{ "type": "MD5", "indicator": "a511410d5889fca07a0dd0a8c84d6c8a", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "a511410d5889fca07a0dd0a8c84d6c8a", "validation": [], "base_indicator": { "id": 2187628377, "indicator": "a511410d5889fca07a0dd0a8c84d6c8a", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5dfcfffe67cf6fca9b9c290c", "name": "TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking", "description": "ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others.", "modified": "2020-01-23T15:07:04.860000", "created": "2019-12-20T17:08:14.623000", "tags": [ "TA505" ], "references": [ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/" ], "public": 1, "adversary": "TA505", "targeted_countries": [], "malware_families": [ { "id": "ServHelper", "display_name": "ServHelper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 30, "URL": 10, "FileHash-MD5": 13, "FileHash-SHA256": 26, "hostname": 2, "email": 2 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 376742, "modified_text": "2273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/" ], "related": { "alienvault": { "adversary": [ "TA505" ], "malware_families": [ "Servhelper" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5dfcfffe67cf6fca9b9c290c", "name": "TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking", "description": "ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others.", "modified": "2020-01-23T15:07:04.860000", "created": "2019-12-20T17:08:14.623000", "tags": [ "TA505" ], "references": [ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/" ], "public": 1, "adversary": "TA505", "targeted_countries": [], "malware_families": [ { "id": "ServHelper", "display_name": "ServHelper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 30, "URL": 10, "FileHash-MD5": 13, "FileHash-SHA256": 26, "hostname": 2, "email": 2 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 376742, "modified_text": "2273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a511410d5889fca07a0dd0a8c84d6c8a", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "a511410d5889fca07a0dd0a8c84d6c8a", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776228408.0283613 }