Credits: Research by ExecuteMalware
THREAT IDENTIFICATION: HANCITOR
Indicators of Compromise
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
SENDERS OBSERVED
a@snowbustersllc [.]com
apanazj@snowbustersllc [.]com
buhujy@snowbustersllc [.]com
cixfyli@snowbustersllc [.]com
dneexae@snowbustersllc [.]com
ee@snowbustersllc [.]com
fiuqola@snowbustersllc [.]com
fo@snowbustersllc [.]com
hbyhj@snowbustersllc [.]com
hsuly@snowbustersllc [.]com
le@snowbustersllc [.]com
mwuqsao@snowbustersllc [.]com
p@snowbustersllc [.]com
posikyn@snowbustersllc [.]com
qa@snowbustersllc [.]com
tbcye@snowbustersllc [.]com
tcwapui@snowbustersllc [.]com
uhoywe@snowbustersllc [.]com
um@snowbustersllc [.]com
umixy@snowbustersllc [.]com
wado@snowbustersllc [.]com
wgvkxed@snowbustersllc [.]com
xh@snowbustersllc [.]com
xy@snowbustersllc [.]com
yvecdam@snowbustersllc [.]com
MALDOC LANDING PAGES
https://docs [.]google [.]com/document/d/e/2PACX-1vQ2QmKqpFfogMSVC5PaSsaG3aYVVrlpRk5ykUbi4euELKRWoMNEZIOQsqBXQ2iP0gaA9PyhSQP1dTJx/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ4zote8gEuHaMs_vq9T8da8zIiArW7owRrmCXq56oiiN_XtlqE9-QVf7mCKoH8GYYiFp2G_65s7bq1/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQedoqW845ToRk9H2w8AuC9uYd37RUAWv33AlX_K_SVMdVPhKe71NT74Q7UWbuwIcxV5BndF7VpmO_3/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQF_sUZFmDtOy6tIeFLHWGEbDS497ZKcFVMv013ITSf_kLqsrCxwwPmIvCkIg5gv-pT7rb-YZKfyOmI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR6wLZmg3E34qGmiQvsLA0jhwAOr5_V5cMXtum2FrGxR-rFMYbNFVoW32ItFaV2e4s8bceF5N6IOAhT/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRA1hRnQ5LijEc6DLtlGdX4NOa1KTLETUI0WciyQXVZdpcMDho3ZKSMprljuCjQkoFx9FBHwpy0oQvQ/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRAt8uzl1p62_2T6X-CDHb0iYDE_UZOAM5Y0NLbdZIbJ4XpI1t-Ist6HpnCusCSRjOSN0IsKWqr-4pe/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRfQ2VQjCBTTRKsu1XfjG-2W_M6V0impjsV_-mjmUKxvzqImizIg4vmFHNLKWUXx3n_GbO9YgBB_uxl/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRhgT8a4ZKzUbsxthYJXGHMuovSqml6q6cJAirtgygKRsE5Lq6aTpjKiOKdK19UfoywMflcaFgYuz1v/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRNIG5voGdaWw6mofrJaA4L1T0KAoma-9H2fD1wFOgxxHZbII0O0FoqYaSdVFsTsBzJJFkhHpjjtgrk/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRTr82FbM795Fniqq0Se-Ib9S2eu35C2EuoXBhSoje1gSozIXrdUZDEYmRupgmF3F5SOKEwB02dLZsb/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRum3WLrjl61awoawdPXeS223ntq50ClQHWeCXXnwwLdMKMcuNmtWuVdYR_nUyo486PjEXH_9LmlQ3n/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSDdQ-bJDFns_M8Z9xR_Qbc1BAXUmqZaSVbdCdH2CgAEEoeZwmspFu5VWSTIqBab64_CsdMZYPZQCR4/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSe94VNCk9NYSFlc0VpxT9XsONIYaQgJbK0xoxjufn49REZr_LcpIb3tjaq6_jwvA1X3FsL5CzZGOv6/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSjdtqS08PUs_hXHi39N5mF8nCj3lI5f2ZWrmghJ9blZbyOahGolAEY02u45IWTqwGRLBJVMW9oB9Ah/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSq4Yn3nN3UfNO7z65n9rMwZ1oQrHM27QSe-6Hp6hS6s-aSm5eDbrV_SJpWwhRf-7HT6C-Qz4SRGJvC/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSQmg3YFKWCexKvJSUEPUIpYZlm3xH08Oc3PCGtscIo99TLRpQX186XHiLa0NCRzWskXGeho6XErspY/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSurUbKdti2dNpxYp4yUU4N810uy-6j6yPeDQAGi-hrmK-zbXoWfM-ZI5cZBGz7hFHSF5shMy70bf1L/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSW8VQwi4g97jnGUEBzPRoIgBnWLGbJYoJ5NuaqSAgUQmnZR3Gk-aX2JREu3xQDpXiuqMLIDuxgPDRK/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSzzBabP5pDKOaS0IhroC7BT_ngOy3gbIBif9qTJ0hh0Q6SIzo8QtRqEWdHdwy770L44lrdGrz6URZM/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTatBAQkEH4gtEbsE7k0eD_n9hvFCBLgjZlLm3x615XorlugjVlJnup0q9BR0stQlE3Y87qcAYIHVhA/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTedYR0WfOe7OPtEEBkrsHiCvzyVrfZBKtKQhPXc3lAIUPpyhSXuU_rToHgyHDGippy1wbBv97iQLp3/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTsjpTTQl8I0UNQHiqIu29gRqWsGTS7hkKPUKrHkLWlV976zSGINvz0QIwn8LzDx7GSmtCWANdrkIWC/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTYhYPSVBUhft26DKSFpf7EAQlS0BjzRmQIazKc3rLPEJmP08Ev7AF7ZLLLYCzod-Oh38YmMF8HZ8Y7/pub
MALDOC DISTRIBUTION URLS
https://cluebazar [.]com/atrocious [.]php
https://cluebazar [.]com/reassembly [.]php
https://erp [.]focusgroupbd [.]com/preparatory [.]php
https://livenetworks [.]com [.]br/lift [.]php
https://locequipamentosbh [.]com [.]br/bowlegged [.]php
https://softwareride [.]com/public/template/plugins/datatables-fixedcolumns/css/astonishes [.]php
https://uniquewebservice [.]com/peonage [.]php
https://webworks [.]nepila [.]com/analgesic [.]php
https://www [.]oacts [.]com/stevedoring [.]php
https://www [.]razwerks [.]com/empiric [.]php
https://www [.]razwerks [.]com/plural [.]php
https://www [.]razwerks [.]com/rah [.]php
cluebazar [.]com
focusgroupbd [.]com
livenetworks [.]com [.]br
locequipamentosbh [.]com [.]br
nepila [.]com
oacts [.]com
razwerks [.]com
softwareride [.]com
uniquewebservice [.]com
HANCITOR MALDOC FILE HASHES
e960bb72d2fde613916fec3938903f73
a2502fa1b2f7c3ee10ba464ea105c74c
eff9684639bef068eb2973f6e3cc4ac4
38fb95d9e5aebb9de5337a877b348417
4aad8d4b96002e1f0ec67c5738a97ff9
9b41f55a0aaf7a3027dc9a81cba9c904
1ceb6115bb50ba5e401af7993cf5b2a7
0f88577f54d19eb2503a44830aee29ce
HANCITOR PAYLOAD FILE HASH
Static [.]dll
5eaea1f20e237257dadfd96e597d8ef4
HANCITOR C2
http://tricilidiany [.]com/8/forum [.]php
http://intaticducalso [.]ru/8/forum [.]php
http://gloporiente [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URLS
http://g1smurt [.]ru/6jiuu8934u [.]exe
FICKER STEALER FILE HASH
6jiuu8934u [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
COBALT STRIKE DOWNLOAD URLS
http://g1smurt [.]ru/2303 [.]bin
http://g1smurt [.]ru/2303s [.]bin
COBALT STRIKE FILE HASHES
2303 [.]bin
07a39d514646abe8efc39e930dbf74b1
2303s [.]bin
461353de6e2edda219692b64d08a55e7
COBALT STRIKE TRAFFIC
http://74 [.]50 [.]60 [.]96/9Wic
