2021-10-19 Hancitor IOCs

THREAT IDENTIFICATION:  HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1910_nsw

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
a@treasuremart.com
amiarv@treasuremart.com
aofusui@treasuremart.com
bobotii@treasuremart.com
caty@treasuremart.com
comopav@treasuremart.com
dcamwy@treasuremart.com
dymli@treasuremart.com
eaese@treasuremart.com
eqoada@treasuremart.com
ezy@treasuremart.com
fjaqfs@treasuremart.com
fupezed@treasuremart.com
g@treasuremart.com
iaepqxd@treasuremart.com
ipypodv@treasuremart.com
j@treasuremart.com
jxyu@treasuremart.com
jyldu@treasuremart.com
koqdagu@treasuremart.com
lsucei@treasuremart.com
mc@treasuremart.com
mo@treasuremart.com
mypwuog@treasuremart.com
ofon@treasuremart.com
okocbop@treasuremart.com
pyeeh@treasuremart.com
q@treasuremart.com
qesywo@treasuremart.com
qetyd@treasuremart.com
qqirant@treasuremart.com
rajas@treasuremart.com
royyiaw@treasuremart.com
sobepu@treasuremart.com
ssu@treasuremart.com
sxodyeu@treasuremart.com
tuwuq@treasuremart.com
tyipyh@treasuremart.com
vasvgoi@treasuremart.com
vbu@treasuremart.com
viceal@treasuremart.com
vxohu@treasuremart.com
wraszes@treasuremart.com
xvezis@treasuremart.com
xyhao@treasuremart.com
ygbaoxa@treasuremart.com
yi@treasuremart.com
yjiumex@treasuremart.com
ymia@treasuremart.com
z@treasuremart.com
zqiuili@treasuremart.com
zviii@treasuremart.com

MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/aixvhpqpoqa/~3/CK6SMcZGXV8/denial.php
http://feedproxy.google.com/~r/aizjsca/~3/IqJ0LrwShVo/wrongfulness.php
http://feedproxy.google.com/~r/akbzcjepaco/~3/PRMwnIp1_FE/xebec.php
http://feedproxy.google.com/~r/bexvm/~3/ILzMudKcWfA/nonmonotonic.php
http://feedproxy.google.com/~r/cjyxbk/~3/cur3YJHpEZI/finnish.php
http://feedproxy.google.com/~r/dlndvfsizeh/~3/UVCmkRYIT4E/wadded.php
http://feedproxy.google.com/~r/gbwbgal/~3/ua5OXu_koek/drummer.php
http://feedproxy.google.com/~r/hfnins/~3/jpWDgnKmHbs/be.php
http://feedproxy.google.com/~r/jzmxkeq/~3/tu_2HZY174w/abide.php
http://feedproxy.google.com/~r/klmpkeyqtu/~3/IBa__SMRxwI/boudoir.php
http://feedproxy.google.com/~r/lmbadsa/~3/tu_2HZY174w/abide.php
http://feedproxy.google.com/~r/mhxzawximuk/~3/9Js5KrooBHA/petersburg.php
http://feedproxy.google.com/~r/mqzlb/~3/4ReN59_PB_o/moan.php
http://feedproxy.google.com/~r/mybjeciew/~3/UVCmkRYIT4E/wadded.php
http://feedproxy.google.com/~r/nevvk/~3/fAU-x0IFuyI/tumor.php
http://feedproxy.google.com/~r/nwxlldt/~3/iLjKCapiIOI/thesauri.php
http://feedproxy.google.com/~r/ofdxvegcof/~3/M0QQ60yFNuw/yacht.php
http://feedproxy.google.com/~r/opixkaui/~3/YwOYjEG6qCM/ophthalmology.php
http://feedproxy.google.com/~r/oxpix/~3/-8GY5e5dkKY/musicale.php
http://feedproxy.google.com/~r/qbucdiyhqr/~3/KzYIP1O7Luw/analyse.php
http://feedproxy.google.com/~r/skskcun/~3/cxeeZlsNwqM/larynx.php
http://feedproxy.google.com/~r/tmmiwf/~3/FxI0geFIskY/cloakroom.php
http://feedproxy.google.com/~r/tthcd/~3/WmS4gNxGn7M/symbolic.php
http://feedproxy.google.com/~r/uhieciibmxa/~3/9nbeMhyfsYQ/extend.php
http://feedproxy.google.com/~r/uyalsygd/~3/7jqRdvyVVTM/prevalent.php
http://feedproxy.google.com/~r/vksoyzsl/~3/2yxebV6qc1k/pseudoscience.php
http://feedproxy.google.com/~r/vvcmekmxk/~3/9Js5KrooBHA/petersburg.php
http://feedproxy.google.com/~r/vyehpdkrm/~3/dCC6hEag_Lw/readies.php
http://feedproxy.google.com/~r/wbkejfmk/~3/w8zlT4lU10s/falter.php
http://feedproxy.google.com/~r/wuigaaw/~3/rQv-sPjeMGY/opposite.php
http://feedproxy.google.com/~r/xnzsccfdkct/~3/9Js5KrooBHA/petersburg.php
http://feedproxy.google.com/~r/xojsam/~3/OHwRdueCpO4/duration.php
http://feedproxy.google.com/~r/yeejioe/~3/fAU-x0IFuyI/tumor.php
http://feedproxy.google.com/~r/yffsiwni/~3/ILzMudKcWfA/nonmonotonic.php
http://feedproxy.google.com/~r/yplrgkbd/~3/XjuTOh5ZRsI/spicate.php
http://feedproxy.google.com/~r/yvqtiev/~3/JtPZt2jC938/chastity.php

