Threat Intelligence – HANCITOR Malware Latest IOCs


Hancitor (aka Chanitor) emerged in 2013. It spreads via social engineering, mainly through phishing emails carrying a malicious link and a weaponized Microsoft Office document that contains a malicious macro. The latest observed indicators of compromise are listed below.

Credits : Research by ExecuteMalware

Indicators of Compromise

Date : 19/03/2021

THREAT IDENTIFICATION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC REDIRECT URLS

MALDOC DISTRIBUTION URLS

HANCITOR MALDOC FILE HASHES

HANCITOR PAYLOAD FILE HASH
Static [.]dll
be81b6f1ce7a7673c1c549064de73430

HANCITOR C2
http://froursmonesed [.]com/8/forum [.]php
http://abouniteta [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URLS
http://pirijinko [.]ru/6jkiuwf43 [.]exe

FICKER STEALER FILE HASH
6jkiuwf43 [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com

COBALT STRIKE FILE HASHES
1703 [.]bin
c9a34a84b8be1d3b4f84fc50bd1ac80a

1703s [.]bin
339db7ec6f43de6df9109f13b17842b6

I also found these on the same domain
1102 [.]bin
75dd171de48fb65c9ff07e937b473ced

1102s [.]bin
68552585411cf40c9c7f5cda18840bd7

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.
