Hancitor (aka Chanitor) emerged in 2013 and spreads through social engineering, mainly phishing emails that carry malicious links or weaponized Microsoft Office documents containing a malicious macro. The lists below trace the chain observed in this campaign: DocuSign-themed lure emails linking to Google Docs landing pages, maldoc downloads from the distribution sites, the Hancitor DLL payload and its C2 URLs, and a Ficker Stealer follow-on payload. The latest observed indicators of compromise are as follows.
Credits: Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: HANCITOR
HANCITOR BUILD NUMBER (sent as the BUILD parameter in the C2 check-in POST body)
&BUILD=0704_scxe
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
axelyhy@rodobimba [.]com
blcchii@rodobimba [.]com
dhaorvf@rodobimba [.]com
f@rodobimba [.]com
fiokea@rodobimba [.]com
ftilowr@rodobimba [.]com
iicofcq@rodobimba [.]com
meguoy@rodobimba [.]com
odleoab@rodobimba [.]com
pot@rodobimba [.]com
pz@rodobimba [.]com
q@rodobimba [.]com
sxu@rodobimba [.]com
txhy@rodobimba [.]com
u@rodobimba [.]com
wd@rodobimba [.]com
weus@rodobimba [.]com
xorma@rodobimba [.]com
z@rodobimba [.]com
MALDOC LANDING PAGE URLS (published Google Docs: match on the full URL, not on the docs [.]google [.]com host)
https://docs [.]google [.]com/document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ8sgMrw4Y6uzuy5Sct0vOFS4lHr_rj6-L4ld2qijj-xJNIPQAUxDpX5mxnNmxWhqd6YJbNBIiWstTi/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQ_usou7tDRcDZU8hx5Nc26wHDdlLXaGjp2cv8JHFPlZJbSf6GIZOKhgOwpoPr7xar6dz_wRJAxOWev/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQdn84kAA3U6gGp5LtHJ9_KpRNuhs-BcTf3EtJ8QDfJF5eX5rPN7gw421LKR-frCjzR-n5y2g53FBun/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQjBRR7kz1n0OqKPjirbg8O6CcBF0Ofhe636SBE-S-vKvcJKfc_gthWAWcRtyFh4EGRnswsRKb5Ss_k/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQwK0gtj7HiCdxp2H_DAL6Ufhuxpbdg8XmpGyi2hjD4eUdjBVk5W2WvUWI-T4LZBSDTCUrx34zEOZTN/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRBAdUu58td4Ovr4yuy3GiFEzW0E0uY7ysFRtASmgNs64irOsebkwdK3WuXSO7Ycg1WkVDujZ6LEc49/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRIzYn_nQOPMNpFfO1u1s-oW_bmJpjhQXuvTQahjnpR3AP9S6VBg1DMd4njkNKYDbhJVqw5-Ha7PJ64/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRjAthVvGFRonXQG4gsuab9bqoH467TEqUPZw2_cFO8Fyeh5VTm-ckCiX5wD3D2yEb0u4CsO2lSEKv0/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRJQjgqU-78FRpffuwB7UdDE7YlWnB2NWTXbJq8k9AyhZx8oaWI6iRBno0I_pWqxr5S4QbFXifu7X4n/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSHn-kBOtunJVSN73AaxTxP10A4fmD72cg5NKS1lIjiNwUtO12UZardWN8XFAPCXvjbed4ve4KxPLyx/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSlkF6AAdiiVVUeHLbYvSopcbm2DGbEPoUwK4B6KA2YZWogtrwGTGQiKMzAsGXnUSYDqQgTCNYllIIT/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSWeH6EtBiYKzlGOTm8gx53_ruELGohXgOUToOrgEyDRMxIwI4xgGOV076lFUTfHuTeUnXYAEVW-5tK/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT-Qve9km4E1lLd9IcTzBFGPFHm_G-aR48HBWVF8FtPxh8PCcbGbV3JYetrTfTjoWXfU8ngd9vLUW23/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT33281lMXIJoPgUsciT8gPWvYhTQmvlAxr8pUANCiLtqLZJdGCfKrsDS4PK8IBjDfaPg2ROAZBH7tr/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTaAMuJcabO61pA_ezeRm7ZXcc88ikS0qqYJ7Melzx_xsNWxSDzZ_NHFDn72HuNuh3CZQHWbWjSMky0/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTpjko79htJXUB_U-HeB-YeJemi_bShpp4ZgJG0-u0LUKJShOZ6TTtalBoo1egjpL-U5yZsgvQW6egE/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTY8Nd7L3GankqR6bKDnSPy91dDenDbTXHPFuv4oY4OrUEcHNQ3c3jsCUGEjo4PLi-vq18t6PvrdDmb/pub
MALDOC DISTRIBUTION URLS
https://aklatdelmundo [.]com/ditty [.]php
https://aklatdelmundo [.]com/holler [.]php
https://jollygul [.]com/ford [.]php
https://jollygul [.]com/nipple [.]php
https://kabimmo [.]com/seclusion [.]php
https://kabimmo [.]com/struggler [.]php
https://medicinainterna-critica [.]com/lubricant [.]php
https://quickcompanyreg [.]co [.]za/accordion [.]php
https://save [.]makemoneywith [.]website/housewarming [.]php
MALDOC DISTRIBUTION DOMAINS
aklatdelmundo [.]com
jollygul [.]com
kabimmo [.]com
makemoneywith [.]website
medicinainterna-critica [.]com
quickcompanyreg [.]co [.]za
HANCITOR MALDOC FILE HASHES (MD5)
26f6537ae7eab818013eb021f54c46d2
6541b3e2c5a8f86531721ec1d417be6c
7fb1cc93b51cf6db68ae20bdbd197023
882ea66f8685633ae0195060dc60076f
HANCITOR PAYLOAD FILE HASH (MD5)
MsMp [.]dll
8ee94ecdec0de4f4e60e589dae57dbdb
HANCITOR C2
http://windetheta [.]com/8/forum [.]php
http://undereasus [.]ru/8/forum [.]php
http://frougelylo [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URL
http://67xfjk [.]ru/6jhu8yhd [.]exe
FICKER STEALER FILE HASH (MD5)
6jhu8yhd [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
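The indicators above are defanged (" [.]" for "."), grouped under all-caps headings, and mix hosts, full URLs, sender addresses, filenames and MD5s, so they need parsing before they can be matched against logs. The following Python script is an added example, not part of the original post or of ExecuteMalware's research: it refangs a constructed excerpt of the lists above, derives match sets from them, and runs them over constructed proxy-log lines and mail records (none of the samples are captured data). Two choices worth noting: the landing-page URLs live on docs [.]google [.]com, so the script matches them as full URLs and never puts that host on the block set; and the Hancitor C2 URLs all share the /8/forum [.]php check-in path, so a POST to that path shape is flagged on its own, independent of the listed hosts. The subject regex generalises the listed "You got/received invoice/notification from DocuSign ..." subjects; the log format, the hit labels and the message dicts are assumptions of this example.

```python
"""Refang and match the Hancitor / Ficker Stealer indicators listed above. Added example,
not from the original post or ExecuteMalware; RAW_IOCS is a constructed excerpt of the page."""
import re
from urllib.parse import urlsplit
RAW_IOCS = """
SENDERS OBSERVED
q@rodobimba [.]com
MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub
MALDOC DISTRIBUTION URLS
https://kabimmo [.]com/seclusion [.]php
HANCITOR PAYLOAD FILE HASH
MsMp [.]dll
8ee94ecdec0de4f4e60e589dae57dbdb
HANCITOR C2
http://undereasus [.]ru/8/forum [.]php
"""
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SUBJECT_RE = re.compile(r"^You (?:got|received) (?:invoice|notification) from DocuSign\b")  # shape of every listed subject
CHECKIN_RE = re.compile(r"^/\d+/forum\.php$")  # Hancitor check-in path; the page's C2 URLs all use /8/forum.php
FULL_URL_SECTIONS = {"MALDOC LANDING PAGE URLS"}  # shared host (docs.google.com): match the full URL, never the host

def refang(s):  # undo the page's defanging: " [.]" or "[.]" -> "."
    return re.sub(r"\s*\[\.\]\s*", ".", s.strip())

def parse_iocs(text):
    """Map each all-caps heading to the refanged values listed under it."""
    iocs, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.isupper():
            section = line
            iocs.setdefault(section, [])
        elif line and section:
            iocs[section].append(refang(line))
    return iocs

def extract_sets(iocs):
    """Derive match sets: hosts, full landing URLs, senders, MD5s, payload filenames."""
    domains, urls, senders, hashes, filenames = set(), set(), set(), set(), set()
    for section, values in iocs.items():
        for v in (x.lower() for x in values):
            if MD5_RE.match(v):
                hashes.add(v)
            elif "FILE HASH" in section:  # filename label printed above its hash, not a host
                filenames.add(v)
            elif section in FULL_URL_SECTIONS:
                urls.add(v)
            elif "@" in v:
                senders.add(v)
                domains.add(v.split("@", 1)[1])
            elif "://" in v:
                domains.add(urlsplit(v).hostname)
            elif "." in v and "/" not in v:  # bare domain line; subjects and &BUILD= fall through
                domains.add(v)
    return domains, urls, senders, hashes, filenames

SAMPLE_PROXY_LOG = [  # constructed "<client> <method> <url>" lines, not captured traffic
    "10.0.0.5 GET https://docs.google.com/document/d/e/2PACX-1vQ0IB4AW49Yrh1G0r4szTjX9iWYRWes1WK8Ko1_AARZOY7dxI4we4AcKX34EIHduxYN8AZhtcVuR5DI/pub",
    "10.0.0.5 GET https://kabimmo.com/seclusion.php",
    "10.0.0.5 POST http://undereasus.ru/8/forum.php",
    "10.0.0.7 GET https://docs.google.com/document/d/1benign-shared-doc/edit",
]
SAMPLE_MAIL = [  # constructed messages
    {"from": "q@rodobimba.com", "subject": "You got invoice from DocuSign Electronic Service"},
    {"from": "newuser@rodobimba.com", "subject": "You received notification from DocuSign Service"},
]

def scan_proxy_log(lines, domains, urls):
    """(client, reason, host) per listed host, listed landing URL, or check-in-shaped POST."""
    hits = []
    for line in lines:
        client, method, url = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if host in domains:
            hits.append((client, "ioc-host", host))
        if url.lower() in urls:
            hits.append((client, "ioc-landing-url", host))
        if method == "POST" and CHECKIN_RE.match(urlsplit(url).path):
            hits.append((client, "hancitor-checkin-shape", host))
    return hits

def scan_mail(messages, senders, domains):
    """(sender, reasons) for a listed sender, a listed sender domain, or a lure-shaped subject."""
    hits = []
    for m in messages:
        sender, reasons = m["from"].lower(), []
        if sender in senders:
            reasons.append("ioc-sender")
        elif sender.rpartition("@")[2] in domains:
            reasons.append("ioc-sender-domain")
        if SUBJECT_RE.match(m["subject"]):
            reasons.append("docusign-lure-subject")
        if reasons:
            hits.append((sender, reasons))
    return hits

if __name__ == "__main__":
    d, u, s, _, _ = extract_sets(parse_iocs(RAW_IOCS))
    print(*scan_proxy_log(SAMPLE_PROXY_LOG, d, u), *scan_mail(SAMPLE_MAIL, s, d), sep="\n")
```

Running it flags the landing-page fetch by full URL while leaving the benign docs.google.com request alone, flags the distribution and C2 hosts, and flags the POST to /8/forum.php a second time on path shape alone, which is the signal that survives when the actor rotates C2 domains. To use it on the whole page, paste the full lists into RAW_IOCS; the payload filenames (MsMp.dll, 6jhu8yhd.exe) land in the filenames set rather than the host set because they sit under the FILE HASH headings.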