2021-07-12 (MONDAY) - HANCITOR (CHANITOR/MAN1/MOSKALVZAPOE/TA511) ACTIVITY

DATA FROM 20 MALSPAM EXAMPLES:

19 SENDING IP ADDRESSES USING SPOOFED DOMAIN NAME:

- Received: from convertuid.com ([43.128.105.214])
- Received: from convertuid.com ([45.248.84.19])
- Received: from convertuid.com ([46.173.205.194])
- Received: from convertuid.com ([61.231.156.8])
- Received: from convertuid.com ([88.7.254.144])
- Received: from convertuid.com ([88.12.57.72])
- Received: from convertuid.com ([91.90.176.250])
- Received: from convertuid.com ([82.81.111.233])
- Received: from convertuid.com ([92.177.111.98])
- Received: from convertuid.com ([98.189.198.251])
- Received: from convertuid.com ([103.142.191.248])
- Received: from convertuid.com ([103.214.146.63])
- Received: from convertuid.com ([107.15.74.101])
- Received: from convertuid.com ([114.241.109.197])
- Received: from convertuid.com ([123.171.14.52])
- Received: from convertuid.com ([173.82.64.61])
- Received: from convertuid.com ([189.39.36.221])
- Received: from convertuid.com ([198.15.119.68])
- Received: from convertuid.com ([212.139.18.30])

20 SPOOFED SENDING ADDRESSES:

- From: "DocuSign Electronic Signature Service"
- From: "DocuSign Electronic Signature Service"
- From: "DocuSign Electronic Signature Service"
- From: "DocuSign Electronic Signature "
- From: "DocuSign Electronic Signature "
- From: "DocuSign Electronic Signature "
- From: "DocuSign Electronic Signature "
- From: "DocuSign Electronic Signature and Invoice Service"
- From: "DocuSign Electronic Signature and Invoice Service"
- From: "DocuSign Electronic Signature and Invoice"
- From: "DocuSign Electronic Signature and Invoice"
- From: "DocuSign Signature Service"
- From: "DocuSign Signature "
- From: "DocuSign Signature "
- From: "DocuSign Signature "
- From: "DocuSign Signature "
- From: "DocuSign Signature "
- From: "DocuSign Signature and Invoice Service"
- From: "DocuSign Signature and Invoice"
- From: "DocuSign Signature and Invoice"

10 DIFFERENT SUBJECT LINES:

- Subject: You got invoice from DocuSign Electronic Signature Service
- Subject: You got invoice from DocuSign Service
- Subject: You got invoice from DocuSign Signature Service
- Subject: You got notification from DocuSign Electronic Service
- Subject: You got notification from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Service
- Subject: You received invoice from DocuSign Electronic Signature Service
- Subject: You received notification from DocuSign Electronic Service
- Subject: You received notification from DocuSign Service
- Subject: You received notification from DocuSign Signature Service

20 FEEDPROXY LINKS FROM THE MESSAGE TEXT:

- hxxp://feedproxy.google[.]com/~r/aamzrouwzqw/~3/OIhl8zukDU4/jobber.php
- hxxp://feedproxy.google[.]com/~r/aofdoxjeqea/~3/iuK0EQr0s50/adding.php
- hxxp://feedproxy.google[.]com/~r/bgizyfo/~3/My1gbwbdQxM/autobiography.php
- hxxp://feedproxy.google[.]com/~r/ddmdrwopkh/~3/n3v8VgU-6JI/electro.php
- hxxp://feedproxy.google[.]com/~r/dlyzzl/~3/08yRj-vKY0g/bomber.php
- hxxp://feedproxy.google[.]com/~r/ghebljiz/~3/fejWuMiBjQs/bouncer.php
- hxxp://feedproxy.google[.]com/~r/jwswdkj/~3/PboyzzdLDzw/achievement.php
- hxxp://feedproxy.google[.]com/~r/kgamcgzjlon/~3/ybcUXP6ULUE/sake.php
- hxxp://feedproxy.google[.]com/~r/lwckewphq/~3/dlZPlGSDwA8/signaler.php
- hxxp://feedproxy.google[.]com/~r/nmrygkkelcn/~3/cRNAP-4Kchk/participating.php
- hxxp://feedproxy.google[.]com/~r/pqfapkof/~3/cg3hQOyyv1c/sad.php
- hxxp://feedproxy.google[.]com/~r/qxepbiho/~3/I1LSZq1PR8s/trafficked.php
- hxxp://feedproxy.google[.]com/~r/tbyvifzlqxc/~3/hSHgPh0RRlE/staunchness.php
- hxxp://feedproxy.google[.]com/~r/tjazygwa/~3/46rfXdUDOlg/pollinate.php
- hxxp://feedproxy.google[.]com/~r/ubheca/~3/0HrENsYcYg0/clasp.php
- hxxp://feedproxy.google[.]com/~r/ufyezjtkhb/~3/sl-3zP5QZiY/vantage.php
- hxxp://feedproxy.google[.]com/~r/xzjaqidozp/~3/uiizj9uzuds/decanter.php
- hxxp://feedproxy.google[.]com/~r/yycztyeynb/~3/O_L0Y0pHPn8/wheeze.php
- hxxp://feedproxy.google[.]com/~r/zfrke/~3/kbXdKMeWXXI/skimmer.php
- hxxp://feedproxy.google[.]com/~r/zqztw/~3/Yhw5DKajWQQ/wastefully.php

ABOVE LINKS REDIRECT TO 20 URLS THAT SEND THE WORD DOCUMENT:

