Threat Intelligence – Bazarcall & Hancitor Latest IOCs

0
Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION:  BAZARCALL
 SENDER EMAILS
 3@servicei [.]com
 info@icartservice [.]com
 support@myicart [.]com
 usa@servicei [.]com
 SUBJECTS
 Do you want to extend your free trial ############?
 Free period for ############ is almost over [.]
 Your free period ############ is about to end!
 Your free period ############ is almost over!
 Your free period ############ is about to end!
 Your free period ############ is almost over!
 Your free trial ############ is about to end!
 Your free trial period ############ is almost over!
 LURE PHONE NUMBER
 1 (901) 584 0490
 1 (213) 401 9021
 MALDOC LANDING PAGE DOMAINS
 buyimers [.]us
 geticart [.]us
 getmers [.]us
 gobcs [.]us
 goimed [.]us
 MALDOC DOWNLOAD URLS
 https://getmerss [.]xyz/unsubscribe [.]html
 https://goibcs [.]xyz/unsubscribe [.]html
 https://getlcart [.]xyz/unsubscribe [.]html
 https://igomed [.]xyz/unsubscribe [.]html
 https://buylmers [.]xyz/unsubscribe [.]html
 buylmers [.]xyz
 geticart [.]xyz
 getmerss [.]xyz
 goibcs [.]xyz
 igomed [.]xyz
 MALDOC (XLSB) FILE HASHES
 11cc65a8c350b91de6ea341eaeefa3de
 8255c1e595a30ae5cb4f047423043c13
 91edbc51a4e25ca3354a82d229828c87
 9cb09ce52055479aae79ba3c6a3d21fd
 f5d9155a56cdbdf8a421e5bf106915b2
 PAYLOAD DOWNLOAD URLS
 http://board3 [.]xyz/campo/d/d1
 http://board3 [.]xyz/uploads/files/rldr [.]10 [.]4 [.]exe
 PAYLOAD FILE HASHES
 rldr [.]10 [.]4 [.]exe
 81e6dcf2510ffc2400743e912448013f
 renamed to:
 MRXBA3F [.]exe
 81e6dcf2510ffc2400743e912448013f
 ADDITIONAL TRAFFIC
 mRXBA3F [.]exe calls out to:
 https://34 [.]212 [.]193 [.]150
 ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN
 r104 [.]exe
 d2749c21fa8671e75cd147380ff110e0
 ret4 [.]exe
 9b224a8a1e6e5897e47fee0eb1e21766
 1616183460
 91ee2afefdf066eae3aead061a8075ed
Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION:  HANCITOR
 SUBJECTS OBSERVED
 You got invoice from DocuSign Electronic Service 
 You got invoice from DocuSign Electronic Signature Service 
 You got invoice from DocuSign Service 
 You got invoice from DocuSign Signature Service 
 You received invoice from DocuSign Electronic Service 
 You received invoice from DocuSign Service 
 You received notification from DocuSign Electronic Signature Service 
 You received notification from DocuSign Signature Service 
 SENDERS OBSERVED
 dgacgsq@drivewayflags [.]com
 lleq@drivewayflags [.]com
 lybpmx@drivewayflags [.]com
 p@drivewayflags [.]com
 pymoqio@drivewayflags [.]com
 rivheod@drivewayflags [.]com
 uafeoun@drivewayflags [.]com
 zavo@drivewayflags [.]com
 MALDOC LANDING PAGE URLS
 https://docs [.]google [.]com/document/d/e/2PACX-1vQ2ppWe--iSJ3VEepl33K3vEYx0gXf_Vkz3idvlRX-ldhzzIvZmDQtJk9yfG-UWU57uTVYnRhpq79mr/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vQq9436z3PaO3ndtW5pGcIm1YikMciJe3N_ubr_syEz4aAvni4vErDDVYfKzsjhUI-GebIn__P15VhJ/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vRK7cgPdCcaipphRW5W-cpwwdg0zjbdGPE7G5movv0OjLBdlHsvIB5gpvew1hRfk8nw4Ny3zr_akv1G/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSAFHJAKO7WKmMnN7jvLOmTtWe8gM2SxQ9z4geBfdSb7hlCU95JVd_-rg2qnS-_qu0StKoK_PJrAfII/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vScYVQddX7qBiZz6jcwdQnj-ID10gVbO_ZPv4Gie_zjo13YbWOvFueYiYouEQ-W2GhU5L9Ig2ZUFhPa/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSD-I9R60TDGfvJ4K7sTLZF1h2h1vV0xUYh4QCCRlVzMc1yHTakTW4ulE4DNjDH-LoB8kweitIJVlrP/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vSTw3jgBO8aOSTzwKQectTvkOpITY5drKQIMY_pHUhRpMdvpWs_APbxXDXaMEiuhLUrSdC-1r6_8-NJ/pub
 https://docs [.]google [.]com/document/d/e/2PACX-1vTHkVlb-r3k5ObTZZ_wW1Y2lq9TQbE-0aC-tEmmUv6i6hWBN1u8m6XH7iDnV2C0sV2KtWIPcMHUkgEw/pub
 MALDOC DISTRIBUTION URLS
 http://tlfthelifefactory [.]com [.]au/foxglove [.]php
 https://iriti [.]net/crap [.]php
 https://iriti [.]net/newuser [.]php
 https://koonol [.]mx/yestereve [.]php
 https://loyalty [.]kkcoaches [.]co [.]ug/prosperous [.]php
 https://pharmaciebougieba [.]org/stypsis [.]php
 https://silverwhipmedia [.]com/ethernet [.]php
 https://silverwhipmedia [.]com/phonorecord [.]php
 iriti [.]net
 koonol [.]mx
 loyalty [.]kkcoaches [.]co [.]ug
 pharmaciebougieba [.]org
 silverwhipmedia [.]com
 tlfthelifefactory [.]com [.]au
 HANCITOR MALDOC FILE HASHES
 Unknown
 HANCITOR PAYLOAD FILE HASH
 Unknown
 HANCITOR C2
 http://cilidobas [.]com/8/forum [.]php
 http://onvoursmo [.]ru/8/forum [.]php
 http://bilematicdu [.]ru/8/forum [.]php
 FICKER STEALER PAYLOAD URLS
 http://pipopetfiu [.]ru/6gdj9oidfg [.]exe
 FICKER STEALER FILE HASH
 Unknown
 FICKER STEALER C2
 http://sweyblidian [.]com
Previous articleThreat Intelligence – Bazarcall / Bazar Loader Malware Latest IOCs
Next articleURL Forward – Prevention and Detection of Malicious Forwards
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here