{
	"id": "1d022616-3d17-4d05-9132-2215497401e6",
	"created_at": "2026-04-06T00:09:25.083592Z",
	"updated_at": "2026-04-10T13:11:57.184032Z",
	"deleted_at": null,
	"sha1_hash": "e4b29c59db295c610f55d0852acaf4a3cf518447",
	"title": "Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1226713,
	"plain_text": "Signed MSI files, Raccoon and Amadey are used for installing\r\nServHelper RAT\r\nBy Vanja Svajcer\r\nPublished: 2021-08-12 · Archived: 2026-04-05 15:40:59 UTC\r\nThursday, August 12, 2021 08:00\r\nNews summary\r\nGroup TA505 has been active for at least seven years, making wide-ranging connections with other threat actors\r\ninvolved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's\r\narsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the\r\nactivity and discovered a set of intertwined malware families and TTPs.\r\nWe found that ServHelper is being installed onto the targeted systems using several different mechanisms, ranging\r\nfrom fake installers for popular software to using other malware families such as Raccoon and Amadey as the\r\ninstallation proxies.\r\nThis threat demonstrates several techniques of the MITRE ATT\u0026CK framework, most notably Scripting - T1064,\r\nPowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219,\r\nInput Capture - T1056, Obfuscated Files or Information - T1027, Ingress Tool Transfer - T1105, and Registry Run\r\nKeys/Startup Folder - T1547.001.\r\nWhat's new?\r\nAlthough ServHelper has existed since at least early 2019, we detected the use of other malware families\r\nto install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally\r\nlinked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.\r\nhttps://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html\r\nPage 1 of 17\n\nServHelper will also sometimes install a module that includes either Monero or Ethereum cryptocurrency mining tools.\r\nHow did it work?\r\n
One path for infection starts with the compromise of a legitimate site that hosts cryptographically\r\nsigned MSI installers. These install popular software such as Discord. However, they also launch a variant of the\r\nRaccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2)\r\nserver.\r\nAttackers also deploy the ServHelper RAT with a variant of the Amadey malware, which receives a full command line from the\r\nserver to install an initial PowerShell downloader component for ServHelper.\r\nServHelper includes the functionality to remotely control the infected system, log keystrokes, exfiltrate users' confidential\r\ndata, launch RDP sessions, install cryptomining software and install the NetSupport remote access tool.\r\nSo what?\r\nAlthough many threat actors, such as TA505 or its associated groups — to which we attribute these\r\ncampaigns with moderate confidence — have been affected by the arrests of several CLOP members in Ukraine, they\r\ncontinued to operate using a different set of tools. These attacks are geared toward taking control over the infected\r\nsystems and stealing confidential data, which the group will likely leverage for financial gain later on.\r\nUsers need to make sure they install software only from trusted sources. Even if installers are signed with a valid certificate,\r\nthat does not mean that the functionality is legitimate.\r\nTechnical details\r\nIntroduction\r\nThis investigation started as a single and simple call to an IP address hosting a PowerShell script found\r\nin Cisco Secure product telemetry. Initially, while looking at the code, we thought it was just one of many cryptomining\r\nmalware campaigns.\r\nHowever, we soon realized that the main payload was a variant of the ServHelper backdoor. The usage of the tool is generally\r\nlinked with the activity of the threat group TA505. TA505 is a crimeware-focused group active since at least 2014. 
