forked from executemalware/Malware-IOCs
2021-09-08 Hancitor IOCs
THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE
NOTES:
We saw the return of Hancitor today and there were a few notable changes.
As has been the case for a while now, the emails all contain a Google Feedproxy URL.
Previously, these would just act as a redirector and forward to a .php URL.
The malicious Word document was then downloaded via the .php URL.
Today, however, after the .php URL, I saw a secondary redirect pointing to a live[.]com URL.
These secondary URLs point to a shortened OneDrive URL (1drv[.]com) which downloads the maldoc.
It's possible that this has always been the case but perhaps the other URLs were not visible.
The speculation is that they may have been shielded by the server-side .php script.
The next change that was noted relates to the Word document.
The maldoc that was downloaded still contains a second embedded password-protected Word document.
However, the embedded file name has changed to "reform[.]doc" and the password is now 2281337.
Also, the .dll file name has been changed - it's now named "hhhh[.]mp3".
Once again, there was no Ficker Stealer secondary payload today - only Cobalt Strike.
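The delivery chain in the notes above, as an added detection example that is not part of the original post: a Python classifier that maps proxy-log URLs to the stages of the chain (feedproxy redirector, compromised .php host, OneDrive hop, 1drv.com maldoc, Hancitor C2, Cobalt Strike stager and beacon) and then correlates stages per client, so that a lone dictionary-word .php request never alerts by itself. The log lines are constructed; the URL shapes are the ones listed on this page, and only the Google/Microsoft hosts and the single Cobalt Strike IP are hard-coded, since the compromised .php domains rotate.

```python
"""Chain-aware stage classifier for the Hancitor delivery path described above.

Added example, not part of the original IOC post. SAMPLE_LOG is constructed;
the URL shapes it exercises are taken from the IOC lists on this page. Only
feedproxy.google.com, onedrive.live.com, *.files.1drv.com and the one Cobalt
Strike IP are hard-coded, so the rules survive rotation of the compromised
.php redirector domains.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Stages in the order the notes describe them.
STAGES = ["feedproxy_redirect", "php_redirect", "onedrive_redirect",
          "maldoc_download", "hancitor_c2", "cs_stager", "cs_beacon"]
# A GET for a bare dictionary-word .php page is far too common to alert on by
# itself; it only counts once the same client has already hit a strong stage.
WEAK = {"php_redirect"}


def classify(url: str) -> Optional[str]:
    """Map one URL to a delivery-chain stage, or None if it matches nothing."""
    u = urlsplit(url)
    host, path, query = (u.hostname or "").lower(), u.path, u.query
    if host == "feedproxy.google.com" and path.startswith("/~r/") and path.endswith(".php"):
        return "feedproxy_redirect"
    if host == "onedrive.live.com" and path == "/download" and "utm_source=feedburner" in query:
        return "onedrive_redirect"   # the FeedBurner tracking tail survives into this hop
    if host.endswith(".files.1drv.com") and re.search(r"/\d{4}_\d+\.doc$", path) and "download" in query:
        return "maldoc_download"     # MMDD_<digits>.doc?download&psid=1
    if host.endswith(".ru") and path == "/8/forum.php":
        return "hancitor_c2"
    if re.fullmatch(r"/\d{4}s?\.bin", path):
        return "cs_stager"           # 0709.bin / 0709s.bin
    if host == "23.160.193.55":
        return "cs_beacon"           # beacon downloads plus /ca, /push, /submit.php
    if re.fullmatch(r"/[a-z]+\.php", path):
        return "php_redirect"
    return None


Hit = Tuple[datetime, str, str, str]   # (timestamp, client, stage, url)


def parse_log(lines: List[str]) -> List[Hit]:
    """Parse 'timestamp client method url' lines, keeping only classified URLs."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        stage = classify(url)
        if stage is not None:
            hits.append((datetime.fromisoformat(ts), client, stage, url))
    return hits


def chains(hits: List[Hit]) -> Dict[str, List[str]]:
    """Per client, the distinct stages seen in time order. Weak stages are kept
    only after a strong one; clients that never hit a strong stage are dropped."""
    per_client: Dict[str, List[str]] = defaultdict(list)
    for _ts, client, stage, _url in sorted(hits, key=lambda h: h[0]):
        seen = per_client[client]
        if stage in WEAK and not any(s not in WEAK for s in seen):
            continue
        if stage not in seen:
            seen.append(stage)
    return {c: s for c, s in per_client.items() if any(x not in WEAK for x in s)}


def coverage(stages: List[str]) -> float:
    """Fraction of the documented chain a client has walked."""
    return len(stages) / len(STAGES)


# Constructed sample: one host walking the whole chain, one benign host whose
# only .php request must not produce an alert.
SAMPLE_LOG = """\
2021-09-08T13:58:02 10.1.1.20 GET http://feedproxy.google.com/~r/luwqkhbhs/~3/CxWhgJa3l-M/whitely.php
2021-09-08T13:58:03 10.1.1.20 GET https://sunrise.uproductslive.com/whitely.php
2021-09-08T13:58:04 10.1.1.20 GET https://onedrive.live.com/download?cid=2FDDC2D7EFB728D6&resid=2FDDC2D7EFB728D6%21116&authkey=AAKBtI9HYmNJlGw&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20luwqkhbhs%20(unquenchableimpotence)
2021-09-08T13:58:05 10.1.1.20 GET https://lfn4hg.sn.files.1drv.com/y4mEXAMPLE/0908_4652590689245.doc?download&psid=1
2021-09-08T14:03:40 10.1.1.20 POST http://kedaeclas.ru/8/forum.php
2021-09-08T14:03:41 10.1.1.20 GET http://klistr0n.ru/0709.bin
2021-09-08T14:03:44 10.1.1.20 GET http://23.160.193.55/ca
2021-09-08T14:05:00 10.1.1.31 GET https://intranet.example.com/index.php
2021-09-08T14:05:02 10.1.1.31 GET https://www.example.com/
"""

if __name__ == "__main__":
    for client, stages in chains(parse_log(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {' -> '.join(stages)} ({coverage(stages):.0%} of chain)")
```

Run as a script it prints each client's walked chain; real proxy logs can be fed in the same four-column form (timestamp, client, method, URL). The `.ru` + `/8/forum.php` and `NNNN.bin` patterns follow this campaign's naming and will need revisiting when the build number or C2 TLD changes.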
SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
SENDERS OBSERVED
MALDOC FEEDPROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/aagavlar/~3/0Ucu14UpCis/seeding.php
http://feedproxy.google.com/~r/artgzluhc/~3/GXd8fDSRcG0/nebulous.php
http://feedproxy.google.com/~r/cybcrr/~3/jn3i_jY6TWI/absorption.php
http://feedproxy.google.com/~r/dlhajxbbh/~3/q_SkOEU7ZZg/disbursements.php
http://feedproxy.google.com/~r/dulzw/~3/vD6A8tKx-mU/incise.php
http://feedproxy.google.com/~r/dxukkpgkjyz/~3/jJ4zLzGnd_Q/heard.php
http://feedproxy.google.com/~r/etzcdokrn/~3/dtYH7iepL6Q/aimlessly.php
http://feedproxy.google.com/~r/ewlopgy/~3/rT2CBlkORzU/unhygienic.php
http://feedproxy.google.com/~r/ggbpzkrgyyv/~3/j6TJmPBwaFY/scant.php
http://feedproxy.google.com/~r/giqybajw/~3/ra9WJLU7M2s/paleolithic.php
http://feedproxy.google.com/~r/hcfgxqt/~3/CfN-D3sZ-Pw/undated.php
http://feedproxy.google.com/~r/hnlmkug/~3/j6TJmPBwaFY/scant.php
http://feedproxy.google.com/~r/hphqhrl/~3/HfktkC44DGA/belvedere.php
http://feedproxy.google.com/~r/hunpsakou/~3/sA-qGQ2eT2U/juice.php
http://feedproxy.google.com/~r/idshdahwlqy/~3/3-iUuLv2GsU/dim.php
http://feedproxy.google.com/~r/jfuibkqyh/~3/HiswHPBPVh8/pennon.php
http://feedproxy.google.com/~r/jlzjbdpm/~3/SDEC92AgdzE/atascadero.php
http://feedproxy.google.com/~r/jybnfjsn/~3/9mTl1MRPcbs/antinomian.php
http://feedproxy.google.com/~r/kdwowcvqoh/~3/HiswHPBPVh8/pennon.php
http://feedproxy.google.com/~r/kkccbuwstv/~3/aATWIocvD8U/tenability.php
http://feedproxy.google.com/~r/ktjdh/~3/Jj5iRR9rNa0/taxless.php
http://feedproxy.google.com/~r/luwqkhbhs/~3/CxWhgJa3l-M/whitely.php
http://feedproxy.google.com/~r/lxbmpr/~3/sVt0mUVwDTM/derby.php
http://feedproxy.google.com/~r/meorjknot/~3/cl2kckK-B8A/cumulation.php
http://feedproxy.google.com/~r/mgksamww/~3/q4oECrrhKos/rudimentary.php
http://feedproxy.google.com/~r/mlrncauhpjt/~3/pghOdcoYN78/photon.php
http://feedproxy.google.com/~r/mqqozrc/~3/iTb63YErfIM/philanthropic.php
http://feedproxy.google.com/~r/mxxlaqb/~3/jJ4zLzGnd_Q/heard.php
http://feedproxy.google.com/~r/nbminh/~3/_SaiWO8twV0/teachable.php
http://feedproxy.google.com/~r/nxvqb/~3/siP6n014oKY/importation.php
http://feedproxy.google.com/~r/oczizjbrf/~3/m75PoSzsBRA/aerodynamics.php
http://feedproxy.google.com/~r/onrdudpyq/~3/d7c5Sd_0qZI/fullword.php
http://feedproxy.google.com/~r/psshk/~3/k0sjh02jSBw/haze.php
http://feedproxy.google.com/~r/sevkk/~3/WsAG1cNc83Y/pharmacologic.php
http://feedproxy.google.com/~r/shkkbrwzgk/~3/GXd8fDSRcG0/nebulous.php
http://feedproxy.google.com/~r/sohzu/~3/T4eHiejy_uU/fractal.php
http://feedproxy.google.com/~r/syydufs/~3/TU51R3OHIzk/cinnamon.php
http://feedproxy.google.com/~r/tgvjiwpa/~3/j6TJmPBwaFY/scant.php
http://feedproxy.google.com/~r/tncwx/~3/Uu7EwJKU9sU/steers.php
http://feedproxy.google.com/~r/umapb/~3/20vcmTWqVzc/teracycle.php
http://feedproxy.google.com/~r/unbupds/~3/J4j3Zma53i4/resolve.php
http://feedproxy.google.com/~r/uskbicmpoc/~3/vD6A8tKx-mU/incise.php
http://feedproxy.google.com/~r/yifkjfabbk/~3/I8Ug0NG-RsQ/potation.php
http://feedproxy.google.com/~r/ynptjf/~3/2eDsenBLWME/machinist.php
http://feedproxy.google.com/~r/zmthidth/~3/18bn7fxCo2Q/sideways.php
http://feedproxy.google.com/~r/znpemwsrbc/~3/0N5YbtbGSdY/talc.php
http://feedproxy.google.com/~r/zrczhbrpnsv/~3/18bn7fxCo2Q/sideways.php
http://feedproxy.google.com/~r/ztibj/~3/b-8muNKtQHw/hypothetic.php
http://feedproxy.google.com/~r/zuugnkhporg/~3/q_SkOEU7ZZg/disbursements.php
MALDOC REDIRECT PHP URLS
http://admin.deliverydudez.com/heard.php
http://admin.deliverydudez.com/resolve.php
http://agent.mior.it/teracycle.php
http://disinfectiontunnel.emergemetal.com/haze.php
http://howimetyourdata.com/hypothetic.php
http://howimetyourdata.com/rudimentary.php
http://hr.alexandermarius.com/potation.php
http://icloud.corporaciongrl.com/atascadero.php
http://icloud.corporaciongrl.com/juice.php
http://lawfirm.paperbirdtech.com/philanthropic.php
http://maitri.arrkcelebrations.com/cumulation.php
http://maitri.arrkcelebrations.com/talc.php
http://nlacbe.com/incise.php
http://nlacbe.com/unhygienic.php
http://purplechaiblogger.com/aerodynamics.php
http://purplechaiblogger.com/pennon.php
http://server.walemah.com/disbursements.php
http://vital.omnitryx.com/antinomian.php
http://vital.omnitryx.com/seeding.php
http://vulkanfreespin.prosconsultants.co.uk/absorption.php
http://vulkanfreespin.sbrclinicalresearch.com/pharmacologic.php
https://demo.exclusivev2.uproducts.in/scant.php
https://demo.exclusivev2.uproducts.in/steers.php
https://draihiadvisor.000webhostapp.com/fractal.php
https://draihiadvisor.000webhostapp.com/teachable.php
https://sunrise.uproductslive.com/sideways.php
https://sunrise.uproductslive.com/whitely.php
https://www.bpbj.id/derby.php
MALDOC REDIRECT PHP DOMAINS
000webhostapp.com
alexandermarius.com
arrkcelebrations.com
bpbj.id
corporaciongrl.com
deliverydudez.com
emergemetal.com
howimetyourdata.com
mior.it
nlacbe.com
omnitryx.com
paperbirdtech.com
prosconsultants.co.uk
purplechaiblogger.com
sbrclinicalresearch.com
uproducts.in
uproductslive.com
walemah.com
MALDOC SECONDARY REDIRECT URLS
https://onedrive.live.com/download?cid=2FDDC2D7EFB728D6&resid=2FDDC2D7EFB728D6%21116&authkey=AAKBtI9HYmNJlGw&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20luwqkhbhs%20(unquenchableimpotence)
https://onedrive.live.com/download?cid=2FDDC2D7EFB728D6&resid=2FDDC2D7EFB728D6%21119&authkey=APdb78LfAuO_4u0&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20dxukkpgkjyz%20(allocatedbalcony)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21106&authkey=AJ0ILAizZN-ahp0&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20ewlopgy%20(semifictionaloutlying)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21108&authkey=APyKTyZWOsnup_I&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20sevkk%20(sqcertify)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21113&authkey=AB-AtNfGrVshAIE&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20umapb%20(overtransmutable)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21114&authkey=AHh4MvE4M0sZuyI&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20oczizjbrf%20(figurativelyhousecoat)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21117&authkey=ANcNY2fBjtvGk_A&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20hnlmkug%20(southernsummation)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21118&authkey=AIWJDfGIy2oA1QA&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20zrczhbrpnsv%20(grammaticssloppiness)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21120&authkey=AFYuLTbTBqtJRj8&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20dulzw%20(decontaminationubiety)
https://onedrive.live.com/download?cid=6D2462F736CD9AB1&resid=6D2462F736CD9AB1%21121&authkey=AMq7vbYyPvEgP5I&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20znpemwsrbc%20(nogginmotor)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21117&authkey=AEDi49-Sz4bRft8&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20hunpsakou%20(sentimentalitysmidgen)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21118&authkey=AOG5124LjZK2NQQ&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20jybnfjsn%20(crimerole)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21118&authkey=AOG5124LjZK2NQQ&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20yifkjfabbk%20(covariationacerbate)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21119&authkey=AHKPWO2XjWhRWJE&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20jlzjbdpm%20(adjudicationentrapment)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21121&authkey=APFcLL5rzpGloWI&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20ggbpzkrgyyv%20(excavatorspinney)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21123&authkey=AJgNYjsI5aY6LT4&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20jfuibkqyh%20(neolithicpodzol)
https://onedrive.live.com/download?cid=767E9B97073245B9&resid=767E9B97073245B9%21124&authkey=AMcb9X0tmp_LXP4&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20sohzu%20(shaftedsuccinctly)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21115&authkey=ALOpZQIdFDbwmUU&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20nbminh%20(causalityinferior)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21115&authkey=ALOpZQIdFDbwmUU&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20tncwx%20(neurologicalpension)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21118&authkey=AB96obepN2Fh7Ks&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20zuugnkhporg%20(subtropicalvs)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21122&authkey=AJB5Gf_W14e_sBg&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20cybcrr%20(sandglassantiunion)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21123&authkey=AGj91hzQ_Oggx30&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20meorjknot%20(ungraciouslyfamiliarity)
https://onedrive.live.com/download?cid=9095A505A24A1D32&resid=9095A505A24A1D32%21130&authkey=AOZBCUl5JTGYwWs&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20unbupds%20(oboeenthusiasm)
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21109&authkey=AJ2D0jSE5cYTcWI&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20aagavlar%20(ruledargon)
https://onedrive.live.com/download?cid=A40D442771EF23FA&resid=A40D442771EF23FA%21117&authkey=AATFzfYrxKr-ns0&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20psshk%20(impregnatedabscessing)
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21123&authkey=AFWLXiv3-7Z7KJY&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20lxbmpr%20(terminallyassociated)
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21125&authkey=AJfqFB7BjaMiJG8&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20mqqozrc%20(mappedgreediness)
https://onedrive.live.com/download?cid=C8F509F4DF38F932&resid=C8F509F4DF38F932%21126&authkey=AIvhvSiQqf0HIfs&em=2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20tgvjiwpa%20(birchloaded)
MALDOC REDIRECT DOWNLOAD URLS
https://0rg0ma.bn.files.1drv.com/y4mBLMPz7iffNYsJmYwPoJ4yQc_8oe-xDY86WMTIHmrF8nPWClJlw7iqLmjM5VTffru9HnS8XB7NgYlcKLAcLt6GeSi9-eGyQapd7cQkVVLqXpSGRbGOHFv0azlDuXyvLKTLkHK3Nm2RVNudAE9c0S42GVZDAtJ_pMrw-eVCbJTCscycZJvTPw9yrF7SB2Qr4CuxxPeWzCwxhzo3KTxohwLnQ/0908_3125999368670.doc?download&psid=1
https://0rj3zw.bn.files.1drv.com/y4m6967vmgPrhBRcV9Dd6orlz35HY-up2WNQMzqBNi_9ayYxzzdefzJmQVNsPO5foO1oLK9LlP5i8y1QHQQLyfjzW5dQVyfp1UJ8kif4QCw-0ucvuvb3F7HhVkINRfcE-LDl4jNDPkMKLGyViAVe3oXJTMZXLzi5LenPGnFD-cOZpzdadc3bS-ULssoWQxSd8SltJqqwSCbN8uHCe4_KCXV5g/0908_3382318512000.doc?download&psid=1
https://58tqlg.dm.files.1drv.com/y4m3v2AWcjR0FnTWxYDkwXu0XLsNT7kvSE864FoYsm5qxeadKbKoU_rKgTrvF1dIn22T53QcIjTtv95pyIEPMCD7FzAA1kLfEjR0-LXoHo4gAHOz2T8puUu-6IYPQ5Yub85G-HFvv-xkRRAls68wFBB8vGmGCedwNf89wENeB1XmSLjLRzxBcWiS4ZF0MEywGum3QZlS-lxHhpyV1x1VAutqA/0908_23686364010619.doc?download&psid=1
https://bjqijg.dm.files.1drv.com/y4m9et_lg4oXKXeryoJ--wz9vvKUxD1hO3rh0BTLnUtemDX2cQyY8qBhmymZQc0U3uqewrVf-RbdZ-OQF0LDCgjTKHwrkSAsGi42MC49BocWNAaD2NwOKLmK_1-H_8kGqsot25axc3F1N81WBRiMNqkbtTU2K8fvqsVuQiNshxXFADTY57z7MZAIyhsmHu9Tw-dXuOkES2QwKzYLgEyeW_Ptw/0908_1317101047465.doc?download&psid=1
https://cam7og.dm.files.1drv.com/y4mMpsGl2M48LjvfwjJQ20YhWZ0Ddh99a5PDEKqdEkckFMpj3rkXF8lLSN23SXdWDS5NE-qIyfj3wMh9zDjRWWGW6Q6PrZF1bFlSWbwyO71xSHVqlU_ZNxNx5cCuJ7rIbJTy00oujYjd89LBkpwjf5bEoysscii4u39q7PbExU6tqZF9AtJQXfpiTgavXWM70JDGN84ME0QcZT9S8dadVMk7Q/0908_3495938409326.doc?download&psid=1
https://coalxw.bl.files.1drv.com/y4miRri6Q4JfOuPsg7VDkZBhI3Mx5WU2MPdLg4esvNsAGqtVKEvBi9e-6HCfrd_ikgtKYpkhC7qAjY5ngCpqL_zLA407eH6K5cP22dSNc1teVHwkjXMOgdVlqg0JAQXPNX9rOX9kjbElencsGiYpSmJXju7sYsJ70FuSt61_rM3iLhyzkXl9YQYcxmyr_bu9_DHdGSi6BZzBbZiNSeD4t3tkQ/0908_1433632206833.doc?download&psid=1
https://cocmow.bl.files.1drv.com/y4m4SO1uQbys8EVaT5smyUfs1Q0X_K78xG8rz161_U2hjM4vSd9pOJnNA83FVB5sapHavEZQtt_anrDIMndE5e2aqpRdxVx-Sa-T0g-utax6r9luHX4ltqb73-9E9VYH5YhQI1hAwSbRaeB_StH0YW1hV1VMahl9RtklvAqZJB8ZPZ8MiNbE2P7IjCT9hfk66A6zXCvSQlwbGqC_msaE95fKw/0908_3314584507944.doc?download&psid=1
https://lfn4hg.sn.files.1drv.com/y4mVU9WpNVtsfZhA5tB-S8pp3w3goUN4twYiZbCQuwqU3mqkU0tyPDtjcy0apzWCkrZc4loA790lGjWWKFh5Mmz-m9erl4IsnJrx_U4d9qTxlyE6efTxmhNrteSf2XDN7kkqvNDyaGBAnXmPlkJfx5jN4vTPKHk3rPEHvLqimQRTwmGIvsh8dnG1DBwFE3TuKQVh0Omg-nnWjY9QlBVohm4iw/0908_4652590689245.doc?download&psid=1
https://lfncnq.sn.files.1drv.com/y4mSXFYhfrwEQCxXpc6HyDzF3G3x71q9mWAqL5h8KWPV6PhH4R2YtjRRXf-yfUA31gEuI40reja4kA_hMjCv9qL8s9ior0TilFI-LEkolmkWrjSMirstqSq9Mc4fZR9UeSP0z9CFBi24JFd1bjLaG7C6MdWHMk9Emj_G_Qyrkvx0q0bOoQJFw0ZmY9mf3RnEXdi7pA2DHkAzsaknhMiuU7nvA/0908_1926575701456.doc?download&psid=1
https://lfnx1w.sn.files.1drv.com/y4mQPEL9l5iWgDBgOeCF0mSonVyOXehl2rnnlp5uj1Nc_iE9QPrTJ_PWp-wif18yQWnEh8NbEZJdxRvtHUkLdjekdqg2VR26obR4yp-4VJkr-ZkyzWaV5CtaSzHBjkbTW_DO6N5WhFJIH8snCGLY7cBaDkqkm8GOz0jSjrUiHXg9K-BcTdewPIuIMNtoTO9mB8F4vXnYJLe4KDbpVuaKdXBjQ/0908_1982773564820.doc?download&psid=1
https://lfnx1w.sn.files.1drv.com/y4mtE6o_kK7x8cmUgKp0VUxRYEa88Cor_TAkOhPRTBRzcoTMGAs76yBi50duLoxIQ4bdXKzfMPM4TOJkDDvAdboBTnBWfQloNIwG6mgwXdyk312k8zC06n34F6gurR2Y7qFUblVLlU7pTXJUzbndyVKMt4qbITM1aXOsRpZozoEdVUcipKf8OR8rlIPKSwq8G8JixhecXtHs_2xvXIyec06BQ/0908_1982773564820.doc?download&psid=1
https://pfr1oq.bl.files.1drv.com/y4mWljs0Ll37VplgxyI4MqUy6itQH3V8dw19cWcXGmLNbshi0qUxjGKL8Liauvjxp4CBkg8KJhl3dzDg2NtwB_9HnTmKnJLurIAOqMidr8BvW5MH3X89piXC7Fn3tEIgm_IBK28lFFRGm8R2ndjmyKR1KMREmvKee80tbXqmR969SfwkfVTD5sQmGhSSO09vbyc4EOS5HlUsO-BX__AZHKypQ/0908_3615818147478.doc?download&psid=1
https://pfr8ga.bl.files.1drv.com/y4mxCzElb_CmNJTzzaezqsmC9vHTd_469zNEDzefGMXxhejDSfiEj_t085SQKG9tCUtt6F83gTd4HdViyrA7G8ZPdl1SLzTLjN1InzaMI6XWPxtECF_qq_32XQsF_Sd5URLDq89DBvJm-gSFXMDSiAJDq8VtbPkRQm4i8uYABshLYMbOXn2oBx5ZNN42f1ncsHvJnVSXwbxep-oJ9OdjRriRw/0908_3495938409326.doc?download&psid=1
https://pfthcw.bl.files.1drv.com/y4mpC-okgbQtjujQ5S_kp3tXAjQh_rMFA4T-5ntjqUskMxoMI2SRB72_jlXdtpVni6l3P2RVBH9UUpcYLMSoS4teQ-Izk7UTXCZItOCCOzVs5DZmqc9XLggYb5_FC8De6Xoxyna-a7Xig6NVEWoQQwxHs8namu_aNRz_x0HTgV3GxL3Ui6PaRNshvqkMbu4pPM0SFP7X4kv28fylXcbH7w5Vg/0908_3043392604904.doc?download&psid=1
https://pftoug.bl.files.1drv.com/y4mxGs-eOWeTkzjzcXKCV9D1yNUavjIr8BumNBOZ5xIqGjPBLzuYfCRzzfFf7HfCB4qhBGueXSDMWVk1Rw2lxApoqZ7W10ozjtcEuAPMVT6NdRlfuti5qHJ5i6_3dKfAVtwQPEXjgAk121VyqCZVIFzQeKdEAgYICKKb_ZKYH6J0jMY7TGZy7DvSumhi-mPnYX0qQzNm13Rk630Nw9SsUBrHw/0908_726776075140.doc?download&psid=1
https://qgkd3a.bl.files.1drv.com/y4mxIrbZSgMPvRhngMS2ePRqccXiGCJ_Mv6263R2groUjmjxP0-iRUHMn2qtoTKDq0adMOdMAgjlR7rFZSn-sf8mxPjvUVRfjhrnxS5Lqc1vdGeM0VacNcto_m1nCTX1eNmt8daHJPq2XRpSb5cj7ovnMp7Nkvip5PpAXS1Fk7SqFb7Y5fvTSjArZ2RLT747XyEjbGt7u3_o4BGITiiBUL1Uw/0908_1820491583793.doc?download&psid=1
https://qgmqlw.bl.files.1drv.com/y4mmZqY84gWpzZe5GhJPJYKfQ8FIDvZzuYbqvEcF3X7ZOkv_w6AT0bL65-37KlLl-y6auqahAN9FvKCuG64E9S-kwaj-3Y6-O7w870dnYw0mt_NSB76j3Nxo0qxzRQ2OpZmdfiWZm9qWSj4QLLMgXmEI2fSQh-8ZDbb6KRAfIPUKU12hsUr_Mckffk4gl5Kea82cRLe981NS9PmUSpUNYbP6A/0908_768021906924.doc?download&psid=1
https://qo9exg.dm.files.1drv.com/y4mZdTppjV9T7dpNudOBdV1tzQ-padJ-1xSCe6ovEpWLyiPPlXKAWx0wTLKRTLIBYcPdkoGRy75VCMOzFzFGwWR20rmimqZllru-K2EyD9A_HeBkTjt1zY7BeNWomLH9XtLsX4g_oj6qOlqKIEqTr144lB36bZMyTbXEw2zAUvTGPXFT3EEUTJGswjG5K_IyWtDnbXCkM0qBGOq8XnXMNz3RA/0908_3495938409326.doc?download&psid=1
https://qo9qcg.dm.files.1drv.com/y4mFjb5cL3vE8QOcOGEFf8F3QIb5ZLQBVDHiEKxYm7CIn6fPoVglb9ODW0wJSx256EGjJLZIwBnc8jtot_MpHWf4cA0tBMc2cXhHpnhKCKGqPZNeqkBLRly1Yr37hUHSwROR7rcwV4uErYMTQdPFa8aBq2Wj7zvtPZLB2o2_ZtctoRN_8FvxtAzwQtZOFQ2trUiv5NpcmnzdzQ7qKHPnIAnpQ/0908_3615818147478.doc?download&psid=1
https://qo9qcg.dm.files.1drv.com/y4mMYJN9xxbMpF0BllgS-qsZCvW0dgGyV0dmRI1XzGORmjyImKXSfnUBo44SC9V8J9WZWpeNGUGvmDHA4AN35jTJBAwm3ctG9jyiwXlAgmF6LrlCatw0jX9mUT8x5BcJxe7CIrulCZZ62wnQpzv2hPR8Vrab6C6PI_63YsmBcRXjl1u0gBaqVkjIgLlk95GdgppqobLW_2e5Bmik4BLEqiuxg/0908_3615818147478.doc?download&psid=1
https://qoqkqq.dm.files.1drv.com/y4m0wipiuNr9JIsWc8pk9nPvSP_B216w2EBEKnRjwlj7LBjubmvfgdHAyU6My_hK3s-DvKfTF2kYK4Xnz7JoD3sEvwhn6RQ2n0XzfYo89OQIeKhSYtbpRKTkQWws5Z5WoLOoMAmvYf3VO4ok8O2tBVQ9GF_rFVmlUAorO6SiNFB72y6rn1Pi44vA50g9UzaI6a224G0CWgUKQ6ABztb-BpYOw/0908_3382318512000.doc?download&psid=1
https://sejdra.dm.files.1drv.com/y4mZpCFaj-tc-DXPf8DN1ILnOIA-KZbErIJm-mDBTeTG35lVhYG7hNqn--d3kaVTW2QA983E0IRfHkNPZw7SeI5dim3bGk5J9gk4Drsyu1q_dXM8br1ehGX23DE26zmKBLPc948l0nZ0h9mABXW9IzVsjSCgoHEMx-XHdD4nQuAcCswAbnglfHVI-5xDcT4CtA7TpcmqnYvMHjzoSZPi9PtHA/0908_3615818147478.doc?download&psid=1
https://sejkiw.dm.files.1drv.com/y4m4P9Ba3Nz5J4hfnBfjU6FblSy3lUdccbX8lOyxvzpbi-NEA314b9CscgQcCbyFtwoxELUWCvsuQCI_qrpiet0vYy_0wMYSA0Y7tVj3LEJY81m1C6kMP5O9XvNx_D8S5AB6-COllpmvl6LPQK4TWyqBpnV96JqPMls44Ft0JYJzpsy7lxU1VouIbUWMVt8Vr2QG-k5Roz48yPxgFJmERYo9w/0908_4573554488090.doc?download&psid=1
https://sejkiw.dm.files.1drv.com/y4mOD8t2LqIhKi4HgNXebKzc0FMC2p9qyEs1dbXwOkn3dE8eaao7Fa5KSXzLvZiKCpiFJ6IvnT_c6bj3Wp41TWLgrV9Zs7Dt5LuKrjDQpn-NqLQ9YSoFy-H0woNf68YA5KVYiEplSOzuPWECx-b5ZpxzcubnrBWJdy_kbigszfvZN26CqCZDRsCh3kqTm57vhDnE21D64S5wvGymNBC8UsilA/0908_4573554488090.doc?download&psid=1
https://tfeu6q.dm.files.1drv.com/y4mMp5yquLFOh0Vf2g7-HEcQ7Mzys-ZNcG9XY6tbc0ITrYw3KfbC2FYsYnnDyoAUAIyd2AsHLpmH1kEqRij-SnrdmAD8lEjJSb-4XLVKd1UQG6Za5xNZd0H2BXGv8qhxO_N-BpHXJMKN9r92-2KSGVHuWEU9i-EmVyOjNnl7_v59l3Kh6JWgXoVsdA9N5EBgERO1aQOmP15nNGUp59CCjIrUQ/0908_3674663753075.doc?download&psid=1
https://tff5da.dm.files.1drv.com/y4mYlsUhJ-Hkg1oHII_yhYWbPIRvXxlQYICiRh5l5S5JyjyvTGNbCX4DUagvCHbfvJcR-st879TdVFhBLO7jAOFlsdDKvQojvkwuLIEwDRW67Ho_rvQlBc9KzNi8E0zWQoWcPpYUMEelGA6VrDYdAmvxvdr7zST-USNt7ErsVT0HBwFcYAxA58FVpxEnO4spR7NiyAXl_jrOdn7r7C3XZe2dg/0908_4652590689245.doc?download&psid=1
https://yxscrw.dm.files.1drv.com/y4mHW1OSoGXtr-Mux20Q7mc0Bm4dwuCq5BTqfEu49LZTl60dPhd_dYD5qhHOIhFK7uyc--sOeExHqqsjAmXk4NolsolZ-r9B-QIbDFEp631XJzxkOQ2l3Jc7KcdN-0Kwze6g1SJNA_MFhGS1drZauCPSCB8PrUldzta1aFG3E-upP0OtEdoYWIYfSSYAvenL2YIQuL75rgcvxd7u0Nq9b1IlA/0908_1926575701456.doc?download&psid=1
https://yxsvaa.dm.files.1drv.com/y4mKzT2azMTCmsIIz092Zax2Ijaq4BWubg2_HeqtKRc8KfA2WYF__Q3csTEphI2BB8AYnym89u3wCx1QsXPUS6Oz1PekH9PPNJLl5qY5QJOx7ymUXvw0nbO67nGnDLGNHpTHWhAjyOQfOvVOm3yGALa6saDVS2mnj75FkGXYKJnT2kno-KAiMR-tEjTSpNQWAQ_mgHuLCmf3tyNfMiaQowzSg/0908_1433632206833.doc?download&psid=1
https://yxtl6q.dm.files.1drv.com/y4mFooQkDL3Zz3MVsVD0znPYWAi1LftnlpuXABgVpT_WLBbEOHPqk6YxS1xD0gcasuBlAunrPksaWx0KjnReq7tGjY6PmhbxzNxq1niJPkl8dRTu_vDmEgAXwvHfqp63IXKYUfIjNcFEMrs9hAZP1tnznJ1utsxoFJHan-JgdLKJksY-ahnAFS0Daj6uzoQcO0HRybm-dc0KONT4VEudQUYew/0908_3674663753075.doc?download&psid=1
MALDOC FILE HASHES
09a2872294d089c5b78d5bf4baea7ef4
0a832cd8e3a03edec222c5e439fc8745
128dce3f819108c1ef249252abfa3958
2c31f9a4c0f43c2d576940ac09c6c8ef
2f25e3893d304273ed75b2e985884bcb
2feeb467a5f977048c7791d77c442f8c
4394c24ff129cf373a844636fb435f7b
44800dfc6ddf564f57bbfa1b3eaab2a9
512bf2e7c344b5b9dce4e0ad126b3445
66038dc0bc706cb3a430b4d817ffe6c3
7be586e116427f79c0b9dc51d3f5419a
8be8ded3d3e3d02a63b0f8883710464b
985430bde7046f60da665fb65a15d5b5
d020be88b48df5fb210fa49001d46346
d0f538245adf2283f80d1309aefe955f
dd0641163ad4a5c195b7181c28b4ae34
e057bf3ed42e7d2ddd0760ce887f9bab
e1bfd913888da72cd36d8f559efb5a30
EMBEDDED DOC FILE HASH
reform.doc
4300d8752edf88fb9e3881d22ee3187e
HANCITOR PAYLOAD FILE HASH
hhhh.mp3
d2c1a8831babe70804def9f78c09fb69
HANCITOR C2
http://kedaeclas.ru/8/forum.php
http://olocratim.ru/8/forum.php
http://takitrisexp.ru/8/forum.php
HANCITOR BUILD NUMBER
BUILD=0709_baxc7
COBALT STRIKE STAGER DOWNLOAD URLS
http://klistr0n.ru/0709.bin
http://klistr0n.ru/0709s.bin
COBALT STRIKE STAGER FILE HASHES
0709.bin
27a7b6a85320a143c042bfde5166b0f5
0709s.bin
dcb484b4aa438d44999a5bc415e6a548
COBALT STRIKE BEACON DOWNLOAD URLS
http://23.160.193.55/l7vC
https://23.160.193.55/4jEy
COBALT STRIKE BEACON FILE HASHES
4jEy
5eb43a0bd264e604a3e9ce12a4f2ed6e
l7vC
81f2d0565935cba4cef7465b5dd2dd32
COBALT STRIKE C2s
http://23.160.193.55/ca
https://23.160.193.55/push
COBALT STRIKE BEACON CONFIGURATIONS (extracted using Didier Stevens' 1768 Python script)
File: 4jEy
xorkey(chain): 0x57530c65
length: 0x00033800
payloadType: 0x10015044
payloadSize: 0x00000000
intxorkey: 0x00000000
id2: 0x00000000
Config found: xorkey b'.' 0x00030620 0x00033800
0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port 0x0001 0x0002 443
0x0003 sleeptime 0x0002 0x0004 60000
0x0004 maxgetsize 0x0002 0x0004 1048576
0x0005 jitter 0x0001 0x0002 0
0x0007 publickey 0x0003 0x0100 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
0x0008 server,get-uri 0x0003 0x0100 '23.160.193.55,/push'
0x0043 0x0001 0x0002 0
0x0044 0x0002 0x0004 4294967295
0x0045 0x0002 0x0004 4294967295
0x0046 0x0002 0x0004 4294967295
0x000e SpawnTo 0x0003 0x0010 (NULL ...)
0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 'GET'
0x001b post-verb 0x0003 0x0010 'POST'
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 1580103824
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x000d http_post_header 0x0003 0x0200
b'&Content-Type: application/octet-stream'
b'id'
0x0036 HostHeader 0x0003 0x0080 (NULL ...)
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 '\x00\x04'
0x0039 0x0003 0x0080 '\x00\x04'
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc 0x0002 0x0004 0
0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub 0x0003 0x0010 '"+\x8f\'Ûߺ\x8dÝU\x9eì¢~¦H'
0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000
File: l7vC
xorkey(chain): 0x2cf39417
length: 0x00033800
payloadType: 0x10015044
payloadSize: 0x00000000
intxorkey: 0x00000000
id2: 0x00000000
Config found: xorkey b'.' 0x00030620 0x00033800
0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port 0x0001 0x0002 80
0x0003 sleeptime 0x0002 0x0004 60000
0x0004 maxgetsize 0x0002 0x0004 1048576
0x0005 jitter 0x0001 0x0002 0
0x0007 publickey 0x0003 0x0100 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
0x0008 server,get-uri 0x0003 0x0100 '23.160.193.55,/ca'
0x0043 0x0001 0x0002 0
0x0044 0x0002 0x0004 4294967295
0x0045 0x0002 0x0004 4294967295
0x0046 0x0002 0x0004 4294967295
0x000e SpawnTo 0x0003 0x0010 (NULL ...)
0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 'GET'
0x001b post-verb 0x0003 0x0010 'POST'
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 1580103824
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAM2)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x000d http_post_header 0x0003 0x0200
b'&Content-Type: application/octet-stream'
b'id'
0x0036 HostHeader 0x0003 0x0080 (NULL ...)
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 '\x00\x04'
0x0039 0x0003 0x0080 '\x00\x04'
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc 0x0002 0x0004 0
0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub 0x0003 0x0010 '"+\x8f\'Ûߺ\x8dÝU\x9eì¢~¦H'
0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000
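The two 1768.py dumps above, as an added parsing example (not part of the original post and not Didier Stevens' tool): a Python parser for this dump format that reads each `File:` block into options keyed by option id, copes with options that carry no name (0x0043 and friends) and with the `b'...'` continuation lines under the header options, then derives each beacon's GET/POST URLs, user agent, spawnto and license-id. The embedded SAMPLE is an excerpt of the two dumps on this page limited to the options the parser reads.

```python
"""Parser for the 1768.py beacon-config dumps above.

Added example, not part of the original IOC post and not part of Didier
Stevens' 1768.py. SAMPLE is an excerpt of the two dumps on this page (only the
options this parser reads), kept in a raw string so the repr-style escapes in
the original output survive verbatim.
"""
import ast
import re
from dataclasses import dataclass, field
from typing import Dict, List

# option id, optional name (may contain spaces or be missing), type, length, value
FIELD_RE = re.compile(r"^(0x[0-9a-f]{4})\s+(.*?)\s*(0x000[1-3])\s+(0x[0-9a-f]{4})\s*(.*)$")


@dataclass
class Option:
    name: str
    kind: str
    value: str
    extra: List[str] = field(default_factory=list)   # following b'...' lines


def _decode(raw: str) -> str:
    """Turn a repr-style '...' value back into the real string; others pass through."""
    if raw.startswith("'") and raw.endswith("'"):
        try:
            return ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            pass
    return raw


def parse_1768(text: str) -> Dict[str, Dict[str, Option]]:
    """Return {file_name: {option_id: Option}} for every 'File:' block in the dump."""
    configs: Dict[str, Dict[str, Option]] = {}
    current: Dict[str, Option] = {}
    last = None
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if line.startswith("File:"):
            current = configs.setdefault(line.split(":", 1)[1].strip(), {})
            last = None
        elif m:
            oid, name, kind, _length, value = m.groups()
            last = current[oid] = Option(name, kind, _decode(value))
        elif line.startswith("b'") and last is not None:
            last.extra.append(_decode(line[1:]))   # header lines belong to the option above
    return configs


def summarize(cfg: Dict[str, Option]) -> dict:
    """The handful of options a defender acts on, looked up by option id."""
    proto = cfg["0x0001"].value.split(None, 1)[1]   # e.g. windows-beacon_https-reverse_https
    server, get_uri = cfg["0x0008"].value.split(",", 1)
    return {"scheme": "https" if "https" in proto else "http", "server": server,
            "port": int(cfg["0x0002"].value), "get_uri": get_uri,
            "post_uri": cfg["0x000a"].value, "useragent": cfg["0x0009"].value,
            "get_headers": cfg["0x000c"].extra, "spawnto_x64": cfg["0x001e"].value,
            "license_id": int(cfg["0x0025"].value)}


def urls(summary: dict) -> List[str]:
    """Full GET and POST URLs; the port is shown only when it is non-default."""
    default = 443 if summary["scheme"] == "https" else 80
    host = summary["server"] if summary["port"] == default else f"{summary['server']}:{summary['port']}"
    return [f"{summary['scheme']}://{host}{summary[k]}" for k in ("get_uri", "post_uri")]


def shared_license(summaries: List[dict]) -> bool:
    """True when every beacon carries the same license-id (same licensed Cobalt Strike copy)."""
    return len({s["license_id"] for s in summaries}) == 1


# Excerpt of the two dumps above, restricted to the options read by summarize().
SAMPLE = r"""
File: 4jEy
0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port 0x0001 0x0002 443
0x0008 server,get-uri 0x0003 0x0100 '23.160.193.55,/push'
0x0043 0x0001 0x0002 0
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x0025 license-id 0x0002 0x0004 1580103824
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x0000
File: l7vC
0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port 0x0001 0x0002 80
0x0008 server,get-uri 0x0003 0x0100 '23.160.193.55,/ca'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x0025 license-id 0x0002 0x0004 1580103824
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAM2)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x0000
"""

if __name__ == "__main__":
    parsed = {name: summarize(c) for name, c in parse_1768(SAMPLE).items()}
    for name, s in parsed.items():
        print(name, urls(s), s["useragent"], s["spawnto_x64"])
    print("shared license-id:", shared_license(list(parsed.values())))
```

The identical license-id 1580103824 on both beacons is what ties the HTTP and HTTPS listeners to one licensed Cobalt Strike copy; the two user agents and the shared /submit.php POST URI are the strings to put into a proxy rule, and spawnto_x64 resolving to rundll32.exe is the process to watch for beacon post-exploitation jobs.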