Credits: Research by ExecuteMalware
Indicators of compromise
THREAT IDENTIFICATION: HANCITOR
HANCITOR BUILD NUMBER
&BUILD=1404_cms3
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
amxbite@1aaaoftexas [.]com
begtak@1aaaoftexas [.]com
bu@1aaaoftexas [.]com
e@1aaaoftexas [.]com
eviykus@1aaaoftexas [.]com
ewh@1aaaoftexas [.]com
fgeejw@1aaaoftexas [.]com
fygux@1aaaoftexas [.]com
gotdu@1aaaoftexas [.]com
gvuwva@1aaaoftexas [.]com
hekqat@1aaaoftexas [.]com
huu@1aaaoftexas [.]com
j@1aaaoftexas [.]com
jju@1aaaoftexas [.]com
kozry@1aaaoftexas [.]com
lohpa@1aaaoftexas [.]com
ltclyc@1aaaoftexas [.]com
mjtvuub@1aaaoftexas [.]com
mzampui@1aaaoftexas [.]com
n@1aaaoftexas [.]com
nietoje@1aaaoftexas [.]com
nogea@1aaaoftexas [.]com
nyjodok@1aaaoftexas [.]com
o@1aaaoftexas [.]com
p@1aaaoftexas [.]com
pfomuin@1aaaoftexas [.]com
psablai@1aaaoftexas [.]com
pyypxom@1aaaoftexas [.]com
qeade@1aaaoftexas [.]com
qeokpx@1aaaoftexas [.]com
ri@1aaaoftexas [.]com
sikyfo@1aaaoftexas [.]com
spkymyz@1aaaoftexas [.]com
uosyiim@1aaaoftexas [.]com
uudayql@1aaaoftexas [.]com
v@1aaaoftexas [.]com
vagocu@1aaaoftexas [.]com
vubjxhe@1aaaoftexas [.]com
xqicenn@1aaaoftexas [.]com
xupocus@1aaaoftexas [.]com
yxuoeqh@1aaaoftexas [.]com
zitihyv@1aaaoftexas [.]com
zx@1aaaoftexas [.]com
MALDOC LANDING PAGE URLS
https://docs [.]google [.]com/document/d/e/2PACX-1vQ-224H9A6iDAQ6U-l03Itt3SvGJ393W3UZnUo84oGuRyI9VDDSRv8Jqjadj0_xeXjhUJX1xdBdwZiv/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQiXIwZq6O-2mqxpqYhZDhKlJJV97yBKo73IgwIrUkC3YJ1rLAQOgkVz5FNfacYRRw1RoOFjeF7O42R/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQqCOQq2I-op4sQ-v71x0GPo_g8D68cB2nLa-7iFP_ef6QFKOl_lURZaX26kE71nMETKNsrTNg41-mg/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQTJGF_WMM2rr4Ix_8zAqlXQSOwIWsW5i8pJkwRUQ1_gvteHKzzhhYLcaQq6c1XDPr296DKRggA1MPr/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vQyaQ9UBucuBhoOwDdv4zMc56MBN3QIybWotravTPfuB9e_BiQvcs2t9ek1fpLaXUyqw8yR3i59r7rb/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR2p_LXhFiLmbvMlVvvkpENTyzTnHNZy9v95P9AGp0aa_rEuXFYunqYdR96dGRrpiPivdpLEt9i9Wez/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR6iFZpo_hum1YnN1J0_Pl2D3FFA-TB94Hm6DPy1eKC4aJEcp_AurcquA-Ajr1MpbgBeE0J-kTBojyH/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vR71RnzzketwEfW9Zue4V1y1RsE7brU6B0_DGjzWvVgw8V2Lwfc8SeOz8L5uI8h5ZTmFzUnv7HwDSo9/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRGNG8LoZZ2_X62k5bZTslZ53xjit7BNQnSaklEBLA0UVXp8qWS7Ts8oNJyOK1Lf4lUyeg7awK7cQqf/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRhg3gW_JTA57qulB791mavWthd9iNgl7t-HNco2Ecw5XbE45KZya3UixDnEFjUaRGKlaeUwAfJRu1d/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRkusDQTwwkAoNZW9QudDYX9MyXhRV9DkutqS3Y84nD1B2MFxu8hU5pTz4Z6mlyhsiHM2DT1OHnq36A/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMIB1sttREz2KvN-R-1x5vrEr9k6WVCSaaWDOhxogQQTNWlWEI8VNNU_yti_UtL3cXIwt-uTZb59S_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRMZaziwudwRZYeaANdYES293p_T2e4ov3ug8cfw1VHKt8bfCuZLnG4zxLCbOdaiUDX1QHNxj_tysRY/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRnNp2lfALCZs6iRZx_nCNrRfaFES7Kh_fCxD1mSrjpukhD3hslGSnSRnW76b7aiuYhqGKVoiJLYTAP/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRsM4dmcGR3H4JQP_tsOAWJFb9Ve26