# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ta505, servhelper

# Reference: https://www.cyberswachhtakendra.gov.in/alerts/ServHelper_Malware.html

officemysuppbox.com
checksolutions.pw
rgoianrdfa.pw
arhidsfderm.pw
offficebox.com
office365onlinehome.com
afgdhjkrm.pw
dedsolutions.bit
dedoshop.pw
asgaage.pw
sghee.pw
vesecase.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

afgdhjkrm.pw
arepos.bit
checksolutions.pw
dedoshop.pw
dedsolutions.bit
pointsoft.pw

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/malwrhunterteam/status/1117012829951995905

aasdkkkdsa3442.icu
joisff333.icu

# Reference: https://twitter.com/bczyz1/status/1116660163522572292

http://79.141.171.160/alg

# Reference: https://twitter.com/TweeterCyber/status/1109088973039624197

cdnavupdate.icu

# Reference: https://twitter.com/avman1995/status/1094111896473608192

rgdsghhdfa.pw

# Reference: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently/ (Chinese)

add3565office.com
afsssdrfrm.pw
office365advance.com
office365homepod.com

# Reference: https://twitter.com/Dinosn/status/1121264330710900738
# Reference: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

joisf333.icu
zxskjkkjsk3232.pw

# Reference: https://twitter.com/VK_Intel/status/1124541340124053505
# Reference: https://twitter.com/anyrun_app/status/1118829445543006208

fjiisiis33.icu
houusha33.icu

# Reference: https://branbot.ninja/2019/05/ta505-using-lolb-and-free-remote-access-program-rms/

canyoning-austria.at
159.69.48.50:5655

# Reference: https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/

nettubex.top

# Reference: https://blog.yoroi.company/research/ta505-is-expanding-its-operations/

hans.me
217.12.201.159:5655

# Reference: https://twitter.com/HONKONE_K/status/1110757861779341313
# Reference: https://otx.alienvault.com/pulse/5cee5e811bfb0840b6f2c14b

http://202.168.154.158
http://27.102.106.138
http://92.38.135.204
keepneedjust.info

# Reference: https://otx.alienvault.com/pulse/5d00f923684ce2bac6dd094c

amenyan.zouri.jp
angelmariotti.xyz
billyjimmyer.top
canyoning-austria.at
citroenmehari.dk
dannysannyer.top
datdepot.net
furhatsth.net
globe-trotterltd.com
gohaiendo.com
govhotel.us
homeone.co.kr
ianhennessee.com
kabatas.ch
kerrison.com
kupitorta.net
lecmess.top
losabetos.com.sv
profan.es
slemend.com
statesdr.top
tommyhalfigero.top
topdalescotty.top
traveser.net
tunnelview.co.uk
vairina.top
waiireme.com
zonaykan.com
169.239.129.103:8080
94.156.133.183:8080
http://103.73.66.137
http://109.234.38.177
http://116.203.180.29
http://163.172.84.54
http://167.179.119.235
http://169.239.128.168
http://169.239.128.169
http://172.104.117.15
http://172.104.104.166
http://195.123.227.20
http://45.76.206.149
http://45.76.223.177
http://66.42.45.55

# Reference: https://twitter.com/VK_Intel/status/1139154944202878977

trailerbla.icu

# Reference: https://twitter.com/sS55752750/status/1143176372514381824

medastr.com

# Reference: https://securityaffairs.co/wordpress/79836/cyber-crime/ta505-group-malware.html

arepos.bit
dedsolutions.bit

# Reference: https://twitter.com/reegun21/status/1144611338536099840
# Reference: https://medium.com/@reegun/ta505-group-latest-analysis-found-unregistered-domains-4ea7dc4696c5

http://169.239.129.61
dsfk3322442fr44446g.icu
gdskjkkkss.pw

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south (#AndroMut)

kreewalk.com

# Generic trails (URL paths not tied to a single reference above; they match on path alone, regardless of host, so hits on these should be reviewed against the host and campaign context before acting on them)

/aggdst/Hasrt.php
/ghuae/huadh.php
/rest/serv.php
/docs/s.php
/sav/s.php
/x/s.php