They are\r\nmostly known for their usage of the Dridex and CLOP ransomware families in their campaigns. There are some theories that\r\nCLOP ransomware gang members, arrested in Ukraine in June 2021, originated from the group TA505.\r\nWhat started as an investigation into an Ethereum cryptominer turned out to be a never-ending whirlwind of different\r\nmalware families. Apart from the usual suspects often attributed to TA505, such as the Raccoon stealer and the Amadey\r\nstealer/loader, we encountered a couple of newer techniques from this group. TA505 now uses an MSI installer signed\r\nwith a valid certificate and a GoLang go-clr-based dropper that can load a .NET assembly from memory.\r\nInitial discovery\r\nWhile looking at the daily report of suspicious command lines, we encountered a call to a\r\nPowerShell script hosted at the IP address 94.158.245.88.\r\nInitial command in product telemetry.\r\nThe downloaded script was a simple PowerShell script to download additional scripts and launch a VBScript file,\r\n\"start.vbs.\" We first assumed this was another cryptocurrency miner, but we decided to analyze the scripts because, as a\r\ncryptocurrency miner, it was not immediately familiar.\r\nDownloaded PowerShell script, \"bi.ps1.\"\r\nStart.vbs is a simple driver that seems to check the size of the System Management BIOS memory to avoid executing\r\nwithin virtual machines, and then launches the script \"ready.ps1.\"\r\nStart.vbs first checks the amount of SMBIOS memory before it launches the initial loader.\r\nBefore executing the next stage, ready.ps1 decodes a base64-encoded string to reveal a tool for disabling the Microsoft\r\nAMSI interface, which is often used by anti-malware software for scanning the content of obfuscated PowerShell, VBA,\r\nVBS and scripts written in other Microsoft scripting languages. 
Once AMSI is disabled, ready.ps1 launches the next stage,\r\nwhich is the main PowerShell loader, resolve-domain.ps1.\r\nAMSI bypass in ready.ps1.\r\nThe AMSI bypass first loads the amsi.dll library and then gets the address of the function AmsiScanBuffer. The first six\r\nbytes of the function are patched with two x86 instructions, \"MOV EAX,80070057;RET\", to return the value 0x80070057\r\n(E_INVALIDARG) to the caller so that it seems as if the scan has failed.\r\nMain PowerShell loader\r\nThe loader starts with a function for decrypting the content of a variable containing the real PowerShell code of the\r\nloader. The function derives a TripleDES password from the parameters submitted to the function call.\r\nTripleDES is used to decrypt the actual PowerShell loader.\r\nWhen decrypted, the main loader contains several base64-encoded buffers and logic to drop and load files decoded from\r\nthose buffers. Before they are dropped to disk, the buffers need to be decrypted using a simple byte-wise XOR scheme with a fixed\r\nseven-byte key.\r\nThe main loader needs to deobfuscate the file content after Base64 decoding.\r\nThe loader will, depending on the characteristics of the system, attempt to drop the payloads into the following locations:\r\nC:\\Windows\\branding\\mediasvc.png\r\nC:\\Windows\\branding\\mediasrv.png\r\nC:\\Windows\\branding\\wupsvc.jpg\r\nC:\\Windows\\system32\\rdpclip.exe\r\nC:\\Windows\\system32\\rfxvmt.dll\r\nThese locations are a telltale sign of a ServHelper infection, a RAT that has been active since at least early 2019.\r\nWhile reading the deobfuscated PowerShell script we noticed the download and execution of another URL:\r\nhxxp://45[.]61[.]136[.]223/get/m5.php. 
The call to this URL will be executed only if the amount of memory on the graphics\r\ncard is larger than 4MB, which may be a way to evade some virtual machines or just a check for a machine with sufficient\r\ncapacity to download the module, which is used for cryptocurrency mining.\r\nCryptomining module m5.php\r\nThe cryptomining module hosted on hxxp://45[.]61[.]136[.]223/get/m5.php is what prompted us to initially\r\nassume that the final payload of the campaign was just a cryptominer and not the theft of confidential information from, and remote control of,\r\ninfected systems, activity which may be attributed, based on the known TTPs, to Group TA505.\r\nm5.php will only be downloaded if the size of the video controller memory is larger than 4MB.\r\nThe m5.php script is lightly obfuscated, first by adding decimal 92 to each of the characters and then by base64 encoding it. The\r\nscript creates another PowerShell script at C:\\Windows\\system32\\update-request.ps1. The update-request module will be\r\nlaunched through a UAC bypass attempt which abuses the scheduled task \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup by\r\nmodifying the registry value HKCU:\\Environment\\windir to contain a call to a modified slmgr.vbs script, which in turn contains the\r\ncall to launch update-request.ps1.\r\nUAC bypass to launch update-request.ps1.\r\nUpdate-request.ps1 is obfuscated in a manner similar to the m5.php content. The script contains another layer of\r\nobfuscation with TripleDES similar to the one seen in resolve-domain.ps1. An interesting fact is that the decrypting function\r\nis named decra, which is the same name as an export of the ServHelper service loader, which will be described a bit later.\r\nOnce decoded, update-request contains instructions to download and run cryptomining software. 
In some previous instances,\r\nServHelper installations were linked to Monero mining, but in this campaign a choice is made between mining Monero with\r\nXMRig and mining Ethereum. Ethminer and its configuration file are downloaded if Ethereum is the chosen miner.\r\nThe Ethminer payload is saved to disk as C:\\windows\\system32\\mui_pack_es.json as a base64-encoded file, which is\r\nalso encrypted using XOR with the byte-based key \"Asfianweiw\". The Monero mining XMRig payload may be downloaded\r\ninto C:\\windows\\system32\\mui_pack.json and decrypted before loading into memory using the same method. This tactic is\r\nlikely designed to avoid the detection of PE files by anti-malware software.\r\nThe mining payloads exist as PE modules only in memory; they are loaded by injecting them reflectively into\r\nthe legitimate process c:\\windows\\system32\\msiexec.exe. The method used to hollow msiexec seems to be a PowerShell port of\r\nthe C++ RunPE process hollowing project. It loads an embedded base64-encoded custom .NET assembly which is simply\r\nused as a trampoline to avoid having to import all the required functions from the kernel32.dll module.\r\nLooking at the Ethereum payouts for the address 0x12420E4083F1E37b91AFA0E054682d049F9505C6 at the blockchain\r\nexplorer on ethermine.org, we can see that the pool of miners with this address earned just over 17 ETH over a\r\nperiod of fewer than four months, which at the time of writing this post is worth slightly more than $33,000 USD.\r\nEthermine payouts to the address associated with the TA505 ServHelper campaigns.\r\nServHelper installation\r\nIn this campaign, the PowerShell loader resolve-domain.ps1 is responsible for dropping and\r\ninstalling the ServHelper payload. 
In this case, the main loader is downloaded from a website, but in some other\r\ncases, the main PowerShell loader is dropped by an executable dropper.\r\nThe PowerShell loader uses the same SilentCleanup UAC bypass seen in the mining module to execute the registry and file\r\nsystem changes without the UAC prompt.\r\nThe loading of ServHelper consists of two main DLL modules combined with helper modules to allow communication over\r\nRDP. The PowerShell module changes the registry keys related to the Windows Terminal Server service. The Terminal\r\nServer service is changed so that it listens on the non-default TCP port 7201 instead of the default port 3389. A new Remote\r\nDesktop service, Termservice, is created and its ServiceDLL value is set to point to the ServHelper DLL loader\r\nC:\\Windows\\branding\\mediasrv.png.\r\nThe loader DLL mediasrv.png is packed with UPX and employs a simple XOR decryption of strings that are dynamically\r\nconstructed in memory. The loader is a service DLL whose ServiceMain function contains the ability to load the main\r\nServHelper DLL module from C:\\Windows\\branding\\mediasvc.png.\r\nmediasrv.png contains the usual exports for a svchost-based service DLL, such as ServiceMain and\r\nSvcHostPushServiceGlobals, and an additional export, decra, which seems to be used for decryption.\r\nSvcHostPushServiceGlobals seems to be used to load the standard Remote Desktop DLL termserv.dll and to load an\r\nRDPWrapper configuration from the dropped file C:\\Windows\\branding\\wupsvc.jpg. Some earlier analyses indicate that the\r\nfirst stage of the ServHelper DLL loader is in fact a modified variant of RDPWrapper, which allows for concurrent remote\r\nRDP sessions on the host. 
This would also explain the loading of the RDPWrap configuration file.\r\nModified RDPWrap DLL first decrypts the name and then loads the main ServHelper module.\r\nThe main ServHelper RAT module is written in Delphi and compiled to native code. It uses a modified Vigenère\r\ncipher to encrypt and decrypt the strings used in the file. We used IDAPython to create a simple script for decoding the\r\nstrings and assigned a function key to patch the strings back into the IDA database file. We'll share this script at the bottom of\r\nthis post.\r\nThe ServHelper module contains typical backdoor functionality. It launches many threads, some for tunneling traffic\r\nover an OpenSSH tunnel (OpenSSH may be downloaded from a C2 server) and one running the main command processing loop, which,\r\nfor the sample under analysis, accepts the following commands:\r\nxl\r\ninfo\r\nfixrdp\r\nreboot\r\nupdateuser\r\ndeployns\r\nkeylogadd\r\nkeylogdel\r\nkeyloglist\r\nkeylogreset\r\nkeylogstart\r\nsshurl\r\ngetkeylog\r\ngetchromepasswords\r\ngetmozillacookies\r\ngetchromecookies\r\nsearch\r\nbkport\r\nhijack\r\npersist\r\nstophijack\r\nsethijack\r\nsetcopyurl\r\nforcekill\r\nnop\r\ntun\r\nslp\r\nkilltun\r\nshell\r\nupdate\r\nload\r\nsocks\r\nAlthough the hijack and keylogging commands are accepted by the RAT, it seems that they are not\r\nimplemented by this variant. From the analysed code, it seems that, for example, the hijack functionality should be\r\nimplemented by one of the DLL exports, gusiezo3. 
However, this functionality actually enters an infinite sleep loop.\r\nOther researchers have previously described the other functions in depth.\r\nThe gusiezo3 export is supposed to handle the hijack command but it simply enters an infinite loop.\r\nThis is similar to other exports, such as euefnaiw, which should handle keylogging, and hitit, for which no functionality is\r\nimplemented either.\r\nThe C2 domain name for this sample is \"novacation.cn.\" While searching for other related samples, we discovered another\r\ndropper written in GoLang.\r\nGoLang go-clr dropper\r\nThe dropper uses the go-clr loader, which allows a GoLang executable to load a .NET\r\nassembly from memory or from disk. The dropper extracts a base64-encoded buffer from its own .rdata section,\r\ndecompresses the buffer using gzip deflate, and loads the .NET ServHelper dropper into memory to execute it. The\r\nbase64 buffer is deliberately corrupted to avoid automatic extraction by anti-malware software; the dropper repairs it\r\nbefore it is base64 decoded and decompressed.\r\nGzip buffer is corrected before it is base64 decoded into a binary buffer containing a .NET assembly.\r\nThe loaded assembly is a typical dropper for ServHelper. It extracts the PowerShell loader components for ServHelper\r\ninto the temporary files folder and runs ready.ps1, which launches the infection as described above.\r\n.NET ServHelper dropper drops and executes the PowerShell loader components.\r\nAs with every investigation, we tried to find similar files and their locations on the internet and found that GoLang droppers\r\nare downloaded and installed as a consequence of running a group of MSI installer packages signed with a valid certificate\r\nand not detected by any anti-malware software. 
The installers purport to be MSI files that install various applications,\r\nincluding a video editor, a wiki program and Discord.\r\nMSI installer downloaders\r\nThe certificate belongs to a Russian company, SGP-GEOLOGIYA, OOO. The first sample\r\nwas submitted to VirusTotal on May 2 and again on July 15.\r\nMalicious MSI installers signed by \"SGP-GEOLOGIYA, OOO\" are not detected.\r\nThe MSI installer file is created with a trial version of Advanced Installer. Files created with Advanced Installer contain a\r\nparser, aipackagechainer.exe, used to parse the package and communicate with msiexec.exe to download and run prerequisites.\r\nThe AI_PreRequisite table contains a URL, hxxp://91[.]212[.]150[.]205/filename.exe, that points to an executable file that the\r\ninstaller downloads and runs.\r\nMSI installer will download and run files from any URL specified in the AI_PreRequisite table.\r\nHowever, the URL of the GoLang ServHelper dropper, referenced as being downloaded by the MSI installer, is\r\nhxxp://91[.]212[.]150[.]205/al.exe and there is no reference to it in the MSI installation prerequisites. A logical assumption\r\nis that filename.exe is a downloader of the ServHelper dropper.\r\nRaccoon and Amadey stealers entering the ServHelper play\r\nThe sample filename.exe (SHA256\r\n7516b2271e4a887156d52f661cdfc561fded62338a72b56f50bf188c2f5f222a), downloaded by the MSI installer, is a\r\nvariant of the Raccoon information stealing malware. Raccoon is a stealer that attempts to find and exfiltrate\r\ninformation that can be used by the attacker to gain financial benefits, such as user credentials, cookies,\r\ncryptocurrency wallet details and credit card numbers.\r\nThe sample we analysed, referenced by the MSI installer, communicates with a C2 server hosted on 34[.]76[.]8[.]115.\r\nRaccoon uses HTTP for communication with the C2 server. 
The data submitted and received is encrypted with RC4 using an\r\nencryption key hardcoded within the body of the stealer. When run for the first time, the Raccoon executable sends a POST\r\nrequest to the C2 server. The request contains basic information about the bot, such as a unique bot identifier, username,\r\nconfiguration identifier and the format of data expected, and the C2 server responds with the configuration in the format\r\nspecified by the bot, usually JSON.\r\nThe RC4 passphrase and all other Raccoon strings are encrypted with a simple XOR scheme.\r\nThe RC4 passphrase of the analysed sample was \"$Z2s`ten\\@bE9vzR\". We used it to decrypt the response sent back to the bot\r\nfrom the C2 server. Then, we obtained the JSON configuration, which shows that the C2 instructs the bot to download the\r\nGoLang ServHelper dropper.\r\nDecrypted Raccoon configuration to download the ServHelper GoLang dropper.\r\nHowever, Raccoon is not the only family used to install ServHelper alongside its own information stealing\r\nobjective. Samples of another stealer family, Amadey, are also instructed by their C2 server to download ServHelper\r\nsamples. This is done in a slightly different manner. The Amadey loader receives a PowerShell command line from its C2\r\nserver and executes it to download and install ServHelper in its PowerShell form. 
The usage of Amadey is also\r\nlinked to group TA505.\r\nThe sample with SHA256 baad7552e8fc0461babc0293f7a3191509b347596d9ca8d2a82560992ff2c48e, apart from its screen\r\ncapture and credential dumping plugins, receives from the C2 server 157[.]90[.]24[.]103 a command which decodes to the\r\nsame IP address we initially observed in our telemetry: 94[.]158[.]245[.]88.\r\nAmadey C2 instructs the bot to download and run a ServHelper PowerShell installer.\r\nHowever, the pattern is similar: An information-stealing malware variant is instructed by its C2 server to download and\r\ninstall ServHelper.\r\nConclusion\r\nIn this post we documented activities that may be attributed with moderate confidence to the threat\r\ngroup TA505 or a related group. The activities include several malware families geared toward stealing and\r\nexfiltrating confidential data.\r\nAll documented families, as well as signed MSI installers, are used to download and run ServHelper - a RAT with different\r\nTTPs, such as the use of GoLang, the .NET framework, PowerShell and Delphi.\r\nMalware families in modules observed in these campaigns.\r\nUsers need to make sure they install software only from trusted sources. Even if installers are signed with a valid certificate,\r\nthat does not mean that the functionality is legitimate. How confidential data is stored is also important, as\r\npasswords and credit card numbers are sometimes stored in insecure storage such as SQLite databases, which are\r\neasy targets for criminals. 
Session cookies can also be used for hijacking accounts and are therefore valuable to attackers.\r\nIt is very likely that we will see groups similar to TA505 adapting these tools in the future as the detection for them\r\nimproves.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint is ideally suited to prevent the execution of the malware detailed in this post. New users can try\r\nCisco Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Firewall and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics helps identify malicious binaries and build protection into all Cisco Security products.\r\nCisco Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Cisco Secure\r\nFirewall Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nThe following SIDs have been released to detect this threat: 57975.\r\nThe following ClamAV signatures have been released to detect this threat as well as tools and malware related to these\r\ncampaigns:\r\nWin.Downloader.Powershell-9883640\r\nWin.Trojan.Powershell-9883642\r\nWin.Downloader.Powershell-9883641\r\nWin.Downloader.ServHelper-9883708\r\nWin.Downloader.Powershell-9883847\r\nWin.Trojan.ServHelper-9883848\r\nWin.Trojan.ServHelper-9883866\r\nWin.Trojan.ServHelper-9883867\r\nCisco Secure Endpoint (AMP) users can use Orbital Advanced Search to run\r\ncomplex OSqueries to see if their 
endpoints are infected with this specific threat. For specific OSqueries on this\r\nthreat, click here, here, here and here.\r\nIOCs\r\nIPs\r\nHosts\r\nURLs\r\nSamples\r\nEthereum address\r\n0x12420E4083F1E37b91AFA0E054682d049F9505C6\r\nMonero address\r\n47EEBQeqq661AchrUwicX1Nxqeuizqoxp4XEV7dUyhkzQgpxGdbJLYGa4xLeQXiBDqQ8xZFUbLCK1Gj2qFmDEZAREwGLjD\r\nIDAPython script to deobfuscate ServHelper strings using Vigenère cipher\r\nimport sys\r\nimport idaapi\r\nimport idc\r\nimport ida_bytes\r\nimport ida_expr\r\nimport ida_kernwin\r\n#Load this Python script into IDAPro. 
T\r\n# Python code to implement Vigenere Cipher as implemented in the Delphi code at\r\n# https://stackoverflow.com/questions/68003\r\n# Generate the key stream from the keyword\r\ndef generateKey(string, key):\r\n    key = list(key)\r\n    if len(string) == len(key):\r\n# Decrypt the original text, skip non-alphabet characters\r\ndef originalText(cipher_text, key):\r\n    orig_text = []\r\n    for i in range(len(cipher_text)):\r\n        if (ord(cipher_text[i])\r\n        else:\r\n            orig_text.append(cipher_text[i])\r\n    return(\"\" . join(orig_text))\r\ndef patchString(strng):\r\n    \"\"\"Patch a decrypted utf-16le encoded string back to IDAPro\"\"\"\r\n    ida_bytes.patch_bytes(idc.get\r\ndef decryptString(keyword = 'WBORRHOS'):\r\n    #change the keyword to a string appropriate for the sample under analysis\r\n    k\r\n    #Make sure what was patched is defined as a string literal\r\n    ida_bytes.create_strlit(idc.get_screen_ea(),ida_bytes.ge\r\ndef key_decrypt():\r\n    decryptString( 'WBORRHOS')\r\n#Assign the decryption function to the function key F2\r\nida_kernwin.add_hotkey('F2', key_decrypt)\r\nSource: https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html"
	],
	"report_names": [
		"raccoon-and-amadey-install-servhelper.html"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4b29c59db295c610f55d0852acaf4a3cf518447.pdf",
		"text": "https://archive.orkl.eu/e4b29c59db295c610f55d0852acaf4a3cf518447.txt",
		"img": "https://archive.orkl.eu/e4b29c59db295c610f55d0852acaf4a3cf518447.jpg"
	}
}