MALDOC REDIRECT URLS
http://bharattank.me/extend.php
http://bhushankoli.com/be.php
http://bhushankoli.com/boudoir.php
http://bhushankoli.com/drummer.php
http://bhushankoli.com/spicate.php
http://blog.drmostafafouadivf.com/analyse.php
http://blog.drmostafafouadivf.com/falter.php
http://blog.drmostafafouadivf.com/wrongfulness.php
http://custominsure.com/finnish.php
http://custominsure.com/musicale.php
http://dev.promoscredits.com/symbolic.php
http://dulhagharnh.com/moan.php
http://dulhagharnh.com/nonmonotonic.php
http://dulhagharnh.com/prevalent.php
http://dulhagharnh.com/tumor.php
http://francdoc.webdev-wazoomstudio.online/ophthalmology.php
http://healthzoneapp.com/chastity.php
http://healthzoneapp.com/readies.php
http://hewadexchange.com/wadded.php
http://m.ashiwenhua.net/denial.php
http://mcybersoft.com/abide.php
http://mcybersoft.com/cloakroom.php
http://novostroyka812.ru/thesauri.php
http://portal.senseaonline.in/duration.php
http://tartaklegnica.pl/larynx.php
http://tartaklegnica.pl/pseudoscience.php
http://tartaklegnica.pl/yacht.php
https://bharattank.me/extend.php
https://bhushankoli.com/be.php
https://bhushankoli.com/boudoir.php
https://bhushankoli.com/drummer.php
https://bhushankoli.com/spicate.php
https://blog.drmostafafouadivf.com/wrongfulness.php
https://dulhagharnh.com/nonmonotonic.php
https://dulhagharnh.com/tumor.php
https://francdoc.webdev-wazoomstudio.online/ophthalmology.php
https://healthzoneapp.com/chastity.php
https://iptel.cy/opposite.php
https://mcybersoft.com/abide.php
https://mcybersoft.com/cloakroom.php
https://novostroyka812.ru/thesauri.php
https://portal.senseaonline.in/duration.php
https://tartaklegnica.pl/larynx.php
https://www.cardpay365.com/petersburg.php
https://www.cardpay365.com/xebec.php

ashiwenhua.net
bharattank.me
bhushankoli.com
cardpay365.com
custominsure.com
drmostafafouadivf.com
dulhagharnh.com
healthzoneapp.com
hewadexchange.com
iptel.cy
mcybersoft.com
novostroyka812.ru
promoscredits.com
senseaonline.in
tartaklegnica.pl
webdev-wazoomstudio.online

MALDOC FILE HASHES
07e5175afd01bd35512189731d10f8a6
1d6dfb73231da40c6d151d2e8680fb47
687eb332db14b04e7a7820fb0d1a3201

EMBEDDED DOC FILE HASH
zoro.doc
b6487ba7cff8bd5748c8dfa1f7db100c

HANCITOR PAYLOAD FILE HASH
gelforr.dap
4198ac1dc34de77ab8ceac3c9a25480e

HANCITOR C2
http://gintlyba.ru/8/forum.php
http://newnucapi.com/8/forum.php
http://stralonz.ru/8/forum.php

COBALT STRIKE STAGER DOWNLOAD URLS
http://alh1mik.ru/195.bin
http://alh1mik.ru/195s.bin

COBALT STRIKE STAGER FILE HASHES
195.bin
b6a2f7018628bf0e775cdf38efb44201

195s.bin
3e2cadcaa1f3c68860dc93314e8f193d

COBALT STRIKE BEACON DOWNLOAD URLS
http://135.148.120.195/DmBi
http://135.148.120.195:443/TjVH

COBALT STRIKE BEACON FILE HASHES
TjVH
5ec6fe1350996590db43ba440e4b6848

DmBi
5325e4005453b39c76b461ae9f243ae2

COBALT STRIKE C2s
http://135.148.120.195/dpixel
http://135.148.120.195:443/ca