01 Apr, 2021

[:tr]HANCITOR  Malware Hakkında IoC’ler [:en]About HANCITOR Malware IoCs[:]

[:tr]TEHDİT TANIMI: HANCITOR 

Hancitor (Chanitor olarak da bilinir), sosyal mühendislik teknikleriyle temelde kötü niyetli bağlantılarla gömülü phishing e-postaları ve içinde kötü amaçlı makro içeren Microsoft Office belgesi yoluyla yayılan 2013 yılında ortaya çıktı ve halen günümüzde siber tehdit aktörleri tarafından kullanılmaktadır. 

Aşağıda görüldüğü gibi en son IoC’ler bulunmaktadır. 

 

GÖZLENEN KONULAR 

DocuSign Elektronik Hizmetinden fatura aldınız (You got invoice from DocuSign Electronic Service) 

DocuSign Elektronik İmza Hizmetinden fatura aldınız (You got invoice from DocuSign Electronic Signature Service) 

DocuSign Hizmetinden fatura aldınız (You got invoice from DocuSign Service) 

DocuSign Elektronik İmza Hizmetinden bildirim aldınız (You got notification from DocuSign Electronic Signature Service) 

DocuSign Hizmetinden bildirim aldınız (You got notification from DocuSign Service) 

DocuSign İmza Hizmetinden bildirim aldınız (You got notification from DocuSign Signature Service) 

DocuSign Elektronik İmza Hizmetinden fatura aldınız (You received invoice from DocuSign Electronic Signature Service) 

DocuSign İmza Hizmetinden fatura aldınız (You received invoice from DocuSign Signature Service) 

DocuSign Elektronik Hizmetinden bildirim aldınız (You received notification from DocuSign Electronic Service) 

DocuSign Elektronik İmza Hizmetinden bildirim aldınız (You received notification from DocuSign Electronic Signature Service) 

DocuSign İmza Hizmetinden bildirim aldınız (You received notification from DocuSign Signature Service) 

 

Indicators of Compromise 

GÖNDERENLER GÖZLEMLENDİ  (SENDERS OBSERVED ) 

anxyhqi@skidsteersnowtires [.]com  

cli@skidsteersnowtires [.]com  

ddowigy@skidsteersnowtires [.]com  

eeoybot@skidsteersnowtires [.]com  

eogof@skidsteersnowtires [.]com  

gtsiyf@skidsteersnowtires [.]com  

lycsfiz@skidsteersnowtires [.]com  

mar@skidsteersnowtires [.]com  

mwouhaf@skidsteersnowtires [.]com  

tilegp@skidsteersnowtires [.]com  

tiz@skidsteersnowtires [.]com  

uaqoye@skidsteersnowtires [.]com  

uviqexo@skidsteersnowtires [.]com  

vnctuj@skidsteersnowtires [.]com  

voiutyy@skidsteersnowtires [.]com  

yfefwua@skidsteersnowtires [.]com  

 

MALDOC AÇILIŞ SAYFASI URLLERİ (MALDOC LANDING PAGE URLS ) 

https://docs [.]google [.]com/document/d/e/2PACX-1vQV1Y7N0-q-0vCctsRjOdqtJ2d8YChDHAdY4HqHjIkrpVMSuuOFHQub6GHNacx74GC-lljtyw-VHMF0/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vR2le5OY6eitMTv7OV1eLn4–MYdrdJ0SRvjR40Mn4hyK2BMWWiGSh67_cD0GsBRGes3ipUBNlZdTjR/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vRAgFOqsHYGVq7BZ-cm5gtcK_Gh5rGzd5vJvVloYtI5XeZGV1EgHAVlRmjS7JlO_CuFdZ10TbQjUJBV/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vSKhMosGJRhAx6nPKG1CxRA5OqFCouT4mAn581iigdj6E0kW5E7pkDM7rzgT4lHSD2w4pbfIDgqO16u/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vSllYUcuuUT4iqwFmWWSBAi4ZnCIJfd_I7MpP8pN7_D_kvyVtrFaSRUUStKL19a4N8XVHOboTo2p1S4/pub 

https://docs [.]google [.]com/document/d/e/2PACX-1vSRfbQEHuTyQW0eqqmAmeC8gNg8L9WUju07_rv4tHRn-eNfCzflVELccrZKo1Vs0h9BlE5HECXJLzrK/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vSSt6CrA6bUtz5gwU3mv6B8tCak80azHhLnd6dMsM_XVaxj7q13YfnYOikhuYuhOm2m29tG6se7t5PG/pub 

