Threat Intelligence – Hancitor Malware Latest IOCs


Credits: Research by ExecuteMalware

Indicators of compromise

THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD NUMBER
&BUILD=1404_cms3

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
amxbite@1aaaoftexas [.]com
begtak@1aaaoftexas [.]com
bu@1aaaoftexas [.]com
e@1aaaoftexas [.]com
eviykus@1aaaoftexas [.]com
ewh@1aaaoftexas [.]com
fgeejw@1aaaoftexas [.]com
fygux@1aaaoftexas [.]com
gotdu@1aaaoftexas [.]com
gvuwva@1aaaoftexas [.]com
hekqat@1aaaoftexas [.]com
huu@1aaaoftexas [.]com
j@1aaaoftexas [.]com
jju@1aaaoftexas [.]com
kozry@1aaaoftexas [.]com
lohpa@1aaaoftexas [.]com
ltclyc@1aaaoftexas [.]com
mjtvuub@1aaaoftexas [.]com
mzampui@1aaaoftexas [.]com
n@1aaaoftexas [.]com
nietoje@1aaaoftexas [.]com
nogea@1aaaoftexas [.]com
nyjodok@1aaaoftexas [.]com
o@1aaaoftexas [.]com
p@1aaaoftexas [.]com
pfomuin@1aaaoftexas [.]com
psablai@1aaaoftexas [.]com
pyypxom@1aaaoftexas [.]com
qeade@1aaaoftexas [.]com
qeokpx@1aaaoftexas [.]com
ri@1aaaoftexas [.]com
sikyfo@1aaaoftexas [.]com
spkymyz@1aaaoftexas [.]com
uosyiim@1aaaoftexas [.]com
uudayql@1aaaoftexas [.]com
v@1aaaoftexas [.]com
vagocu@1aaaoftexas [.]com
vubjxhe@1aaaoftexas [.]com
xqicenn@1aaaoftexas [.]com
xupocus@1aaaoftexas [.]com
yxuoeqh@1aaaoftexas [.]com
zitihyv@1aaaoftexas [.]com
zx@1aaaoftexas [.]com

MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ-224H9A6iDAQ6U-l03Itt3SvGJ393W3UZnUo84oGuRyI9VDDSRv8Jqjadj0_xeXjhUJX1xdBdwZiv/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQiXIwZq6O-2mqxpqYhZDhKlJJV97yBKo73IgwIrUkC3YJ1rLAQOgkVz5FNfacYRRw1RoOFjeF7O42R/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQqCOQq2I-op4sQ-v71x0GPo_g8D68cB2nLa-7iFP_ef6QFKOl_lURZaX26kE71nMETKNsrTNg41-mg/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQTJGF_WMM2rr4Ix_8zAqlXQSOwIWsW5i8pJkwRUQ1_gvteHKzzhhYLcaQq6c1XDPr296DKRggA1MPr/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQyaQ9UBucuBhoOwDdv4zMc56MBN3QIybWotravTPfuB9e_BiQvcs2t9ek1fpLaXUyqw8yR3i59r7rb/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR2p_LXhFiLmbvMlVvvkpENTyzTnHNZy9v95P9AGp0aa_rEuXFYunqYdR96dGRrpiPivdpLEt9i9Wez/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR6iFZpo_hum1YnN1J0_Pl2D3FFA-TB94Hm6DPy1eKC4aJEcp_AurcquA-Ajr1MpbgBeE0J-kTBojyH/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR71RnzzketwEfW9Zue4V1y1RsE7brU6B0_DGjzWvVgw8V2Lwfc8SeOz8L5uI8h5ZTmFzUnv7HwDSo9/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRGNG8LoZZ2_X62k5bZTslZ53xjit7BNQnSaklEBLA0UVXp8qWS7Ts8oNJyOK1Lf4lUyeg7awK7cQqf/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRhg3gW_JTA57qulB791mavWthd9iNgl7t-HNco2Ecw5XbE45KZya3UixDnEFjUaRGKlaeUwAfJRu1d/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRkusDQTwwkAoNZW9QudDYX9MyXhRV9DkutqS3Y84nD1B2MFxu8hU5pTz4Z6mlyhsiHM2DT1OHnq36A/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMIB1sttREz2KvN-R-1x5vrEr9k6WVCSaaWDOhxogQQTNWlWEI8VNNU_yti_UtL3cXIwt-uTZb59S_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMZaziwudwRZYeaANdYES293p_T2e4ov3ug8cfw1VHKt8bfCuZLnG4zxLCbOdaiUDX1QHNxj_tysRY/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRnNp2lfALCZs6iRZx_nCNrRfaFES7Kh_fCxD1mSrjpukhD3hslGSnSRnW76b7aiuYhqGKVoiJLYTAP/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRsM4dmcGR3H4JQP_tsOAWJFb9Ve26gokFx6oy-gl1W_DdxZMsszEirAUEijF2DiR9DskIuAfUlTSVa/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRUzSaJL3XlseYzQ63NwOXFyV7IOq_RHeswm93MRDBgmuR6R2VZeSP_f5-rnTOVY-q9O1RJ_Mfn-qB7/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSdKkvy22cOYiCGIwvp4df0rNoPvHnKRtiA2isNMQ1pOMzy5iH5v_8vrbNzbQFgu5TDh6S-M7QrJu98/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSgex8_vX-681ByTpjhpA_-yXkYu1FW3aiibkSLThyStLge9b0wz30-W0lhVUowCYN3nPRK-xzW24uc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSwJaRlXz2WZAM0NkMpiN3QmBOUi78Uxn-no2X4oQkgwF2Oy7twgOsSdM7JqA_vSZ6sAc3JOSnYu6Xc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSZs-QkOj-4-ItQ5ca3208-EU4IEuy6_j0P9omwb2RPH1pbLdaLVwM5HkBrw1FzP2qkEDVV0qBZRfRE/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSzwnAaqGk9A0xjUcnF7BDylSrreBqpekwR53_QNEaUpZRf94kwKCqf5Yxh7bgd6FycsV8c4CRvGuso/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTavxc7NWrBJcldmMvsiA9obUhd8dBLPKSS3fKAWYFFoGd4m8XA9dGbOnbxPb-n6XYh_R_sUmIfyjHp/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTDBAHr0CwfmYca9m-w0gxuVxXvrHRRiUb_MH7vxfN1lHsyaOtOyAlqr4eW1TWjYfF3UyxIGicl39N_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTIvRH5DQv2UZjyfFcucJHhrbhCVCX311_1dvv4PMOTrgAKZe_SkadR3EDfYEWRpaFaXMwjJg-LJ-AB/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTKJU-kDUo2CEx3IUIw_k-3tHfx1LDUZIRa7edF2wrMc5IEulqBe_uQzg34ir5YJJqD0OziimIeIiZD/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTMn7m538M-Qw07_R24RizjPtkMRRJcTh09OsV-YMjzQ2iQwc_MFUylxNSvt4AGRfqkj2dwOaS7zXHU/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTnDIwoEtUVlS9BXCnG6HbRxdN9PHkYeGETWjabtpP2ADwxTQXSdvNEDkrdVCXgZ-McY1axdzTnit-W/pub

MALDOC DISTRIBUTION URLS
http://3 [.]133 [.]244 [.]105/sedentariness [.]php
http://somdeeppalace [.]com/comer [.]php
https://aarambhaad [.]com [.]np/anointment [.]php
https://citricadvertising [.]com/purgation [.]php
https://citricadvertising [.]com/snuffbox [.]php
https://impactmarketingservice [.]in/fuchsine [.]php
https://impactmarketingservice [.]in/whipsaw [.]php
https://itco [.]pe/shelly [.]php
https://merinocraft [.]ro/tearing [.]php
https://merinocraft [.]ro/unbroken [.]php
https://natural-healing-central [.]com/factorization [.]php
https://www [.]educacionvirtualavanzada [.]mx/inexact [.]php
https://xtracomsolutions [.]com/indispensable [.]php

aarambhaad [.]com [.]np
citricadvertising [.]com
impactmarketingservice [.]in
itco [.]pe
merinocraft [.]ro
natural-healing-central [.]com
somdeeppalace [.]com
educacionvirtualavanzada [.]mx
xtracomsolutions [.]com

HANCITOR MALDOC FILE HASHES (MD5)
1193060c6c356ad35f3f1b778875f4de
19ecb07f51990d8392d06d7ed6f14c0b
2ab27e26b3643139a9d8cb99ba60738d
2ac587024def64ac26a7cf94e5741644
47a7996165733631a1f5b269e39bbd09
5edba41a1dd5184586b1251670bf19dc
60201a46d43c5da51c6ae5aa0329439d
c1f0fecc46b150bbf46e03134b5454d1
c8a7735dcc286e70031983c5bb419f0b

HANCITOR PAYLOAD FILE HASH (MD5)
edge [.]dll
e5cf2f65aeb1ff4d8e40b0e73860cb75

HANCITOR C2
http://dingulbolies [.]com/8/forum [.]php
http://culadinces [.]ru/8/forum [.]php
http://coliessrass [.]ru/8/forum [.]php

FICKER STEALER PAYLOAD URL
http://qm30098 [.]ru/6jkiojdfssd [.]exe

FICKER STEALER FILE HASH (MD5)
6jkiojdfssd [.]exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian [.]com
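The script below is an added hunting example; it is not part of the original post or of ExecuteMalware's research. It refangs the indicators listed above, generalises the fifteen observed subjects into one pattern, classifies a requested URL by campaign stage (landing page, maldoc distribution host, Hancitor C2, Ficker Stealer) and runs the checks over a few constructed mail-log and proxy-log lines. The log line formats, the stage labels and the function names are assumptions made for illustration, not anything the post defines.

```python
"""Hunt for the Hancitor / Ficker Stealer indicators above (added example, constructed logs)."""
import re
from typing import List, Optional

# Indicators copied from the lists above, still defanged the way the post writes them.
SENDER_DOMAIN = "1aaaoftexas [.]com"
C2_URLS = [
    "http://dingulbolies [.]com/8/forum [.]php",
    "http://culadinces [.]ru/8/forum [.]php",
    "http://coliessrass [.]ru/8/forum [.]php",
]
DISTRIBUTION_HOSTS = [
    "3 [.]133 [.]244 [.]105", "somdeeppalace [.]com", "aarambhaad [.]com [.]np",
    "citricadvertising [.]com", "impactmarketingservice [.]in", "itco [.]pe",
    "merinocraft [.]ro", "natural-healing-central [.]com",
    "educacionvirtualavanzada [.]mx", "xtracomsolutions [.]com",
]
FICKER_PAYLOAD_URL = "http://qm30098 [.]ru/6jkiojdfssd [.]exe"
FICKER_C2 = "http://sweyblidian [.]com"
# Two of the published Google Docs (/d/e/.../pub) listed above. They are matched exactly:
# matching every published Google Doc generically would be far too noisy.
LANDING_PAGES = [
    "https://docs [.]google [.]com/document/d/e/2PACX-1vQ-224H9A6iDAQ6U-l03Itt3SvGJ393W3UZnUo84oGuRyI9VDDSRv8Jqjadj0_xeXjhUJX1xdBdwZiv/pub",
    "https://docs [.]google [.]com/document/d/e/2PACX-1vTnDIwoEtUVlS9BXCnG6HbRxdN9PHkYeGETWjabtpP2ADwxTQXSdvNEDkrdVCXgZ-McY1axdzTnit-W/pub",
]
KNOWN_MD5 = {
    "1193060c6c356ad35f3f1b778875f4de": "hancitor-maldoc",
    "c8a7735dcc286e70031983c5bb419f0b": "hancitor-maldoc",
    "e5cf2f65aeb1ff4d8e40b0e73860cb75": "hancitor-payload edge.dll",
    "77be0dd6570301acac3634801676b5d7": "ficker-stealer 6jkiojdfssd.exe",
}
# Generalisation of the fifteen subjects observed: the verb, the noun and the optional
# "Electronic" / "Signature" qualifiers vary, everything else is fixed.
SUBJECT_RE = re.compile(
    r"^You (?:got|received) (?:invoice|notification) from DocuSign"
    r"(?: Electronic)?(?: Signature)? Service$"
)


def refang(ioc: str) -> str:
    """Undo the post's defanging so an indicator can be compared with real log data."""
    return ioc.replace(" [.]", ".").replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL (scheme and path stripped)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].lower()


C2_HOSTS = {host_of(refang(u)) for u in C2_URLS}
DIST_HOSTS = {refang(h).lower() for h in DISTRIBUTION_HOSTS}
LANDING_URLS = {refang(u) for u in LANDING_PAGES}
FICKER_HOSTS = {host_of(refang(FICKER_PAYLOAD_URL)), host_of(refang(FICKER_C2))}


def classify_url(url: str) -> Optional[str]:
    """Campaign stage a requested URL belongs to, or None. Hosts are matched, not full
    paths, because the distribution and C2 paths vary while the hosts persist."""
    host = host_of(url)
    if url in LANDING_URLS:
        return "maldoc-landing-page"
    if host in DIST_HOSTS:
        return "maldoc-distribution"
    if host in C2_HOSTS:
        return "hancitor-c2"
    if host in FICKER_HOSTS:
        return "ficker-stealer"
    return None


def classify_mail(sender: str, subject: str) -> List[str]:
    """Reasons a message matches the campaign; an empty list means no match."""
    reasons = []
    if sender.lower().rsplit("@", 1)[-1] == refang(SENDER_DOMAIN):
        reasons.append("sender-domain")
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject-pattern")
    return reasons


def classify_hash(md5: str) -> Optional[str]:
    """Label for a known MD5, case-insensitive, or None."""
    return KNOWN_MD5.get(md5.lower())


# Constructed log formats (assumptions): from=<addr> subject="<text>" and <client> <method> <url>
MAIL_LINE = re.compile(r'from=(\S+) subject="([^"]*)"')
SAMPLE_MAIL_LOG = [
    'from=kozry@1aaaoftexas.com subject="You got invoice from DocuSign Electronic Service"',
    'from=alice@example.com subject="Q3 budget"',
    'from=bob@example.com subject="You received notification from DocuSign Service"',
]
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://dingulbolies.com/8/forum.php",
    "10.0.0.7 GET " + refang(LANDING_PAGES[0]),
    "10.0.0.9 GET https://www.example.com/",
]


def hunt_mail_log(lines) -> List[tuple]:
    """(line number, reasons) for every mail-log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = MAIL_LINE.search(line)
        if m and classify_mail(*m.groups()):
            hits.append((n, classify_mail(*m.groups())))
    return hits


def hunt_proxy_log(lines) -> List[tuple]:
    """(line number, stage) for every proxy-log line whose URL matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        stage = classify_url(parts[2]) if len(parts) >= 3 else None
        if stage:
            hits.append((n, stage))
    return hits


if __name__ == "__main__":
    print(hunt_mail_log(SAMPLE_MAIL_LOG))
    print(hunt_proxy_log(SAMPLE_PROXY_LOG))
```

A subject-only hit (line 3 of the constructed mail log) is weaker than a sender-domain hit: the subject pattern is what this campaign used, but a lookalike mail from another domain deserves a look rather than an automatic block, so the two reasons are reported separately.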

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
