Hancitor (aka Chanitor) emerged in 2013 and spreads through social engineering, mainly phishing e-mails that carry either a malicious link or a weaponized Microsoft Office document with a malicious macro embedded in it. In the campaign below, DocuSign-themed lures link through a google.com redirect to the maldoc distribution URLs; the Hancitor DLL then checks in with its C2 and drops Ficker Stealer and Cobalt Strike payloads. The latest observed indicators of compromise are listed below.
Credits : Research by ExecuteMalware
Indicators of Compromise
Date : 19/03/2021
THREAT IDENTIFICATION: HANCITOR
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
cda@tnasales [.]com
deexere@tnasales [.]com
edugeu@tnasales [.]com
elpu@tnasales [.]com
eyfopa@tnasales [.]com
gi@tnasales [.]com
hkybe@tnasales [.]com
ibibai@tnasales [.]com
iuaciro@tnasales [.]com
ivvaopj@tnasales [.]com
jceicap@tnasales [.]com
jujfi@tnasales [.]com
jw@tnasales [.]com
o@tnasales [.]com
ofwnzod@tnasales [.]com
oxyqe@tnasales [.]com
p@tnasales [.]com
qzimyc@tnasales [.]com
raso@tnasales [.]com
rky@tnasales [.]com
sa@tnasales [.]com
tag@tnasales [.]com
udiq@tnasales [.]com
wocyepo@tnasales [.]com
xa@tnasales [.]com
za@tnasales [.]com
zusefe@tnasales [.]com
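The observed subjects above are every combination of got/received, invoice/notification and a "DocuSign ... Service" suffix, and every sender sits on one domain. The following is an added example (not code from the original page or from ExecuteMalware) that turns those two observations into a header check: one regex for the subject family and a sender-domain test. The sample messages, the `classify`/`triage` function names and the assumption that mail from docusign.net is legitimate are all constructed for this example.

```python
"""Match the DocuSign lure subjects and the observed sender domain against
mail headers. Subjects and sender domain come from the IOC list above; the
regex, function names and sample messages are constructed for this example."""
import re
from email.utils import parseaddr

# One pattern covers all 14 observed subjects (got/received x invoice/notification
# x four "DocuSign ... Service" variants) and the two combinations not yet seen.
SUBJECT_RE = re.compile(
    r"^You (?:got|received) (?:invoice|notification) from DocuSign "
    r"(?:Electronic Signature |Electronic |Signature )?Service$"
)
OBSERVED_SENDER_DOMAIN = "tnasales.com"   # refanged from 'tnasales [.]com' above

def sender_domain(from_header: str) -> str:
    """Domain part of an RFC 5322 From header, lower-cased ('' if absent)."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def classify(headers: dict) -> str:
    """'ioc'   -> sender is on the observed lure domain
       'lure'  -> subject matches the DocuSign family but the sender is not
                  DocuSign's own docusign.net (assumed legitimate here)
       'clean' -> anything else"""
    dom = sender_domain(headers.get("From", ""))
    subj = headers.get("Subject", "").strip()
    if dom == OBSERVED_SENDER_DOMAIN:
        return "ioc"
    if SUBJECT_RE.match(subj) and not dom.endswith("docusign.net"):
        return "lure"
    return "clean"

# Constructed sample headers, not real messages.
SAMPLE_MESSAGES = [
    {"From": "jw@tnasales.com", "Subject": "You got invoice from DocuSign Service"},
    {"From": "billing@example.org", "Subject": "You received notification from DocuSign Signature Service"},
    {"From": "noreply@docusign.net", "Subject": "You received notification from DocuSign Service"},
    {"From": "hr@example.org", "Subject": "Invoice 4471 attached"},
]

def triage(messages) -> list:
    """Classify every message; order is preserved so results line up with input."""
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{verdict:5}  {m['From']:24}  {m['Subject']}")
```

The subject regex alone is a weak signal (a legitimate DocuSign notification would match it), which is why the check only fires on it when the sender domain is not DocuSign's; the sender-domain match is the strong signal and needs no subject at all.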
MALDOC REDIRECT URLS
https://www [.]google [.]com/url?q=http://alwayscomply [.]com/sites/default/modules/cck/translations/help/de/dip [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNG91xuWh7Lq9xWZjbVKfeaODM47ZQ
https://www [.]google [.]com/url?q=http://alwayscomply [.]com/sites/default/modules/cck/translations/help/de/impinge [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNGd4y2Wcog2N19amMynsC_9AKM0Qg
https://www [.]google [.]com/url?q=http://archive-admin [.]museubandasfilarmonicas [.]pt/assets/plugins/jquery-file-upload/server/php/files/austria [.]php&source=gmail&ust=1616148253954000&usg=%0D%0AAFQjCNHB_VH8sITckq8j_an_QD0H7bFMFQ
https://www [.]google [.]com/url?q=http://archive-admin [.]museubandasfilarmonicas [.]pt/assets/plugins/jquery-file-upload/server/php/files/austria [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNHB_VH8sITckq8j_an_QD0H7bFMFQ
https://www [.]google [.]com/url?q=http://tao [.]arnoldinum [.]cloud/qtiItemPci/views/js/pciCreator/paten [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNG3BmLzQyaMvZQyALCmO2n9MN4v3g
https://www [.]google [.]com/url?q=http://tao [.]arnoldinum [.]cloud/qtiItemPci/views/js/pciCreator/trackman [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGI0rHP-w2onvzXvv_YC1KQe8NR6A
https://www [.]google [.]com/url?q=https://alaseeldates [.]com/predispose [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNHhru9FX4ASRSMGZKl1hn-x276YTA
https://www [.]google [.]com/url?q=https://alaseeldates [.]com/snoozer [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNHcfcedHHOyhqZamM-UV4slpRki5g
https://www [.]google [.]com/url?q=https://aprilstudios [.]in/appropriate [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNF-SRFZeIucjKC74M8ANtMaU8z3Hw
https://www [.]google [.]com/url?q=https://aprilstudios [.]in/oz [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNEZSwhqIHCN3Q2tbb-pQjseTnqTOQ
https://www [.]google [.]com/url?q=https://aprilstudios [.]in/transverter [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNFjlYKzOuoW2OnGXSwNThjqEXhx-g
https://www [.]google [.]com/url?q=https://chamkoon [.]com/secund [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNE7FNF5pQjCAW8JVDK9bmP0v5-vOw
https://www [.]google [.]com/url?q=https://chamkoon [.]com/wrongness [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGDINAExVrk6errRs7HysLxHq5enA
https://www [.]google [.]com/url?q=https://cluebazar [.]com/upstairs [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNEBJLi_vsN1IZLzqjISwLJd4QCycw
https://www [.]google [.]com/url?q=https://emiratesminning [.]com/refers [.]php&source=gmail&ust=1616148253952000&usg=AFQjCNGwmq4JG0a5nHvtM-DsfyT6g8WZRQ
https://www [.]google [.]com/url?q=https://livenetworks [.]com [.]br/sakhalin [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNGWyvivCM6mNTntohyPUmMp-UC2DQ
https://www [.]google [.]com/url?q=https://locequipamentosbh [.]com [.]br/dissenting [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNFAfNrwGvOqamAovRPSNCciZ1CLXg
https://www [.]google [.]com/url?q=https://locequipamentosbh [.]com [.]br/dowager [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNHgppXUdFMfg10tIzapFl5VAGyGRw
https://www [.]google [.]com/url?q=https://locequipamentosbh [.]com [.]br/theomorphic [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGbJM1e4y2LlqKFyp4yj5EnC4CyfQ
https://www [.]google [.]com/url?q=https://m7a [.]rgstage [.]com/brazier [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNGdIpVlW0g5550PUTVUk7FeaInZCQ
https://www [.]google [.]com/url?q=https://m7a [.]rgstage [.]com/monologue [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNGb7yJpEnbiu-f4lpeQtBv0a6lLOw
https://www [.]google [.]com/url?q=https://mail [.]daunhotmiendong [.]vn/controvertible [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGgyf7Tf7u9dTtvttkKCvgBTpg_zw
https://www [.]google [.]com/url?q=https://mail [.]daunhotmiendong [.]vn/pusillanimous [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNE3qPBnoC1pjGi6JlYCdqi98zm3kw
https://www [.]google [.]com/url?q=https://orsan [.]gruporhynous [.]com/speed [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGaQvSL_y_uSRgnP3FcvXEJ-zSEmw
https://www [.]google [.]com/url?q=https://webworks [.]nepila [.]com/crazed [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNGGuc0hcxNbunmm4YHXQXwIIQ8DYA
https://www [.]google [.]com/url?q=https://webworks [.]nepila [.]com/defector [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNFYvfyuwM9fHk8UacywoyeTz6n1aA
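Each redirect URL above has google.com as its visible host; the phishing landing page is hidden in the `q` query parameter, so a filter that scores only the link host sees a trusted domain. The following is an added example (not code from the original page or from ExecuteMalware) that refangs the list entries, unwraps the redirect to recover the real distribution host, and then sweeps a proxy log for both the wrapped and the unwrapped form. The three redirect URLs and the two C2 URLs are copied from this page; the proxy-log lines, the function names and the reading of `ust` as a microsecond Unix timestamp are assumptions made for the example (that reading happens to decode to the 19 March 2021 date of this list).

```python
"""Unwrap google.com/url?q=... redirects from the IOC list above, recover the
real maldoc distribution host, and sweep a proxy log for it. Sample URLs are
copied (defanged) from this page; the log lines and function names are
constructed for this example."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

def refang(ioc: str) -> str:
    """Turn feed-style defanging (' [.]', '[.]', 'hxxp') back into a live string."""
    return re.sub(r"\s*\[\.\]\s*", ".", ioc).replace("hxxp", "http")

GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}

def unwrap_google_redirect(url: str) -> dict:
    """Return the target hidden in a google.com/url?q=... link.

    'ust' is read as a Unix timestamp in microseconds (an interpretation, not
    something the page states). Google percent-encodes the target, so a
    target with its own query string survives parse_qs intact.
    """
    parts = urlsplit(refang(url))
    if parts.hostname not in GOOGLE_REDIRECT_HOSTS or parts.path != "/url":
        return {"wrapped": False, "target": refang(url), "host": parts.hostname, "ust_utc": None}
    qs = parse_qs(parts.query)   # percent-decodes, so a %0D%0A artifact becomes "\r\n"
    target = qs.get("q", [""])[0].strip()
    ust = qs.get("ust", [""])[0].strip()
    when = None
    if ust.isdigit():
        secs, micros = divmod(int(ust), 1_000_000)
        when = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)
    return {"wrapped": True, "target": target, "host": urlsplit(target).hostname, "ust_utc": when}

# Three redirect URLs from the list above, still defanged. The second one
# carries the %0D%0A line-break artifact inside its usg= parameter.
SAMPLE_REDIRECTS = [
    "https://www [.]google [.]com/url?q=http://alwayscomply [.]com/sites/default/modules/cck/translations/help/de/dip [.]php&source=gmail&ust=1616148253953000&usg=AFQjCNG91xuWh7Lq9xWZjbVKfeaODM47ZQ",
    "https://www [.]google [.]com/url?q=http://archive-admin [.]museubandasfilarmonicas [.]pt/assets/plugins/jquery-file-upload/server/php/files/austria [.]php&source=gmail&ust=1616148253954000&usg=%0D%0AAFQjCNHB_VH8sITckq8j_an_QD0H7bFMFQ",
    "https://www [.]google [.]com/url?q=https://aprilstudios [.]in/oz [.]php&source=gmail&ust=1616148253954000&usg=AFQjCNF-SRFZeIucjKC74M8ANtMaU8z3Hw",
]
# Hancitor C2 URLs from further down this page, still defanged.
HANCITOR_C2 = ["http://froursmonesed [.]com/8/forum [.]php", "http://abouniteta [.]ru/8/forum [.]php"]

def ioc_hosts() -> set:
    """Hosts to alert on: unwrapped maldoc distribution hosts plus the C2 hosts."""
    hosts = {unwrap_google_redirect(u)["host"] for u in SAMPLE_REDIRECTS}
    hosts |= {urlsplit(refang(u)).hostname for u in HANCITOR_C2}
    return hosts

# Constructed proxy-log lines: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-03-19T10:31:02Z 10.0.4.17 GET https://www.google.com/url?q=https://aprilstudios.in/oz.php&source=gmail&ust=1616148253954000&usg=AFQjCNF-SRFZeIucjKC74M8ANtMaU8z3Hw 302
2021-03-19T10:31:03Z 10.0.4.17 GET https://aprilstudios.in/oz.php 200
2021-03-19T10:31:40Z 10.0.4.17 POST http://froursmonesed.com/8/forum.php 200
2021-03-19T10:32:11Z 10.0.5.3 GET https://www.google.com/search?q=docusign 200
"""

def sweep_proxy_log(log_text: str, hosts: set) -> list:
    """Return (client, host) for every request whose effective host is an IOC,
    looking through the Google redirect wrapper so the first click is caught too."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        effective = unwrap_google_redirect(fields[3])["host"]
        if effective in hosts:
            hits.append((fields[1], effective))
    return hits

if __name__ == "__main__":
    for u in SAMPLE_REDIRECTS:
        print(unwrap_google_redirect(u))
    print(sweep_proxy_log(SAMPLE_PROXY_LOG, ioc_hosts()))
```

The redirect check keys on host plus the `/url` path rather than on the `q` parameter alone, so an ordinary google.com search URL (which also carries `q=`) is not treated as a wrapper. Block the distribution hosts and the C2 hosts, not the google.com wrapper itself.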
MALDOC DISTRIBUTION URLS
http://alwayscomply [.]com/sites/default/modules/cck/translations/help/de/dip [.]php
http://alwayscomply [.]com/sites/default/modules/cck/translations/help/de/impinge [.]php
http://archive-admin [.]museubandasfilarmonicas [.]pt/assets/plugins/jquery-file-upload/server/php/files/austria [.]php
http://tao [.]arnoldinum [.]cloud/qtiItemPci/views/js/pciCreator/paten [.]php
http://tao [.]arnoldinum [.]cloud/qtiItemPci/views/js/pciCreator/trackman [.]php
https://alaseeldates [.]com/predispose [.]php
https://alaseeldates [.]com/snoozer [.]php
https://aprilstudios [.]in/appropriate [.]php
https://aprilstudios [.]in/oz [.]php
https://aprilstudios [.]in/transverter [.]php
https://chamkoon [.]com/secund [.]php
https://chamkoon [.]com/wrongness [.]php
https://cluebazar [.]com/upstairs [.]php
https://emiratesminning [.]com/refers [.]php
https://livenetworks [.]com [.]br/sakhalin [.]php
https://locequipamentosbh [.]com [.]br/dissenting [.]php
https://locequipamentosbh [.]com [.]br/dowager [.]php
https://locequipamentosbh [.]com [.]br/theomorphic [.]php
https://m7a [.]rgstage [.]com/brazier [.]php
https://m7a [.]rgstage [.]com/monologue [.]php
https://mail [.]daunhotmiendong [.]vn/controvertible [.]php
https://mail [.]daunhotmiendong [.]vn/pusillanimous [.]php
https://orsan [.]gruporhynous [.]com/speed [.]php
https://webworks [.]nepila [.]com/crazed [.]php
https://webworks [.]nepila [.]com/defector [.]php
MALDOC DISTRIBUTION DOMAINS
alaseeldates [.]com
alwayscomply [.]com
aprilstudios [.]in
arnoldinum [.]cloud
chamkoon [.]com
cluebazar [.]com
daunhotmiendong [.]vn
emiratesminning [.]com
gruporhynous [.]com
livenetworks [.]com [.]br
locequipamentosbh [.]com [.]br
museubandasfilarmonicas [.]pt
nepila [.]com
rgstage [.]com
HANCITOR MALDOC FILE HASHES (MD5)
0ddee5b7da65f3a801677a9187c92d35
30e8467c27864508ee01fa82f719849c
504afcedfccc2caf7e2bd9a440bbe566
534350c5741aa2175ca54f219ab7d905
69022fe73ea471e0a9e0af364a023cc2
709a14419d84ac5e0d8a95071008cce1
7fee47f618c0c7f18488ca357f3b26df
9bb98f4388cb39e11c17e825ffca2b84
b17e33adf9f089bafe33c65c5f446287
c355368d0f5ff410851ab8900da7098c
df5bc23f39f5bc0926cdbed514712ed6
HANCITOR PAYLOAD FILE HASH (MD5)
Static [.]dll
be81b6f1ce7a7673c1c549064de73430
HANCITOR C2
http://froursmonesed [.]com/8/forum [.]php
http://abouniteta [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URLS
http://pirijinko [.]ru/6jkiuwf43 [.]exe
FICKER STEALER FILE HASH (MD5)
6jkiuwf43 [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
COBALT STRIKE FILE HASHES (MD5)
1703 [.]bin
c9a34a84b8be1d3b4f84fc50bd1ac80a
1703s [.]bin
339db7ec6f43de6df9109f13b17842b6
I also found these on the same domain:
1102 [.]bin
75dd171de48fb65c9ff07e937b473ced
1102s [.]bin
68552585411cf40c9c7f5cda18840bd7