http://74 [.]50 [.]60 [.]96/visit [.]js
9Wic
72326b9238c305a45cf387ce2141d659
Credits: Research by ExecuteMalware
THREAT IDENTIFICATION: TRICKBOT
Indicators of Compromise
SUBJECTS OBSERVED
Auto ID Card Ready to Print #35873856
SENDERS OBSERVED
THOMAS THOMAS
MALDOC FILE HASHES
Id_Card-32213 [.]xlsm
269aab297d58b5e9d137c6cb2028cd49
TRICKBOT PAYLOAD URLS
http://truemerit [.]io/databases/merit [.]php
http://192 [.]3 [.]247 [.]103/images/redbutton [.]png
http://192 [.]3 [.]247 [.]103/images/cutscroll [.]png
TRICKBOT PAYLOAD FILE HASHES
i1zTJfH [.]sitecounter
2ae20b49ac0c8f59eaca5e08a319892c
TRICKBOT C2
https://103 [.]102 [.]220 [.]50
https://115 [.]241 [.]244 [.]185
https://174 [.]105 [.]236 [.]140
https://177 [.]84 [.]63 [.]252
https://185 [.]119 [.]120 [.]213
https://189 [.]195 [.]96 [.]238
https://190 [.]89 [.]3 [.]117
https://36 [.]95 [.]27 [.]243
https://5 [.]202 [.]120 [.]150
https://83 [.]220 [.]115 [.]230
Credits: Research by ExecuteMalware
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
info@icartservice [.]com
info@icartservice [.]net
newtonmeddr@ibest [.]com [.]br
suarezrosana@ibest [.]com [.]br
tobema@homebyasa [.]nl
tyfoda@testwp [.]kimze-online [.]com
SUBJECTS
Do you want to extend your free trial KJR82250995?
Thank you for using your free trial BCS49108273 [.] Time to move on!
Want to extend your free trial BCS87227489?
Want to extend your free trial BCS94578201?
Your free trial BCS74922261 has come to end!
Your free trial KJR05696670 is going to end!
Your free trial KJR20362849 is going to end!
Your free trial KJR38012845 is going to end!
Your free trial KJR90622295 is going to end!
Your free trial RMN70575496 has come to end!
LURE PHONE NUMBER
1 (213) 261-0445
1 (661) 501-2041
MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html
https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php
bluecartservice [.]com
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org
MALDOC FILE HASHES
04021a582f12c54e1023fdcee600111c
38c3650fbd0f86a03b6791aebe9d0c46
3b96e081be068d210a85b55925372567
412db47e93b22ec47c672910e1f85170
a5e1db7b40b1df187d7c4f227ffb316c
a8640287aac9c6468ac03f412382a839
e318ef00212305129aca499d569a741b
fc310563e9b0628f6b5a8567bf3b5133
PAYLOAD DOWNLOAD URL
First a post to:
http://gopigs [.]xyz/campo/u/u
Then downloads:
http://nommac [.]com/malta-app/Malta/node_modules/postcss-merge-rules/dist/retrsd25 [.]exe
PAYLOAD FILE HASH
retrsd25 [.]exe
78388676e1ebde4576357c3727a51787
ADDITIONAL/C2 TRAFFIC
https://52 [.]167 [.]249 [.]196
ADDITIONAL FILES
I also found these files in \Users\public:
42237 [.]j56
0ddece3ffa94e0acffddf867f001a644
42237 [.]xlsb
0ddece3ffa94e0acffddf867f001a644
42237 [.]h5
1462605ccb643532a25098e7fbe323cb
And then later:
42237 [.]j56
c056b7d3999d5110ff1d3bb9c29655b8
42237 [.]xlsb
c056b7d3999d5110ff1d3bb9c29655b8
42237 [.]h5
e80bb5df25aeff934df851df566e3775
All have MZ headers
[.]j56 and [.]xlsb have the same file hash