THREAT DEFINITION: HANCITOR
Hancitor (also known as Chanitor) first appeared in 2013. It spreads through social engineering, mainly phishing emails that carry malicious links or Microsoft Office documents with malicious macros, and it is still used by cyber threat actors today.
The latest IoCs are listed below.
OBSERVED SUBJECTS
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service
Indicators of Compromise
SENDERS OBSERVED
MALDOC LANDING PAGE URLS
MALDOC DISTRIBUTION URLS
HANCITOR MALDOC FILE HASHES
HANCITOR PAYLOAD FILE HASH
Runtime [.]dll
c1e73a655d6cb7e796d2e490d03714c5
HANCITOR C2
http://stionicksilid [.]com/8/forum [.]php
http://succupenous [.]ru/8/forum [.]php
http://cappiasstising [.]ru/8/forum [.]php
FICKER STEALER PAYLOAD URLS
http://q17ar45 [.]ru/689uksdffs [.]exe
FICKER STEALER FILE HASH
689uksdffs [.]exe
77be0dd6570301acac3634801676b5d7
FICKER STEALER C2
http://sweyblidian [.]com
COBALT STRIKE PAYLOAD URLS
http://q17ar45 [.]ru/3003 [.]bin
http://q17ar45 [.]ru/3003s [.]bin
COBALT STRIKE FILE HASHES
3003 [.]bin 02dadaeecc3d8ba4e8b59ca4d27b54c6
3003s [.]bin 62a46578b147897724e7e808918994e2
COBALT STRIKE C2/ADDITIONAL TRAFFIC
http://139 [.]60 [.]161 [.]50/Hsp1
http://139 [.]60 [.]161 [.]50/load