Threat Intelligence – HANCITOR Malware Latest IOCs

0

Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing emails embedded with malicious links and weaponized Microsoft Office document contains malicious macro in it. As observed, Below are the latest indicators of compromise.

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD
BUILD: 3003_verio

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
anxyhqi@skidsteersnowtires [.]com
cli@skidsteersnowtires [.]com
ddowigy@skidsteersnowtires [.]com
eeoybot@skidsteersnowtires [.]com
eogof@skidsteersnowtires [.]com
gtsiyf@skidsteersnowtires [.]com
lycsfiz@skidsteersnowtires [.]com
mar@skidsteersnowtires [.]com
mwouhaf@skidsteersnowtires [.]com
tilegp@skidsteersnowtires [.]com
tiz@skidsteersnowtires [.]com
uaqoye@skidsteersnowtires [.]com
uviqexo@skidsteersnowtires [.]com
vnctuj@skidsteersnowtires [.]com
voiutyy@skidsteersnowtires [.]com
yfefwua@skidsteersnowtires [.]com

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQV1Y7N0-q-0vCctsRjOdqtJ2d8YChDHAdY4HqHjIkrpVMSuuOFHQub6GHNacx74GC-lljtyw-VHMF0/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR2le5OY6eitMTv7OV1eLn4–MYdrdJ0SRvjR40Mn4hyK2BMWWiGSh67_cD0GsBRGes3ipUBNlZdTjR/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRAgFOqsHYGVq7BZ-cm5gtcK_Gh5rGzd5vJvVloYtI5XeZGV1EgHAVlRmjS7JlO_CuFdZ10TbQjUJBV/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSKhMosGJRhAx6nPKG1CxRA5OqFCouT4mAn581iigdj6E0kW5E7pkDM7rzgT4lHSD2w4pbfIDgqO16u/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSllYUcuuUT4iqwFmWWSBAi4ZnCIJfd_I7MpP8pN7_D_kvyVtrFaSRUUStKL19a4N8XVHOboTo2p1S4/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSRfbQEHuTyQW0eqqmAmeC8gNg8L9WUju07_rv4tHRn-eNfCzflVELccrZKo1Vs0h9BlE5HECXJLzrK/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSSt6CrA6bUtz5gwU3mv6B8tCak80azHhLnd6dMsM_XVaxj7q13YfnYOikhuYuhOm2m29tG6se7t5PG/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vT4DehaB_ZFCPUCo6FPTyk0AwDNQHkO55-zrMUMiTCP9S3WYEuXa4E7qklLSmx0aT3kuGKV7EhibYF1/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTCL_qjggEFoZ4wzusYvmPLV_mrOXN0FYiKApb3644JPU8Ivd5wKWf1p7nfb8u6GvDiMWZ2XDABkYHQ/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTi15ayB8KwOrXxIaCUH1d03KK9-aUl7SRrqsLRzUmkoQydto93KgEMKBC8mqc2GDxUwJKb7GLERXyh/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vToBxyjYpZycUcRkK7RAHru3il-bWv7vaLAK_102cOZPv3Ff8pqbwda0pZQK8S2apVVvW-puhjQzLd3/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTOPtRbRsBAmqOcP8PdkQ6TmvxMCD-AHEqSL76R7uk-c9TRHWajt-e_iYQ2iQ1LtG36wjH7ZkvinoNB/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTqyJd8ZQl6kbLiiqbI-jsAQNUJBccElVWHzJBxIy7Mo11lUqD-bemTtPGfGjeGDOvReqs7IMX_VwBd/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTslVGTV3rPJYFKSK2ulbm3mnGbSU1xUy02AwSWY9Qu_XzZeoCSMdJu63rmyQXH8hEFxissf_Yd6qiN/pub

MALDOC DISTRIBUTION URLS
http://tlfthelifefactory [.]com [.]au/fee [.]php
http://www [.]capitallifesyariah [.]co [.]id/replay [.]php
https://capasa [.]com [.]my/cycle [.]php
https://koonol [.]mx/personably [.]php
https://lt [.]app [.]krazyit [.]com [.]au/egor [.]php
https://moradaimoveisjab [.]com [.]br/cranky [.]php
https://pharmaciebougieba [.]org/gel [.]php
https://uberum [.]ro/anoint [.]php
https://uniquewebservice [.]com/wail [.]php

capasa [.]com [.]my
capitallifesyariah [.]co [.]id
koonol [.]mx
krazyit [.]com [.]au
moradaimoveisjab [.]com [.]br
pharmaciebougieba [.]org
tlfthelifefactory [.]com [.]au
uberum [.]ro
uniquewebservice [.]com

HANCITOR MALDOC FILE HASHES
3448cc288fca67901056db4fa75d65c5
570ea5f20ea57233801e4d8c5fbcf472
79f7b1808de6aa49e4775799b0203329
7ca22c035af153396354116cb1db11df
e16b4f91101a452b9a2c5eceb8985cec
fa3799eabf27a6c2c7834f48e5134088
ff0131c3bad0b18758a03950179220e0

HANCITOR PAYLOAD FILE HASH
Runtime [.]dll
c1e73a655d6cb7e796d2e490d03714c5

HANCITOR C2
http://stionicksilid [.]com/8/forum [.]php
http://succupenous [.]ru/8/forum [.]php
http://cappiasstising [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URLS
http://q17ar45 [.]ru/689uksdffs [.]exe

FICKER STEALER FILE HASH
689uksdffs [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com

COBALT STRIKE PAYLOAD URLS
http://q17ar45 [.]ru/3003 [.]bin
http://q17ar45 [.]ru/3003s [.]bin

COBALT STRIKE FILE HASHES
3003 [.]bin
02dadaeecc3d8ba4e8b59ca4d27b54c6

3003s [.]bin
62a46578b147897724e7e808918994e2

COBALT STRIKE C2/ADDITIONAL TRAFFIC
http://139 [.]60 [.]161 [.]50/Hsp1
http://139 [.]60 [.]161 [.]50/load

Previous articleThreat Intelligence – Bazarcall Malware Latest IOCs
Next articleThreat Intelligence – Bazarcall / Bazar Loader Malware Latest IOCs
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here