.php
http://feedproxy.google.com/~r/ppvwcfpnex/~3/4p7yE5QxDus/monoboard.php
http://feedproxy.google.com/~r/psoizymw/~3/eIkCoY61UP8/squeezed.php
http://feedproxy.google.com/~r/qatpa/~3/JkxZOv2v9ZA/bacteriologist.php
http://feedproxy.google.com/~r/qfpopystj/~3/-X-SrSezl5I/hick.php
http://feedproxy.google.com/~r/qooauocapc/~3/N6iAJpO2uJg/truancy.php
http://feedproxy.google.com/~r/qoyzbp/~3/ekh8dPHR6dg/titmice.php
http://feedproxy.google.com/~r/rhkiwbxc/~3/EVBoOLOMMmQ/pursuer.php
http://feedproxy.google.com/~r/utbfwdzrux/~3/2maIhLYweSk/underdone.php
http://feedproxy.google.com/~r/utynfqjt/~3/qGzb2yc-YQM/discolored.php
http://feedproxy.google.com/~r/xxihtp/~3/r_7-q62X03c/grinding.php
http://feedproxy.google.com/~r/yczfgzxvlg/~3/98QPnzqtstA/sinewy.php
http://feedproxy.google.com/~r/yljgwrge/~3/hkluSZLo3A8/expedited.php
http://feedproxy.google.com/~r/ynznf/~3/4kInaz6ZCEE/antiviral.php
http://feedproxy.google.com/~r/yzbakgcpe/~3/cjlo74uY_rc/forenoon.php
http://feedproxy.google.com/~r/zkezs/~3/mNSo1aIT9cg/studiously.php

MALDOC REDIRECT URLS
http://dev.promoscredits.com/expedited.php
http://dev.promoscredits.com/pursuer.php
http://dev.springbreaklife.com/tour/content/021815_redneck_twerk_contest_D021815/crawl.php
http://francdoc.webdev-wazoomstudio.online/trepidation.php
http://hewadexchange.com/temerarious.php
https://dev.promoscredits.com/expedited.php
https://francdoc.webdev-wazoomstudio.online/trepidation.php
https://hewadexchange.com/temerarious.php
https://iptel.cy/thine.php

hewadexchange.com
iptel.cy
promoscredits.com
springbreaklife.com
webdev-wazoomstudio.online

MALDOC FILE HASHES
0def3267f4f4eff1944f6dd7630e64c0
6bb281d9b5f02abd5f49f574a4501375
b2c0be02b0e8b12d42942b05fd81328e
c699150fcfed8bbae6334723e2e7657e
ca1a5c90330a23fcf4a67a13af23a6fc

EMBEDDED MALDOC FILE HASH
zoro.doc
ee879ba2ab61f42bcfaf5085c392ce7a

HANCITOR PAYLOAD FILE HASH
gelforr.dap
86f065892d619ff64bcafe30290bad4f

HANCITOR C2
http://indiscort.ru/8/forum.php
http://ottedince.com/8/forum.php
http://tremilline.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://indisc0rt.ru/51.bin
http://indisc0rt.ru/51s.bin

COBALT STRIKE STAGER FILE HASHES
51.bin
7645620877e5023fedd76ce35210057b

51s.bin
a8f44dbfdf08473a50eb16e406ceba87

COBALT STRIKE BEACON DOWNLOAD URLS
http://51.81.13.141/HvZD
http://51.81.13.141:443/iPSP

COBALT STRIKE BEACON FILE HASHES
HvZD
6092497ca41ebbb12c42cc37424652a7

iPSP
dfbdaabea9fe7f3bdde37214ebfaca8a

COBALT STRIKE C2s
http://162.244.83.95:443/fwlink
http://51.81.13.141/g.pixel