gokFx6oy-gl1W_DdxZMsszEirAUEijF2DiR9DskIuAfUlTSVa/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vRUzSaJL3XlseYzQ63NwOXFyV7IOq_RHeswm93MRDBgmuR6R2VZeSP_f5-rnTOVY-q9O1RJ_Mfn-qB7/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSdKkvy22cOYiCGIwvp4df0rNoPvHnKRtiA2isNMQ1pOMzy5iH5v_8vrbNzbQFgu5TDh6S-M7QrJu98/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSgex8_vX-681ByTpjhpA_-yXkYu1FW3aiibkSLThyStLge9b0wz30-W0lhVUowCYN3nPRK-xzW24uc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSwJaRlXz2WZAM0NkMpiN3QmBOUi78Uxn-no2X4oQkgwF2Oy7twgOsSdM7JqA_vSZ6sAc3JOSnYu6Xc/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSZs-QkOj-4-ItQ5ca3208-EU4IEuy6_j0P9omwb2RPH1pbLdaLVwM5HkBrw1FzP2qkEDVV0qBZRfRE/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vSzwnAaqGk9A0xjUcnF7BDylSrreBqpekwR53_QNEaUpZRf94kwKCqf5Yxh7bgd6FycsV8c4CRvGuso/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTavxc7NWrBJcldmMvsiA9obUhd8dBLPKSS3fKAWYFFoGd4m8XA9dGbOnbxPb-n6XYh_R_sUmIfyjHp/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTDBAHr0CwfmYca9m-w0gxuVxXvrHRRiUb_MH7vxfN1lHsyaOtOyAlqr4eW1TWjYfF3UyxIGicl39N_/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTIvRH5DQv2UZjyfFcucJHhrbhCVCX311_1dvv4PMOTrgAKZe_SkadR3EDfYEWRpaFaXMwjJg-LJ-AB/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTKJU-kDUo2CEx3IUIw_k-3tHfx1LDUZIRa7edF2wrMc5IEulqBe_uQzg34ir5YJJqD0OziimIeIiZD/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTMn7m538M-Qw07_R24RizjPtkMRRJcTh09OsV-YMjzQ2iQwc_MFUylxNSvt4AGRfqkj2dwOaS7zXHU/pub
https://docs [.]google [.]com/document/d/e/2PACX-1vTnDIwoEtUVlS9BXCnG6HbRxdN9PHkYeGETWjabtpP2ADwxTQXSdvNEDkrdVCXgZ-McY1axdzTnit-W/pub
MALDOC DISTRIBUTION URLS
http://3 [.]133 [.]244 [.]105/sedentariness [.]php
http://somdeeppalace [.]com/comer [.]php
https://aarambhaad [.]com [.]np/anointment [.]php
https://citricadvertising [.]com/purgation [.]php
https://citricadvertising [.]com/snuffbox [.]php
https://impactmarketingservice [.]in/fuchsine [.]php
https://impactmarketingservice [.]in/whipsaw [.]php
https://itco [.]pe/shelly [.]php
https://merinocraft [.]ro/tearing [.]php
https://merinocraft [.]ro/unbroken [.]php
https://natural-healing-central [.]com/factorization [.]php
https://www [.]educacionvirtualavanzada [.]mx/inexact [.]php
https://xtracomsolutions [.]com/indispensable [.]php
aarambhaad [.]com [.]np
citricadvertising [.]com
impactmarketingservice [.]in
itco [.]pe
merinocraft [.]ro
natural-healing-central [.]com
somdeeppalace [.]com
educacionvirtualavanzada [.]mx
xtracomsolutions [.]com
HANCITOR MALDOC FILE HASHES
1193060c6c356ad35f3f1b778875f4de
19ecb07f51990d8392d06d7ed6f14c0b
2ab27e26b3643139a9d8cb99ba60738d
2ac587024def64ac26a7cf94e5741644
47a7996165733631a1f5b269e39bbd09
5edba41a1dd5184586b1251670bf19dc
60201a46d43c5da51c6ae5aa0329439d
c1f0fecc46b150bbf46e03134b5454d1
c8a7735dcc286e70031983c5bb419f0b
HANCITOR PAYLOAD FILE HASH
edge [.]dll
e5cf2f65aeb1ff4d8e40b0e73860cb75
HANCITOR C2
http://dingulbolies [.]com/8/forum [.]php
http://culadinces [.]ru/8/forum [.]php
http://coliessrass [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URL
http://qm30098 [.]ru/6jkiojdfssd [.]exe
FICKER STEALER FILE HASH
6jkiojdfssd [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com