2021-09-13 Hancitor IOCs

THREAT IDENTIFICATION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1309_memq

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
ahyeli@commandyourperception.com
avabwox@commandyourperception.com
aypksi@commandyourperception.com
b@commandyourperception.com
baoabuh@commandyourperception.com
bosix@commandyourperception.com
bz@commandyourperception.com
cpciaqi@commandyourperception.com
cydekne@commandyourperception.com
efymicy@commandyourperception.com
eilhtyt@commandyourperception.com
ekiusiz@commandyourperception.com
enanolo@commandyourperception.com
frqawa@commandyourperception.com
fuodjz@commandyourperception.com
gi@commandyourperception.com
golrydt@commandyourperception.com
hxhus@commandyourperception.com
hy@commandyourperception.com
i@commandyourperception.com
ilrqike@commandyourperception.com
ioifoqp@commandyourperception.com
jygcyg@commandyourperception.com
kaewa@commandyourperception.com
kiolbvu@commandyourperception.com
lgz@commandyourperception.com
m@commandyourperception.com
maacqul@commandyourperception.com
migidh@commandyourperception.com
namodov@commandyourperception.com
nb@commandyourperception.com
nikecw@commandyourperception.com
nuowoge@commandyourperception.com
o@commandyourperception.com
oekqgt@commandyourperception.com
of@commandyourperception.com
oissyn@commandyourperception.com
ojkuiro@commandyourperception.com
okewaer@commandyourperception.com
p@commandyourperception.com
paxpfac@commandyourperception.com
qelijut@commandyourperception.com
qeyaocp@commandyourperception.com
reivz@commandyourperception.com
remao@commandyourperception.com
rituda@commandyourperception.com
son@commandyourperception.com
swuayp@commandyourperception.com
syxl@commandyourperception.com
taynugy@commandyourperception.com
txxybxy@commandyourperception.com
u@commandyourperception.com
ucryby@commandyourperception.com
uogwo@commandyourperception.com
utid@commandyourperception.com
uviwa@commandyourperception.com
wom@commandyourperception.com
woypux@commandyourperception.com
wra@commandyourperception.com
xa@commandyourperception.com
xatipmo@commandyourperception.com
xozeoqn@commandyourperception.com
xpyraxa@commandyourperception.com
yeoxuly@commandyourperception.com
yhyuvda@commandyourperception.com
zbytjl@commandyourperception.com
zelusac@commandyourperception.com
zutedxe@commandyourperception.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/ntrfyl/~3/z64i_E_CoCc/cavalry.php
http://feedproxy.google.com/~r/cfnhm/~3/O_Lf49_zjsE/rarefaction.php
http://feedproxy.google.com/~r/niytxxts/~3/qXRqB1WF1kQ/wader.php
http://feedproxy.google.com/~r/awujzflnwa/~3/HH9-c5aMS1c/procurer.php
http://feedproxy.google.com/~r/zhulf/~3/p-7H-CvcxmY/adenoid.php
http://feedproxy.google.com/~r/cqmciny/~3/WLqk7-qxxYw/summery.php
http://feedproxy.google.com/~r/ydqtmues/~3/RSjONxP69n4/foghorn.php
http://feedproxy.google.com/~r/ggclulzqonp/~3/eRLsryfGlrY/gumption.php
http://feedproxy.google.com/~r/pieridcfck/~3/7wrcrSgeQSk/defuse.php
http://feedproxy.google.com/~r/ldcmifu/~3/3LDDY9Zvi8Q/impenetrable.php
http://feedproxy.google.com/~r/bqvmaadtx/~3/SEkbmmJ9Vqg/strophe.php
http://feedproxy.google.com/~r/xvcxhesoktk/~3/5kjxtLlGWIo/frozen.php
http://feedproxy.google.com/~r/ptjgq/~3/iJRqOTNMV5w/anticorrosives.php
http://feedproxy.google.com/~r/uuytxzzozbt/~3/clFqWiuE7vc/grace.php
http://feedproxy.google.com/~r/pmktknqxnp/~3/oqwTp-PdJsY/timorousness.php
http://feedproxy.google.com/~r/milkhuti/~3/-rUTJGt6QiE/abaca.php
http://feedproxy.google.com/~r/fcauau/~3/oM7MiZzBJhQ/amended.php
http://feedproxy.google.com/~r/xzvqfrizrf/~3/qFc_wdisLpQ/customization.php
http://feedproxy.google.com/~r/ixkfquerq/~3/rmrATh3h8zg/waver.php
http://feedproxy.google.com/~r/fdlrjobirq/~3/0wLiftLXi1c/greeting.php
http://feedproxy.google.com/~r/ppohvcctrn/~3/80FX_kQlEdI/compiler.php
http://feedproxy.google.com/~r/mcyjtmmfg/~3/2f7tl4o9PNQ/flamingo.php
http://feedproxy.google.com/~r/euqqwdtwkl/~3/1qtJn8B_o5c/shaky.php
http://feedproxy.google.com/~r/azxcoeix/~3/LECPQBlW19k/revulsion.php
http://feedproxy.google.com/~r/srwmssln/~3/5kjxtLlGWIo/frozen.php
http://feedproxy.google.com/~r/rucorvbra/~3/iWLZywISUWo/armlessly.php
http://feedproxy.google.com/~r/txtdwhcjf/~3/bhHMdQId6F0/icing.php
http://feedproxy.google.com/~r/smvdbpiyou/~3/uIVuL-dNmgU/unhurried.php
http://feedproxy.google.com/~r/xvqinkjxj/~3/j2xm8LT5Hrk/underpin.php
http://feedproxy.google.com/~r/lbtbd/~3/iWLZywISUWo/armlessly.php
http://feedproxy.google.com/~r/tvcknfhwnzl/~3/bo1jApVN7To/perfunctory.php
http://feedproxy.google.com/~r/lookcdgjab/~3/ZC4CdbHeVe8/coprimes.php
http://feedproxy.google.com/~r/mskotaa/~3/bo1jApVN7To/perfunctory.php
http://feedproxy.google.com/~r/sgjco/~3/7cROInbFUKE/bicameral.php
http://feedproxy.google.com/~r/kcpenjqz/~3/yZ7qKGY_P6c/conversion.php
http://feedproxy.google.com/~r/tjgtkbjzdpg/~3/RXXbNcZTyHc/pleistocene.php
http://feedproxy.google.com/~r/bkgqd/~3/uIVuL-dNmgU/unhurried.php
http://feedproxy.google.com/~r/oacyfx/~3/EdZ-Rb_-MMA/quarterly.php
http://feedproxy.google.com/~r/eegdufbj/~3/tpGMlD83nNk/hydraulics.php
http://feedproxy.google.com/~r/lrrtsfh/~3/brhXnW3Qvlg/objectless.php
http://feedproxy.google.com/~r/yyhggxr/~3/0wLiftLXi1c/greeting.php
http://feedproxy.google.com/~r/yyqshgi/~3/N-LSXkyhTg8/impolitic.php

