Credits: Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
3@servicei[.]com
info@icartservice[.]com
support@myicart[.]com
usa@servicei[.]com

SUBJECTS
Do you want to extend your free trial ############?
Free period for ############ is almost over.
Your free period ############ is about to end!
Your free period ############ is almost over!
Your free period ############ is about to end!
Your free period ############ is almost over!
Your free trial ############ is about to end!
Your free trial period ############ is almost over!

LURE PHONE NUMBERS
1 (901) 584 0490
1 (213) 401 9021

MALDOC LANDING PAGE DOMAINS

MALDOC DOWNLOAD URLS

MALDOC (XLSB) FILE HASHES

PAYLOAD DOWNLOAD URLS
http://board3[.]xyz/campo/d/d1
http://board3[.]xyz/uploads/files/rldr[.]10[.]4[.]exe

PAYLOAD FILE HASHES
rldr[.]10[.]4[.]exe  81e6dcf2510ffc2400743e912448013f
renamed to: MRXBA3F[.]exe  81e6dcf2510ffc2400743e912448013f

ADDITIONAL TRAFFIC
mRXBA3F[.]exe calls out to: https://34[.]212[.]193[.]150

ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN
r104[.]exe  d2749c21fa8671e75cd147380ff110e0
ret4[.]exe  9b224a8a1e6e5897e47fee0eb1e21766
1616183460  91ee2afefdf066eae3aead061a8075ed
THREAT IDENTIFICATION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGE URLS

MALDOC DISTRIBUTION URLS

HANCITOR MALDOC FILE HASHES
Unknown

HANCITOR PAYLOAD FILE HASH
Unknown

HANCITOR C2
http://cilidobas[.]com/8/forum[.]php
http://onvoursmo[.]ru/8/forum[.]php
http://bilematicdu[.]ru/8/forum[.]php

FICKER STEALER PAYLOAD URLS
http://pipopetfiu[.]ru/6gdj9oidfg[.]exe

FICKER STEALER FILE HASH
Unknown

FICKER STEALER C2
http://sweyblidian[.]com