2021-08-18 Hancitor IOCs
THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE
HANCITOR BUILD NUMBER
BUILD=1808_plfr
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
MALDOC PROXY DISTRIBUTION URLS
MALDOC REDIRECT DOWNLOAD URLS
MALDOC FILE HASHES
0594fde7fa0e58e13bffe639ea7e430a
1208798c48f601e05823afdcbdcdb9b7
59c81abe59ecc24d5b34e2530b3a4e6b
a397188d3d27c101ecb3791f9edb5ff7
dc55c8b1b5b2fdeefae79a432fb2f49d
EMBEDDED DOC FILE HASH
glib.doc
ac6aa3d48029b449e6c4d333dcceec74
HANCITOR PAYLOAD FILE HASH
yefff.dll
7d947a3d37f370b12fec5f1df82dfd1e
HANCITOR C2
http://counteent.ru/8/forum.php
http://madmilons.com/8/forum.php
http://simatereare.ru/8/forum.php
COBALT STRIKE STAGER DOWNLOAD URLS
http://solovin0.ru/1808.bin
http://solovin0.ru/1808s.bin
COBALT STRIKE STAGER FILE HASHES
1808.bin
5876362c914e9e69ce51d03cdfcbf83c
1808s.bin
d70a040f65ec0e3437e12dc7b7da7c4c
COBALT STRIKE BEACON DOWNLOAD URL
http://69.49.230.29/UBxM