- hxxp://2020disposalservices[.]com/bouncer.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ghebljiz+%28eruditionrack%29
- hxxp://an.nastena[.]lv/achievement.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+jwswdkj+%28promptingliquidate%29
- hxxp://mohammadtalks[.]com/skimmer.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zfrke+%28semiexpendableflammability%29
- hxxp://mohammadtalks[.]com/vantage.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ufyezjtkhb+%28rectifierasterisk%29
- hxxp://odas.ubicuo[.]site/participating.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nmrygkkelcn+%28abasivemob%29
- hxxp://odas.ubicuo[.]site/sad.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+pqfapkof+%28rosecowgirl%29
- hxxp://odas.ubicuo[.]site/signaler.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+lwckewphq+%28absolutenessshovelling%29
- hxxp://pphc.welkinfortprojects[.]com/electro.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ddmdrwopkh+%28grenadieradvocacy%29
- hxxp://seatranscorp[.]com/adding.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+aofdoxjeqea+%28assessescopyholder%29
- hxxp://seatranscorp[.]com/decanter.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+xzjaqidozp+%28tubulerah%29
- hxxp://seatranscorp[.]com/wastefully.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zqztw+%28salablesquatted%29
- hxxp://www.seryzpiekielnika[.]pl/wheeze.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+yycztyeynb+%28hatredsparing%29
- hxxp://turquoisecoaching[.]co[.]uk/staunchness.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+tbyvifzlqxc+%28mildewdeclass%29
- hxxp://www.agfphx[.]com/clasp.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ubheca+%28discontinuedsickish%29
- hxxp://www.mintechindia[.]com/jobber.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+aamzrouwzqw+%28rebussuggestion%29
- hxxps://affirmingyourlife[.]com/bomber.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dlyzzl+%28protegeomega%29
- hxxps://amazingholidaysmaldives[.]com/sake.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+kgamcgzjlon+%28pretentiousnesstoffee%29
- hxxps://autoscrapforcash[.]com/trafficked.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+qxepbiho+%28glandularbundled%29
- hxxps://player.ebmstreaming[.]eu/autobiography.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+bgizyfo+%28oozequinary%29
- hxxps://www.ivrvirtualsolutions[.]com/pollinate.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+tjazygwa+%28headwaypalate%29

SIX EXAMPLES OF DOWNLOADED WORD DOCS:

- ba50aec821d7d7ce4b89d46118bc403e4b1d1fbf1988bec8c1a916f2bfc971f0  0712_0270003238.doc
- 37965d058a349b0f619051664bb9c703dea11f097a0f37ad4a9d924cb1e76101  0712_2172200614.doc
- 6c23b78efd34d5f7207287ba8364147b04559c711c7f32f15814c374aabf3d4b  0712_3006077542.doc
- b79e96afa72d526d19cc7f01a12ba48fd7d56b24f7f7521e4e01964b891834f4  0712_3830710356.doc
- 92d61bfb563722fc32a78ba7aabfb98cf984004309ca32c09667de4d10592a13  0712_5782248107.doc
- 3ce1b2cc72f6c38a2651fbbdc9ff8a48ab6d8209eb4eff1f8869f4f67d65d391  0712_7248864204.doc

SIX EXAMPLES OF HANCITOR DLL FILES DROPPED AFTER ENABLING MACROS:

- 2d2827524542f1f2001a3e92f9ecdaa22cd05ef8ec41143f02eb5cd6dc2c0a16
- 346c87680684bd412d1e71c831512ea165f6ccf06cf2fb605b3cb5b2b7b0ee2d
- 824618bdc40241bb5eeec62f833571dbad017a9f9b1b0b569dce76eddf099db6
- a2fdece6e4333d1aef1c9ae499c0771b2c1f5583dae865aee81bc769123481f8
- efa0bd07f38eed45809c73979c34fbde035c03539bd68df5d760576c39390ae1
- fcb1666d5a122088c6c0cede4308c43d25c0bce15e0825a0ee21c249403047d7

LOCATION OF HANCITOR DLL FILES:

- C:\Users\[username]\AppData\Roaming\Microsoft\Templates\ier.dll

HANCITOR DLL RUN METHOD:

- rundll32.exe [filename],HINYYIMIVRX

FICKER STEALER MALWARE:

- SHA256 hash: dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
- File size: 272,910 bytes
- File location: hxxp://pirocont70l[.]ru/7hjujnfds.exe
- Note: File first submitted to VirusTotal on 2021-06-09

HANCITOR C2 TRAFFIC:

- port 80 - api.ipify[.]org - GET /
- 194.147.115[.]74 port 80 - trictuatiove[.]com - GET /8/forum.php
- 194.147.78[.]155 port 80 - olinsartain[.]ru - GET /8/forum.php
- 194.147.115[.]74 port 80 - factoothfand[.]ru - GET /8/forum.php

TRAFFIC FOR FICKER STEALER:

- 8.211.241[.]0 port 80 - pirocont70l[.]ru - GET /7hjujnfds.exe
- port 80 - api.ipify[.]org - GET /?format=xml
- 95.213.179[.]67 port 80 - pospvisis[.]com - TCP traffic (not HTTP)

TRAFFIC FOR COBALT STRIKE:

- 8.211.241[.]0 port 80 - pirocont70l[.]ru - GET /1207.bin
- 8.211.241[.]0 port 80 - pirocont70l[.]ru - GET /1207s.bin
- 92.119.157[.]4 port 443 - HTTPS traffic
- 92.119.157[.]4 port 80 - 92.119.157[.]4 - GET /8Qkh
- 92.119.157[.]4 port 80 - 92.119.157[.]4 - GET /dot.gif

NOTE:

- Traffic to api.ipify[.]org is to a legitimate IP address checking service, which the malware uses to check the public IP address of the infected Windows host.