MALDOC REDIRECT DOWNLOAD URLS
http://8.210.133.129/cavalry.php
http://8.210.133.129/customization.php
http://alihamzapso.smsoft.pk/pleistocene.php
http://alihamzapso.smsoft.pk/underpin.php
http://ani-immigration.com/summery.php
http://api.masjidy.world/conversion.php
http://api.masjidy.world/coprimes.php
http://api.masjidy.world/objectless.php
http://api.masjidy.world/shaky.php
http://api.masjidy.world/strophe.php
http://black-beauty-accessories.com/grace.php
http://black-beauty-accessories.com/icing.php
http://blog.bidvacationrental.com/flamingo.php
http://blog.bidvacationrental.com/frozen.php
http://blog.bidvacationrental.com/impolitic.php
http://futurespace.orbitships.org/gumption.php
http://futurespace.orbitships.org/wader.php
http://isocertificationindia.net/abaca.php
http://isocertificationindia.net/procurer.php
http://isocertificationindia.net/revulsion.php
http://metro.fingerbus.cn/anticorrosives.php
http://newdevjyq.devjyq.com/rarefaction.php
http://newdevjyq.devjyq.com/timorousness.php
http://newdevjyq.devjyq.com/waver.php
http://tridevincense.com/adenoid.php
http://tridevincense.com/greeting.php
http://tridevincense.com/hydraulics.php
http://tridevincense.com/unhurried.php
http://washatsanjose.com/armlessly.php
http://washatsanjose.com/compiler.php
https://black-beauty-accessories.com/grace.php
https://demo.exclusivev2.uproducts.in/defuse.php
https://demo.exclusivev2.uproducts.in/foghorn.php
https://demo.exclusivev2.uproducts.in/quarterly.php
https://futurespace.orbitships.org/gumption.php
https://futurespace.orbitships.org/wader.php
https://newdevjyq.devjyq.com/rarefaction.php

ani-immigration.com
bidvacationrental.com
black-beauty-accessories.com
devjyq.com
fingerbus.cn
isocertificationindia.net
masjidy.world
orbitships.org
smsoft.pk
tridevincense.com
uproducts.in
washatsanjose.com

MALDOC FILE HASHES
1334cd736f64d22d004d51c874bc841d
2ea2f9fda13fc77d33a99bfb636f45e1
37b66f1c2760caaa12e33272be821bd4
407b66485c20f543cf68cb29620e6708
461db134f39d06bc9c204b83b4145a9f
526168ef1b2104c4c999f2c933436c04
56b05af86e5eabfaf09116b9355c7320
619efb86dbe1093355df0b76a1da8dc7
857a1edbd09a8456aac3fd9cd492b6db
8c85a65a764bc1e9e30bc0f7e7cf90bc
8ff279cee18d32ffcab051a7be589fad
a351a31ea722d459769fa4e2b437f70d
a9fafd6acc8debda2a39014f7cd6c05e
fb7499dfc324915cd2300ab6153c04c2
feb192853ba0002118ba5ab99a24a15d

EMBEDDED DOC FILE HASH
reform.doc
153bb0f25582e63182af1d8224e3e8bb

HANCITOR PAYLOAD FILE HASH
hhhh.mp3
2453bb5e07779ab1b9e91386c24c9f2f

HANCITOR C2
http://gavelycappir.ru/8/forum.php
http://muditations.ru/8/forum.php
http://weveresroyeas.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://obondon1.ru/1309.bin
http://obondon1.ru/1309s.bin

COBALT STRIKE STAGER FILE HASHES
1309.bin
f13549a83b2f8954ca76f0c6f3c72fdc

1309s.bin
fa15f9387a4291bc15ade84b23347504

COBALT STRIKE BEACON DOWNLOAD URLS
http://193.160.32.125/SbTS
https://193.160.32.125/Fz9c

COBALT STRIKE BEACON FILE HASHES
Fz9c
fa89f0a30f3fb8b16d934b8d14a31f6d

SbTS
f68b69e473ddc9a162d4f754a6c00f1a

COBALT STRIKE C2s
http://193.160.32.125/cm
https://193.160.32.125/ptj