https://docs [.]google [.]com/document/d/e/2PACX-1vT4DehaB_ZFCPUCo6FPTyk0AwDNQHkO55-zrMUMiTCP9S3WYEuXa4E7qklLSmx0aT3kuGKV7EhibYF1/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vTCL_qjggEFoZ4wzusYvmPLV_mrOXN0FYiKApb3644JPU8Ivd5wKWf1p7nfb8u6GvDiMWZ2XDABkYHQ/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vTi15ayB8KwOrXxIaCUH1d03KK9-aUl7SRrqsLRzUmkoQydto93KgEMKBC8mqc2GDxUwJKb7GLERXyh/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vToBxyjYpZycUcRkK7RAHru3il-bWv7vaLAK_102cOZPv3Ff8pqbwda0pZQK8S2apVVvW-puhjQzLd3/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vTOPtRbRsBAmqOcP8PdkQ6TmvxMCD-AHEqSL76R7uk-c9TRHWajt-e_iYQ2iQ1LtG36wjH7ZkvinoNB/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vTqyJd8ZQl6kbLiiqbI-jsAQNUJBccElVWHzJBxIy7Mo11lUqD-bemTtPGfGjeGDOvReqs7IMX_VwBd/pub  

https://docs [.]google [.]com/document/d/e/2PACX-1vTslVGTV3rPJYFKSK2ulbm3mnGbSU1xUy02AwSWY9Qu_XzZeoCSMdJu63rmyQXH8hEFxissf_Yd6qiN/pub  

MALDOC DAĞITIM URLLERİ (MALDOC DISTRIBUTION URLS) 

http://tlfthelifefactory [.]com [.]au/fee [.]php  

http://www [.]capitallifesyariah [.]co [.]id/replay [.]php  

https://capasa [.]com [.]my/cycle [.]php  

https://koonol [.]mx/personably [.]php  

https://lt [.]app [.]krazyit [.]com [.]au/egor [.]php  

https://moradaimoveisjab [.]com [.]br/cranky [.]php  

https://pharmaciebougieba [.]org/gel [.]php https://uberum [.]ro/anoint [.]php  

https://uniquewebservice [.]com/wail [.]php  

capasa [.]com [.]my  

capitallifesyariah [.]co [.]id  

koonol [.]mx  

krazyit [.]com [.]au  

moradaimoveisjab [.]com [.]br  

pharmaciebougieba [.]org  

tlfthelifefactory [.]com [.]au  

uberum [.]ro  

uniquewebservice [.]com  

 

HANCITOR MALDOC DOSYASI Hash bilgileri (HANCITOR MALDOC FILE HASHES ) 

3448cc288fca67901056db4fa75d65c5 

570ea5f20ea57233801e4d8c5fbcf472  

79f7b1808de6aa49e4775799b0203329  

7ca22c035af153396354116cb1db11df  

e16b4f91101a452b9a2c5eceb8985cec  

fa3799eabf27a6c2c7834f48e5134088  

ff0131c3bad0b18758a03950179220e0  

 

HANCITOR PAYLOAD FILE HASH  

Runtime [.]dll  

c1e73a655d6cb7e796d2e490d03714c5  

HANCITOR C2  

http://stionicksilid [.]com/8/forum [.]php  

http://succupenous [.]ru/8/forum [.]php  

http://cappiasstising [.]ru/8/forum [.]php  

FICKER STEALER PAYLOAD URLS  

http://q17ar45 [.]ru/689uksdffs [.]exe  

FICKER STEALER FILE HASH  

689uksdffs [.]exe  

77be0dd6570301acac3634801676b5d7  

FICKER STEALER C2  

http://sweyblidian [.]com  

COBALT STRIKE PAYLOAD URLS  

http://q17ar45 [.]ru/3003 [.]bin  

http://q17ar45 [.]ru/3003s [.]bin  

COBALT STRIKE FILE HASHES  

3003 [.]bin 02dadaeecc3d8ba4e8b59ca4d27b54c6  

3003s [.]bin 62a46578b147897724e7e808918994e2 

COBALT STRIKE C2/ADDITIONAL TRAFFIC  

http://139 [.]60 [.]161 [.]50/Hsp1  

http://139 [.]60 [.]161 [.]50/load [:en]THREAT DEFINITION: HANCITOR

Hancitor (also known as Chanitor) originated in 2013, spread through social engineering techniques mainly via phishing emails embedded with malicious links and Microsoft Office document containing malicious macro and is still used by cyber threat actors today.

As seen below, there are the latest IoCs.

OBSERVED ISSUES

You received an invoice from DocuSign Electronic Service (You got invoice from DocuSign Electronic Service)

You received an invoice from DocuSign Electronic Signature Service (You got invoice from DocuSign Electronic Signature Service)

You got invoice from DocuSign Service (You got invoice from DocuSign Service)

You got notification from DocuSign Electronic Signature Service (You got notification from DocuSign Electronic Signature Service)

You got notification from DocuSign Service (You got notification from DocuSign Service)

You got notification from DocuSign Signature Service (You got notification from DocuSign Signature Service)

You received invoice from DocuSign Electronic Signature Service (You received invoice from DocuSign Electronic Signature Service)

You received invoice from DocuSign Signature Service

You received notification from DocuSign Electronic Service (You received notification from DocuSign Electronic Service)

