ServHelper Analysis

IOB - Indicator of Behavior (386)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 334
  • zh: 28
  • fr: 12
  • de: 6
  • es: 6

Country

  • us: 202
  • cn: 102
  • ru: 10
  • ce: 8
  • gb: 6

Actors

Activities

Interest

Timeline

Type

Vendor

Product

  • cPanel: 8
  • Linux Kernel: 6
  • Joomla CMS: 6
  • SonicWALL SMA100: 6
  • Sophos Firewall: 6

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Atmail Remote Code Execution | 9.8 | 9.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00251 | 0.04 | CVE-2013-5033
2  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
3  | Palo Alto PAN-OS GlobalProtect Clientless VPN buffer overflow | 8.8 | 8.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00112 | 0.03 | CVE-2021-3056
4  | Sophos Firewall User Portal/Webadmin improper authentication | 8.5 | 8.5 | $0-$5k | $0-$5k | High | Not Defined | 0.97434 | 0.00 | CVE-2022-1040
5  | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00467 | 0.07 | CVE-2022-21664
6  | Microsoft Exchange Server ProxyShell Remote Code Execution | 9.5 | 8.7 | $25k-$100k | $5k-$25k | High | Official Fix | 0.97319 | 0.07 | CVE-2021-34473
7  | WordPress WP_Query sql injection | 6.3 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.93847 | 0.07 | CVE-2022-21661
8  | VeronaLabs wp-statistics Plugin API Endpoint Blind sql injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00250 | 0.00 | CVE-2019-13275
9  | D-Link DCS-5009/DCS-5010/DCS-5020L alphapd setSystemAdmin command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.01214 | 0.04 | CVE-2017-17020
10 | Linksys WRT54GL Web Management Interface SysInfo1.htm information disclosure | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00046 | 0.07 | CVE-2024-1406
11 | RoundCube Webmail Email Message rcube_string_replacer.php linkref_addindex cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | High | Official Fix | 0.00612 | 0.00 | CVE-2020-35730
12 | Adobe Dreamweaver untrusted search path | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00057 | 0.04 | CVE-2021-21055
13 | SourceCodester Human Resource Management System employeeadd.php sql injection | 5.5 | 5.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00148 | 0.04 | CVE-2022-4278
14 | Joomla CMS Password Reset access control | 7.3 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00177 | 0.04 | CVE-2012-1598
15 | Teclib GLPI unlock_tasks.php sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.12149 | 0.04 | CVE-2019-10232
16 | Check Point Gaia Portal Security Management GUI Client os command injection | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.03 | CVE-2021-30361
17 | Sophos Firewall User Portal/Webadmin code injection | 8.5 | 8.5 | $0-$5k | $0-$5k | High | Not Defined | 0.12788 | 0.04 | CVE-2022-3236
18 | CutePHP CuteNews unrestricted upload | 7.5 | 6.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02107 | 0.08 | CVE-2019-11447
19 | WordPress Object injection | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00432 | 0.04 | CVE-2022-21663
20 | OpenProject Activities API sql injection | 7.7 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.96201 | 0.04 | CVE-2019-11600

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • servhelper

IOC - Indicator of Compromise (16)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (22)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence
1  | T1006 | CAPEC-126 | CWE-22, CWE-23 | Path Traversal | predictive | High
2  | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
3  | T1059 | CAPEC-242 | CWE-94 | Argument Injection | predictive | High
4  | T1059.007 | CAPEC-209 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
5  | T1068 | CAPEC-122 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High

IOA - Indicator of Attack (190)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /.env | predictive | Low
2  | File | /admin/admin_login.php | predictive | High
3  | File | /api/addusers | predictive | High
4  | File | /api/RecordingList/DownloadRecord?file= | predictive | High
5  | File | /apply.cgi | predictive | Medium
6  | File | /debug/pprof | predictive | Medium
7  | File | /etc/config/rpcd | predictive | High
8  | File | /hrm/employeeadd.php | predictive | High
9  | File | /licenses | predictive | Medium
10 | File | /login | predictive | Low
11 | File | /OA_HTML/cabo/jsps/a.jsp | predictive | High
12 | File | /php/ping.php | predictive | High
13 | File | /public/login.htm | predictive | High
14 | File | /rapi/read_url | predictive | High
15 | File | /scripts/unlock_tasks.php | predictive | High
16 | File | /sendKey | predictive | Medium
17 | File | /setSystemAdmin | predictive | High
18 | File | /signup_script.php | predictive | High
19 | File | /SysInfo1.htm | predictive | High
20 | File | /sysinfo_json.cgi | predictive | High
21 | File | /system/user/modules/mod_users/controller.php | predictive | High

References (3)

The following list contains external sources which discuss the actor and the associated activities:

Samples (6)

The following list contains associated samples:
