TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
TLP: WHITE | Adversary: TA505 | Author: AlienVault | Created: 2019-12-20 | Modified: 2020-01-23
ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others.
MITRE ATT&CK & Malware Families
Malware families: ServHelper
Indicators of Compromise (83)
TYPE INDICATOR CREATED
domain cafafafa.xyz 2019-12-20
domain letitbe.icu 2019-12-20
domain 0926tv.xyz 2019-12-20
domain foxlnklnk.xyz 2019-12-20
domain gabardine.xyz 2019-12-20
domain artrolife.club 2019-12-20
domain supremeconnect.xyz 2019-12-20
domain soul-fly.xyz 2019-12-20
domain kuarela.xyz 2019-12-20
URL https://soul-fly.xyz/api/gate.get 2019-12-20
URL http://foxlnklnk.xyz/pf1.txt 2019-12-20
URL http://cafafafa.xyz/pf1.txt 2019-12-20
URL http://kuarela.xyz/1.txt 2019-12-20
URL http://letitbe.icu/2.txt 2019-12-20
URL http://gabardine.xyz/log.txt 2019-12-20
URL http://0926tv.xyz/mystt34834ujf37data/ 2019-12-20
URL http://96.9.211.157/sdf4r3r3/WinDef.msi 2019-12-20
URL http://supremeconnect.xyz/fdfg83574gd/file2.exe 2019-12-20
URL https://artrolife.club/fhj37f34fdd/file1.exe 2019-12-20
FileHash-MD5 c3c226ec03f393103b9df764df50f0bc 2019-12-20
FileHash-MD5 9aa1b6bb7d53b008b6529b4a2f6bfada 2019-12-20
FileHash-MD5 a606d454b408b99aa9fc7ad774951621 2019-12-20
FileHash-MD5 92cc85c53e169b330fd8686d35259261 2019-12-20
FileHash-MD5 a2e77ee41f4d4d3e8814d07d26ec5be3 2019-12-20
FileHash-MD5 6954cee9db2533337e4425aceacc547b 2019-12-20
FileHash-MD5 a511410d5889fca07a0dd0a8c84d6c8a 2019-12-20
FileHash-MD5 de70f256b9fd194f6844d7aa81b17b4e 2019-12-20
FileHash-MD5 77f46b13d858f83c3ce5bdc6ffbc8a95 2019-12-20
domain iluj.in 2020-01-23
domain jpiluj.in 2020-01-23
domain nagomi-753.jp 2020-01-23
domain elast.pw 2020-01-23
domain solsin.top 2020-01-23
domain appmakosoft.hu 2020-01-23
domain fakers.co.jp 2020-01-23
domain microsoftsyncservice.biz 2020-01-23
domain test-service012505.com 2020-01-23
domain koppepan.app 2020-01-23
domain 0141koppepan.com 2020-01-23
domain newfolder2-service.space 2020-01-23
domain greenthumbsup.jp 2020-01-23
domain nanepashemet.com 2020-01-23
domain windows-several-update.com 2020-01-23
domain windows-update-02-en.com 2020-01-23
domain makosoft.hu 2020-01-23
domain office365onlinehome.com 2020-01-23
domain bigpresense.top 2020-01-23
domain fakers.co 2020-01-23
domain kentona.su 2020-01-23
FileHash-SHA256 af32547cb924616388bc3dbe2381f7f5162bf4c6c9c7257b17464de72642898f 2020-01-23
FileHash-SHA256 fa26eae15fb442870fd54923a0834dc21967de139d8ad90e29239ee46e05ca1e 2020-01-23
