paladin316

Servhelper_IOCs_20190719_15-18_UTC

Jul 19th, 2019
Malware Family: #Servhelper

MD5s:
57484338303a48dffadf466f74db4bab

IPs:
169.239.129[.]117

Domain:
towerprod3[.]com

URL:
hxxp://towerprod3[.]com/docs/saz.php

LOLBAS:
p1.exe 3628
rundll32.exe 3336 "rundll32.exe" C:\Users\user\AppData\Local\Temp\CLUBQCRHWH.dll, XHBBIGJC
cmd.exe 1444 cmd.exe /C powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\en.ps1
powershell.exe 2236 powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\en.ps1
net.exe 3864 "C:\Windows\system32\net.exe" localgroup Administrators
net1.exe 3832 C:\Windows\system32\net1 localgroup Administrators
cmd.exe 1988 cmd.exe /C whoami
whoami.exe 3120 whoami
svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch
WmiPrvSE.exe 3728 C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

PowerShell:
Invoke-Expression -Command $([string]([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('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'))))

#malware #OSINT #IOC #MalBeacon #Lagos