Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering, mainly phishing emails that embed malicious links or weaponized Microsoft Office documents containing a malicious macro. The latest observed indicators of compromise are listed below.
Credits: Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: HANCITOR
HANCITOR BUILD
BUILD: 3003_verio
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
MALDOC LANDING PAGE URLS
MALDOC DISTRIBUTION URLS
HANCITOR MALDOC FILE HASHES
HANCITOR PAYLOAD FILE HASH
Runtime [.]dll
c1e73a655d6cb7e796d2e490d03714c5
HANCITOR C2
http://stionicksilid [.]com/8/forum [.]php
http://succupenous [.]ru/8/forum [.]php
http://cappiasstising [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URLS
http://q17ar45 [.]ru/689uksdffs [.]exe
FICKER STEALER FILE HASH
689uksdffs [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
COBALT STRIKE PAYLOAD URLS
http://q17ar45 [.]ru/3003 [.]bin
http://q17ar45 [.]ru/3003s [.]bin
COBALT STRIKE FILE HASHES
3003 [.]bin
02dadaeecc3d8ba4e8b59ca4d27b54c6
3003s [.]bin
62a46578b147897724e7e808918994e2
COBALT STRIKE C2/ADDITIONAL TRAFFIC
http://139 [.]60 [.]161 [.]50/Hsp1
http://139 [.]60 [.]161 [.]50/load