FileHash-SHA256 780e4c850a39d7ded84c4939fab7258a408b1e3d9539dd730423a88c0c83bee5 2020-01-23
FileHash-SHA256 6e820b5732cd8bb95546cf39aeb6babe90cf4cc7dde675b718710babcf1740b5 2020-01-23
FileHash-SHA256 5ccdc32028cbdd6f753ca9f014f5afde95cc1cf5ba34433d22296e3da68f496c 2020-01-23
FileHash-SHA256 b620f94f1cb6f6c98d7afb6fd36f14534de67e329fd6f92573b665d6076f4aab 2020-01-23
FileHash-SHA256 a26f24913d009a721e934c2156a6f4d062f685c38eec080e047b2d2577facd60 2020-01-23
FileHash-SHA256 6d588a14706bf9342e9d4079bc2b74ab397e92e11da933b074eea767dd770923 2020-01-23
FileHash-SHA256 b5c4c3762afe27d7463a13ec74f7579fb6d4c3be88bc4983d8b422584e97a4b1 2020-01-23
FileHash-SHA256 4bf7ea981b3e13b9aaae77a3588c466dce8ca5e3c93297eccac8cb5144ef17c8 2020-01-23
FileHash-SHA256 d3ceb6cdf60e88e7b29acba11edc6e46047843fa7cb47942ebaf5baf53760d76 2020-01-23
FileHash-SHA256 4a60e98cb166e9c5a990ad9d981930cce59691b4a5dd30417edba1e79e327c75 2020-01-23
FileHash-SHA256 6f90a4a63ad13b5aba41ae9699f33efc103b2243f85cb58bf7fe93bd6779d1c2 2020-01-23
FileHash-SHA256 537d3da83324795ebf52e8a471f6156ee63c285940405e3f901558984fccb90e 2020-01-23
FileHash-SHA256 526c06c8ab593c2c41170f58786ebdf3913d6c1361c53231f11bad70f90bc8bd 2020-01-23
FileHash-SHA256 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 2020-01-23
FileHash-SHA256 89261bfecbf9f3fe5387058c975cab3a3ec1cc21c6db19cc25d44f9d74403c5d 2020-01-23
FileHash-SHA256 b26b53e917d256cb4fc6876ccdf400b88d736ebe44180bad6ef4a54bffdf8cc4 2020-01-23
FileHash-SHA256 515cfe8187a3aaa2bf445b523a11dec7e775f303f56bcf8b9762f5827a789fe7 2020-01-23
FileHash-SHA256 56097c4fd04ad9acf45f9964494b0fcac33b0911e7a27b925e98e3444989af0c 2020-01-23
FileHash-SHA256 63b38f16efc54401f83a2432839dc4d0e402512a1f7588a241f36761b0a069db 2020-01-23
FileHash-SHA256 b5088b0ca7f3d2dcb5a2d0976dc64c19169d854201961205f67769db5191e6ed 2020-01-23
FileHash-SHA256 18dbe180b55a7f756ebbfabef3f6f045b6b859779dba8ccbc36503d17b0566d7 2020-01-23
FileHash-SHA256 ca1424b1fcb50dd65b804fc26ccf788e727e74c2d1bb052ee1859ef4ef72921c 2020-01-23
FileHash-SHA256 64213c2f1198aa38dafe28ddcc0cd7a010a6e2df44f2de160d7d82f304f7f7c7 2020-01-23
FileHash-SHA256 b475f14a1ffdeaf883c73e97724544b9bba0f6c481830bd25e3ba0d0f69b9181 2020-01-23
hostname ltd.dbaimena.ua 2020-01-23
hostname redmond.corp-microsoft.com 2020-01-23
FileHash-MD5 79d1a836423c7ee57b6127cf2930a9d9 2020-01-23
FileHash-MD5 5fc6f24d43bc7ca45a81d159291955d1 2020-01-23
FileHash-MD5 0cbeb424d96e5c268ec2525d603f64eb 2020-01-23
FileHash-MD5 c6e9d7280f77977a6968722e8124f51c 2020-01-23
email nox1u9bruzgg@contactprivacy.email 2020-01-23
email armstrongdom@slimemail.com 2020-01-23