You received notification from DocuSign Electronic Signature Service

You received notification from DocuSign Signature Service

Indicators of Compromise

SENDERS OBSERVED (SENDERS OBSERVED)

anxyhqi @ skidsteersnowtires [.] com

cli @ skidsteersnowtires [.] com

ddowigy @ skidsteersnowtires [.] com

eeoybot @ skidsteersnowtires [.] com

eogof @ skidsteersnowtires [.] com

gtsiyf @ skidsteersnowtires [.] com

lycsfiz @ skidsteersnowtires [.] com

mar @ skidsteersnowtires [.] com

mwouhaf @ skidsteersnowtires [.] com

tilegp @ skidsteersnowtires [.] com

tre @ skidsteersnowtires [.] com

uaqoye @ skidsteersnowtires [.] com

uviqexo @ skidsteersnowtires [.] com

vnctuj @ skidsteersnowtires [.] com

voiutyy @ skidsteersnowtires [.] com

yfefwua @ skidsteersnowtires [.] com

MALDOC LANDING PAGE URLS

https: // docs [.] google [.] com / document / d / e / 2PACX-1vQV1Y7N0-q-0vCctsRjOdqtJ2d8YChDHAdY4HqHjIkrpVMSuuOFHQub6GHNacx74GC-lljtyw / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vR2le5OY6eitMTv7OV1eLn4 – MYdrdJ0SRvjR40Mn4hyK2BMWWiGSh67_cD0GsBRGes3ipUBNlZdTjR / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vRAgFOqsHYGVq7BZ-cm5gtcK_Gh5rGzd5vJvVloYtI5XeZGV1EgHAVlRmjS7JlO_CuFdZ10BVQj

https: // docs [.] google [.] com / document / d / e / 2PACX-1vSKhMosGJRhAx6nPKG1CxRA5OqFCouT4mAn581iigdj6E0kW5E7pkDM7rzgT4lHSD2w4pbfIDgqO16u

https: // docs [.] google [.] com / document / d / e / 2PACX-1vSllYUcuuUT4iqwFmWWSBAi4ZnCIJfd_I7MpP8pN7_D_kvyVtrFaSRUUStKL19a4N8XVHOboTo2p1S4 / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vSRfbQEHuTyQW0eqqmAmeC8gNg8L9WUju07_rv4tHRn-eNfCzflVELccrZKo1Vs0h9BlEzKHECXJ

https: // docs [.] google [.] com / document / d / e / 2PACX-1vSSt6CrA6bUtz5gwU3mv6B8tCak80azHhLnd6dMsM_XVaxj7q13YfnYOikhuYuhOm2m29tG6se7t5PG / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vT4DehaB_ZFCPUCo6FPTyk0AwDNQHkO55-zrMUMiTCP9S3WYEuXa4E7qklLSmx0aT3kuGKV7EhibYF1 / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vTCL_qjggEFoZ4wzusYvmPLV_mrOXN0FYiKApb3644JPU8Ivd5wKWf1p7nfb8u6GvDiMWZ2XDABkYHQ / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vTi15ayB8KwOrXxIaCUH1d03KK9-aUl7SRrqsLRzUmkoQydto93KgEMKBC8mqc2GDxUwJKb7GLERXyh / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vToBxyjYpZycUcRkK7RAHru3il-bWv7vaLAK_102cOZPv3Ff8pqbwda0pZQK8S2apVVvW-puhjQzLd3 / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vTOPtRbRsBAmqOcP8PdkQ6TmvxMCD-AHEqSL76R7uk-c9TRHWajt-e_iYQ2iQ1LtG36wjH7ZkvinoNB / pub

https: // docs [.] google [.] com / document / d / e / 2PACX-1vTqyJd8ZQl6kbLiiqbI-jsAQNUJBccElVWHzJBxIy7Mo11lUqD-bemTtPGfGjeGDOvReqs7IMX_V

https: // docs [.] google [.] com / document / d / e / 2PACX-1vTslVGTV3rPJYFKSK2ulbm3mnGbSU1x uy02AwSWY9Qu_XzZeoCSMdJu63rmyQXH8hEFxissf_Yd6qiN / pub

MALDOC DISTRIBUTION URLS

http: // tlfthelifefactory [.] com [.] au / fee [.] php

http: // www [.] capitallifesyariah [.] co [.] id / replay [.] php

https: // capasa [.] com [.] my / cycle [.] php

https: // koonol [.] mx / personably [.] php

https: // lt [.] app [.] krazyit [.] com [.] au / egor [.] php

https: // moradaimoveisjab [.] com [.] br / cranky [.] php

https: // pharmaciebougieba [.] org / gel [.] php https: // uberum [.] ro / anoint [.] php

https: // uniquewebservice [.] com / wail [.] php

capasa [.] com [.] my

capitallifesyariah [.] co [.] id

coonol [.] mx

krazyit [.] com [.] au

moradaimoveisjab [.] com [.] br

pharmaciebougieba [.] org

tlfthelifefactory [.] com [.] au

uberum [.] ro

uniquewebservice [.] com

HANCITOR MALDOC FILE Hash information (HANCITOR MALDOC FILE HASH[:]

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram