- TA505, known group that targets Banks around the world, evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
- IOC (32-hex file hashes, i.e. MD5; URLs defanged with hxxp and [.]) | Comment
- 9aa1b6bb7d53b008b6529b4a2f6bfada | ServHelper
- a2e77ee41f4d4d3e8814d07d26ec5be3 | Malicious .docx
- 77f46b13d858f83c3ce5bdc6ffbc8a95 | WinDef.msi
- de70f256b9fd194f6844d7aa81b17b4e | crypted.exe (Predator)
- 6954cee9db2533337e4425aceacc547b | DEFOFF.exe
- a606d454b408b99aa9fc7ad774951621 | LDR_5622.js
- 92cc85c53e169b330fd8686d35259261 | file1.exe
- a511410d5889fca07a0dd0a8c84d6c8a | signed.exe
- c3c226ec03f393103b9df764df50f0bc | msi.dll
- hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi | WinDef download URL
- hxxps://soul-fly[.]xyz/api/gate.get | Predator C2
- hxxps://artrolife[.]club/fhj37f34fdd/file1.exe | LDR_5622 URL 1
- hxxp://supremeconnect[.]xyz/fdfg83574gd/file2.exe | LDR_5622 URL 2
- hxxp://0926tv[.]xyz/mystt34834ujf37data/ | Team Viewer panel
- hxxp://gabardine[.]xyz/log.txt | ServHelper NetSupport
- hxxp://kuarela[.]xyz/1.txt | ServHelper NetSupport
- hxxp://foxlnklnk[.]xyz/pf1.txt | ServHelper NetSupport
- hxxp://cafafafa[.]xyz/pf1.txt | ServHelper NetSupport
- hxxp://letitbe[.]icu/2.txt | ServHelper NetSupport
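The indicator rows above are pasted defanged, mixed with comments, and not typed, which is fine for humans but not for a blocklist or a SIEM lookup. The script below is an added example, not part of the original paste or of the report it summarises: it carries its own copy of the rows exactly as published, refangs them (hxxp -> http, [.] -> .), infers the hash type from the hex length (32 hex is taken to be MD5, which the paste itself never states, so that is an assumption), pulls the hostnames out of the URLs for DNS/proxy blocking, and offers a lookup that normalises whatever it is given (a hash in upper case, a defanged URL, a bare hostname) before comparing. Function names and record layout are mine.

```python
import json
import re
from urllib.parse import urlsplit

# The indicator rows exactly as published in the paste above (still defanged).
RAW_IOCS = """
9aa1b6bb7d53b008b6529b4a2f6bfada ServHelper
a2e77ee41f4d4d3e8814d07d26ec5be3 Malicious .docx
77f46b13d858f83c3ce5bdc6ffbc8a95 WinDef.msi
de70f256b9fd194f6844d7aa81b17b4e crypted.exe (Predator)
6954cee9db2533337e4425aceacc547b DEFOFF.exe
a606d454b408b99aa9fc7ad774951621 LDR_5622.js
92cc85c53e169b330fd8686d35259261 file1.exe
a511410d5889fca07a0dd0a8c84d6c8a signed.exe
c3c226ec03f393103b9df764df50f0bc msi.dll
hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi WinDef Download URL
hxxps://soul-fly[.]xyz/api/gate.get Predator C2
hxxps://artrolife[.]club/fhj37f34fdd/file1.exe LDR_5622 URL1
hxxp://supremeconnect[.]xyz/fdfg83574gd/file2.exe LDR_5622 URL2
hxxp://0926tv[.]xyz/mystt34834ujf37data/ Team Viewer Panel
hxxp://gabardine[.]xyz/log.txt ServHelper NetSupport
hxxp://kuarela[.]xyz/1.txt ServHelper NetSupport
hxxp://foxlnklnk[.]xyz/pf1.txt ServHelper NetSupport
hxxp://cafafafa[.]xyz/pf1.txt ServHelper NetSupport
hxxp://letitbe[.]icu/2.txt ServHelper NetSupport
"""

# Hash type is inferred from hex length only (32 = MD5, 40 = SHA-1, 64 = SHA-256).
# The paste does not name the algorithm, so this mapping is an assumption.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Optional leading "- ", the indicator, optional " | ", then the free-text comment.
ROW_RE = re.compile(r"^-?\s*(\S+)\s*\|?\s*(.*)$")


def refang(value: str) -> str:
    """Undo the usual defanging so the indicator can be compared against logs."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> str:
    """Return 'md5'/'sha1'/'sha256', 'url', or 'unknown' for a refanged value."""
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    if re.match(r"^https?://", value, flags=re.IGNORECASE):
        return "url"
    return "unknown"


def parse_iocs(text: str = RAW_IOCS) -> list:
    """Turn 'indicator comment' rows into typed records, refanging as we go."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line
        defanged, comment = m.group(1), m.group(2).strip()
        value = refang(defanged)
        kind = classify(value)
        if kind in HASH_TYPES.values():
            value = value.lower()  # hashes are case-insensitive; store one form
        rec = {"type": kind, "value": value, "defanged": defanged, "comment": comment}
        if kind == "url":
            rec["host"] = urlsplit(value).hostname  # IP literal or domain
        records.append(rec)
    return records


def blocklist_hosts(records) -> list:
    """Unique hostnames/IPs from the URL indicators, for DNS or proxy blocking."""
    return sorted({r["host"] for r in records if r.get("host")})


def hashes(records, kind: str = "md5") -> list:
    """All file hashes of one type, ready for an EDR or sandbox hash search."""
    return [r["value"] for r in records if r["type"] == kind]


def lookup(candidate: str, records):
    """Match a hash, full URL or bare hostname seen in logs against the list.

    The candidate may itself be defanged or upper-case; it is normalised first.
    Returns the matching record or None."""
    cand = refang(candidate.strip()).lower()
    for r in records:
        if r["type"] in HASH_TYPES.values() and r["value"] == cand:
            return r
        if r["type"] == "url" and cand in (r["value"].lower(), r["host"].lower()):
            return r
    return None


if __name__ == "__main__":
    recs = parse_iocs()
    print(json.dumps(recs, indent=2))
    print("hosts to block:", blocklist_hosts(recs))
    hit = lookup("9AA1B6BB7D53B008B6529B4A2F6BFADA", recs)
    print("sample lookup:", hit["comment"] if hit else "no match")
```

Keeping the defanged form alongside the refanged value lets the output be shared safely again, while `lookup` compares on the refanged, lower-cased form so a hash copied from an EDR console in upper case or a URL copied from a ticket with hxxp still matches.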
- ATT&CK TTPs
- Technique IDs follow the 2019 (pre-v7) ATT&CK numbering; several have since been folded into sub-techniques (for example T1086 PowerShell is now T1059.001 and T1193 Spearphishing Attachment is T1566.001), so map them before loading into a current-version tool.
- Tactic | Technique
- Initial Access | T1193 – Spearphishing Attachment
- Initial Access | T1192 – Spearphishing Link
- Execution | T1059 – Command-Line Interface
- Execution | T1086 – PowerShell
- Execution | T1085 – Rundll32
- Execution | T1053 – Scheduled Task
- Execution | T1064 – Scripting
- Persistence | T1098 – Account Manipulation
- Persistence | T1136 – Create Account
- Persistence | T1078 – Valid Accounts
- Persistence | T1053 – Scheduled Task
- Privilege Escalation | T1038 – DLL Search Order Hijacking
- Defense Evasion | T1089 – Disabling Security Tools
- Defense Evasion | T1107 – File Deletion
- Defense Evasion | T1143 – Hidden Window
- Credential Access | T1179 – Hooking
- Credential Access | T1503 – Credentials from Web Browsers
- Discovery | T1069 – Permission Groups Discovery
- Discovery | T1087 – Account Discovery
- Discovery | T1082 – System Information Discovery
- Collection | T1119 – Automated Collection
- Collection | T1056 – Input Capture
- Command and Control | T1132 – Data Encoding
- Command and Control | T1001 – Data Obfuscation
- Command and Control | T1219 – Remote Access Tools
- Command and Control | T1105 – Remote File Copy
- Command and Control | T1071 – Standard Application Layer Protocol
- Exfiltration | T1022 – Data Encrypted
- Impact | T1529 – System Shutdown/Reboot