{
	"id": "ab6f9468-07f9-4b16-86a7-f54cda92a43e",
	"created_at": "2026-04-06T00:08:33.927495Z",
	"updated_at": "2026-04-10T03:24:24.513879Z",
	"deleted_at": null,
	"sha1_hash": "fc37424a54497569b5418520fe4073d16ff728d2",
	"title": "Hancitor activity resumes after a hoilday break - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2343070,
	"plain_text": "Hancitor activity resumes after a hoilday break - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:08:54 UTC\r\nIntroduction\r\nCampaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again. Some people have already tweeted about this year's first wave of Hancitor. See the links below.\r\nhttps://twitter.com/James_inthe_box/status/1349015970220748809\r\nhttps://twitter.com/ffforward/status/1349018081486659587\r\nhttps://twitter.com/r_jordan3/status/1349058833964961794\r\nhttps://twitter.com/executemalware/status/1349106968569536518\r\nToday's diary reviews recent Hancitor activity from Tuesday 2021-01-12, where we also saw Cobalt Strike after the initial infection.\r\nShown above: Flow chart for recent Hancitor infection activity.\r\nThe malspam\r\nOn Tuesday 2021-01-12, malspam spreading Hancitor used the same fake DocuSign template we saw several times last year. These emails have a link to a Google Docs page.\r\nhttps://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/\r\nPage 1 of 7\r\nShown above: Screenshot from one of the emails distributing Hancitor on Tuesday 2021-01-12.\r\nShown above: Link from the email redirects to a page that can generate a Word document for Hancitor.\r\nShown above: Word document with macros for Hancitor.\r\nInfection traffic\r\nAs you might expect, traffic to the Google Docs page and clicking on the link generates a great deal of related web activity, mostly HTTPS traffic. Shortly after the Word document is sent, we find indicators of Hancitor and Cobalt Strike malware. I've always seen Cobalt Strike when I test Hancitor in an Active Directory (AD) environment. If you're investigating an actual Hancitor infection, be aware that it will likely send Cobalt Strike if the victim host is signed into a work environment that uses AD.\r\nShown above: Traffic caused by the Google Docs page before the infection, filtered in Wireshark.\r\nShown above: Hancitor and Cobalt Strike traffic within an AD environment.\r\nIndicators of Compromise (IOCs)\r\nThe following are indicators associated with Hancitor infections from Tuesday 2021-01-12.\r\nDate/time of the six messages:\r\nTue, 12 Jan 2021 15:06:25 +0000 (UTC)\r\nTue, 12 Jan 2021 16:06:06 +0000 (UTC)\r\nTue, 12 Jan 2021 16:41:01 +0000 (UTC)\r\nTue, 12 Jan 2021 16:48:35 +0000 (UTC)\r\nTue, 12 Jan 2021 17:09:10 +0000 (UTC)\r\nTue, 12 Jan 2021 18:06:56 +0000 (UTC)\r\nIP addresses the malspam was received from (all with a Received: header claiming digital-negative.com):\r\nSpoofed sending addresses:\r\nFrom: \"DocuSign Signature Service\" \u003cqybacy@digital-negative.com\u003e\r\nFrom: \"DocuSign Signature and Invoice\" \u003ciqinica@digital-negative.com\u003e\r\nFrom: \"DocuSign Electronic Signature and Invoice Service\" \u003ceupanic@digital-negative.com\u003e\r\nFrom: \"DocuSign Electronic Signature\" \u003cuvizao@digital-negative.com\u003e\r\nFrom: \"DocuSign Signature Service\" \u003cnuxzoj@digital-negative.com\u003e\r\nFrom: \"DocuSign Electronic Signature Service\" \u003czwtmicy@digital-negative.com\u003e\r\nSubject lines:\r\nSubject: You received notification from DocuSign Electronic Service\r\nSubject: You received notification from DocuSign Service\r\nSubject: You got notification from DocuSign Electronic Signature Service\r\nSubject: You got invoice from DocuSign Electronic Signature Service\r\nSubject: You got notification from DocuSign Service\r\nSubject: You received notification from DocuSign Electronic Signature Service\r\nLinks from the malspam (six published Google Docs pages under docs.google[.]com/document/d/e/.../pub):\r\nURLs that returned script to create the Word docs:\r\n8 examples of downloaded Word docs (read: SHA256 hash - file name):\r\nNote: Each of the above files is 753,152 bytes in size.\r\nSHA256 for 8 examples of DLL files dropped by the Word docs:\r\nNote 1: Each of the above files is 570,368 bytes in size.\r\nNote 2: Each file was saved at C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Templates\\W0rd.dll\r\nTraffic to retrieve the Word doc:\r\nport 443 - docs.google.com - HTTPS traffic\r\n104.31.80[.]93 port 80 - savortrading[.]com - GET /sacrifice.php\r\nHancitor post-infection traffic:\r\nport 80 - api.ipify.org - GET /\r\n185.87.194[.]148 port 80 - fruciand[.]com - POST /8/forum.php\r\nBinaries used to infect host with Cobalt Strike:\r\n47.254.175[.]0 port 80 - steroidi[.]pro - GET /2112.bin\r\n47.254.175[.]0 port 80 - steroidi[.]pro - GET /2112s.bin\r\nCobalt Strike post-infection traffic:\r\n162.223.31[.]160 port 1080 - 162.223.31[.]160:1080 - GET /GvSL\r\n162.223.31[.]160 port 1080 - 162.223.31[.]160:1080 - GET /visit.js\r\n162.223.31[.]160 port 443 - HTTPS traffic\r\nFinal words\r\nHancitor has been active and evolving for years now, and it remains a notable presence in our current threat landscape. This diary reviewed a recent infection on a vulnerable Windows host from malspam sent on Tuesday 2021-01-12.\r\nDecent spam filters and best security practices should help most people avoid Hancitor infections. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these infections from happening. However, it's a \"cat-and-mouse\" game, with malware developers developing new ways to circumvent security measures, while vendors update their software/applications/endpoint protection to address these new developments. And malware distribution through email is apparently cheap enough to remain profitable for the criminals who use it.\r\nA pcap of the infection traffic, some emails, and malware associated with today's diary can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/"
	],
	"report_names": [
		"26980"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc37424a54497569b5418520fe4073d16ff728d2.pdf",
		"text": "https://archive.orkl.eu/fc37424a54497569b5418520fe4073d16ff728d2.txt",
		"img": "https://archive.orkl.eu/fc37424a54497569b5418520fe4073d16ff728d2.jpg"
	}
}