# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ta505, servhelper

# Reference: https://www.cyberswachhtakendra.gov.in/alerts/ServHelper_Malware.html

officemysuppbox.com
checksolutions.pw
rgoianrdfa.pw
arhidsfderm.pw
offficebox.com
office365onlinehome.com
afgdhjkrm.pw
dedsolutions.bit
dedoshop.pw
asgaage.pw
sghee.pw
vesecase.com

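# Reference: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
# Note: afgdhjkrm.pw, checksolutions.pw, dedoshop.pw and dedsolutions.bit below also appear under the first reference in this file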

afgdhjkrm.pw
arepos.bit
checksolutions.pw
dedoshop.pw
dedsolutions.bit
pointsoft.pw

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/malwrhunterteam/status/1117012829951995905

aasdkkkdsa3442.icu
joisff333.icu

# Reference: https://twitter.com/bczyz1/status/1116660163522572292

http://79.141.171.160/alg

# Reference: https://twitter.com/TweeterCyber/status/1109088973039624197

cdnavupdate.icu

# Reference: https://twitter.com/avman1995/status/1094111896473608192

rgdsghhdfa.pw

# Reference: https://twitter.com/anyrun_app/status/1118829445543006208

houusha33.icu

# Reference: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently/ (Chinese)

add3565office.com
afsssdrfrm.pw
office365advance.com
office365homepod.com

# Reference: https://twitter.com/Dinosn/status/1121264330710900738
# Reference: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

joisf333.icu
zxskjkkjsk3232.pw

# Generic trails (URL paths with no host component)

/aggdst/Hasrt.php
/ghuae/huadh.php
/rest/serv.php
/sav/s.php
/x/s.php
