Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Common Information

UUID: 4503fa9d-7c79-4b9e-95d3-1d01d0b0abb4
Fingerprint: be6125d0cc372768
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Aug. 12, 2021, 8 a.m.
Added to db: Sept. 11, 2022, 12:47 p.m.
Last updated: Nov. 17, 2024, 6:56 p.m.
Headline: Vulnerability Information
Title: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Detected Hints/Tags/Attributes: 123/4/167
Attributes (columns: Type, #Events, CTI Value)
MITRE ATT&CK Techniques (#Events in db):
T1064 (80)
T1059.001 (460)
T1055 (440)
T1571 (115)
T1219 (141)
T1056 (152)
T1027 (627)
T1105 (492)
T1547.001 (380)