ioc[.]one - OSINT Cyber Threat Intelligence Database

Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Clipboard Data - T1414 Dll Side-Loading - T1574.002 Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Software - T1592.002 Tool - T1588.002 Clipboard Data - T1115 Dll Side-Loading - T1073 Powershell - T1086

Show in Graph

Common Information

Type	Value
UUID	97146f77-145d-41f2-b6b6-4c0bbc011792
Fingerprint	b4853022443703c1
Analysis status	DONE
Considered CTI value	2
Text language
Published	May 22, 2020, 1:46 p.m.
Added to db	Sept. 26, 2022, 9:31 a.m.
Last updated	Nov. 15, 2024, 4:38 p.m.
Headline	Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2
Title	Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2
Detected Hints/Tags/Attributes	50/2/77

Source URLs

	Redirection	Url
Details	Source	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/

URL Provider

Details	Provider	Source level domain
Details	ptsecurity.com	www.ptsecurity.com

Attributes

Details	Type	#Events	Value
Details	Domain	911	any.run
Details	Domain	1	letitbe.icu
Details	Domain	2	fdguyt5ggs.pw
Details	Domain	1	foxlnklnk.xyz
Details	Domain	1	gidjshrvz.xyz
Details	Domain	1	pofasfafha.xyz
Details	File	20	sysprep.exe
Details	File	40	cryptbase.dll
Details	File	1	c:\windows\system32\sysprep using the wusa.exe
Details	File	1	%systemroot%\help\hlp11.dat
Details	File	1	c:\windows\help\hlp12.dat
Details	File	1	%systemroot%\help\hlp12.dat
Details	File	1	%systemroot%\help\hlp13.dat
Details	File	2	%systemroot%\system32\rdpclip.exe
Details	File	1	%systemroot%\system32\rfxvmt.dll
Details	File	5	rfxvmt.dll
Details	File	1	hlp11.dat
Details	File	1	hlp12.dat
Details	File	35	2.txt
Details	File	11	client32.ini
Details	File	1	wrkn157.exe
Details	File	1	shipkat.ps1
Details	File	1	hlp13.dat
Details	File	30	rdpclip.exe
Details	File	1	cksini.exe
Details	File	27	client32.exe
Details	File	6	htctl32.dll
Details	File	42	msvcr100.dll
Details	File	6	nskbfltr.inf
Details	File	5	nsm.ini
Details	File	6	pcicapi.dll
Details	File	6	pcichek.dll
Details	File	6	pcicl32.dll
Details	File	6	remcmdstub.exe
Details	File	6	tcctl32.dll
Details	md5	1	0528104f496dd13438dd764e747d0778
Details	md5	1	5b79a0c06aec6126364ce1d5cbfedf66
Details	md5	1	d2a062ca772fa3ace7c7edadbd95eaf7
Details	md5	1	0cacea3329f35e88a4f9619190e3746f
Details	md5	1	fb609b00e29689db74c853ca7d69f440
Details	md5	1	843288a35906aa90b2d1cc6179588a26
Details	md5	1	445cd6df302610bb640baf2d06438704
Details	md5	1	083f66cc0e0f626bbcc36c7f143561bd
Details	md5	1	40bae264ea08b0fa115829c5d74bf3c1
Details	md5	1	ac72ab230608f2dca1da1140e70c92ad
Details	md5	1	07f1dc2a9af208e88cb8d5140b54e35e
Details	md5	1	1690e3004f712c75a2c9ff6bcde49461
Details	md5	1	dc39d23e4c0e681fad7a3e1342a2843c
Details	md5	1	953896600dfb86750506706f1599d415
Details	md5	1	8d9709ff7d9c83bd376e01912c734f0a
Details	md5	1	2d3b207c8a48148296156e5725426c7f
Details	md5	1	0e37fbfa79d349d672456923ec5fbbe3
Details	md5	2	26e28c01461f7e65c402bdf09923d435
Details	md5	2	88b1dab8f4fd1ae879685995c90bd902
Details	md5	1	7067af414215ee4c50bfcd3ea43c84f0
Details	md5	1	dcde2248d19c778a41aa165866dd52d0
Details	md5	1	a0b9388c5f18e27266a31f8c5765b263
Details	md5	1	00587238d16012152c2e951a087f2cc9
Details	md5	2	2a77875b08d4d2bb7b654db33a88f16c
Details	md5	2	eab603d12705752e3d268d86dff74ed4
Details	IPv4	1	179.43.146.90
Details	IPv4	1	185.225.17.175
Details	IPv4	1	179.43.156.32
Details	IPv4	1	185.163.45.124
Details	IPv4	2	185.163.45.175
Details	IPv4	1	185.225.17.150
Details	IPv4	1	185.225.17.169
Details	IPv4	1	185.225.17.98
Details	IPv4	1	195.123.221.66
Details	IPv4	1	195.123.246.192
Details	IPv4	1	37.252.8.63
Details	IPv4	1	94.158.245.123
Details	IPv4	1	94.158.245.154
Details	IPv4	1	94.158.245.232
Details	IPv4	1	185.225.17.66
Details	Url	1	http://letitbe.icu/2.txt
Details	Url	1	http://185.225.17.175/wrkn157.exe