www.cybereason.com Open in urlscan Pro
2606:4700::6811:86b4 Public Scan

Go To Rescan
Add Verdict Report

URL:
https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,c...
Submission: On January 29 via manual (January 29th 2020, 2:27:44 am UTC) from IN

Summary HTTP 90 Redirects Links 5 Behaviour Indicators

Summary

This website contacted 36 IPs in 7 countries across 31 domains to perform 90 HTTP transactions. The main IP is 2606:4700::6811:86b4, located in United States and belongs to CLOUDFLARENET, US. The main domain is www.cybereason.com.
TLS certificate: Issued by CloudFlare Inc ECC CA-2 on September 17th 2019. Valid for: a year.

This is the only time www.cybereason.com was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

	IP Address	AS Autonomous System
31	2606:4700::68... 2606:4700::6811:86b4	13335 (CLOUDFLAR...) (CLOUDFLARENET)
15	104.111.215.74 104.111.215.74	16625 (AKAMAI-AS) (AKAMAI-AS)
1 2	172.217.16.130 172.217.16.130	15169 (GOOGLE) (GOOGLE)
1 4	2606:4700::68... 2606:4700::6811:f3cc	13335 (CLOUDFLAR...) (CLOUDFLARENET)
2	2606:4700::68... 2606:4700::6811:4004	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2.18.234.190 2.18.234.190	16625 (AKAMAI-AS) (AKAMAI-AS)
1	151.101.12.65 151.101.12.65	54113 (FASTLY) (FASTLY)
2	2a03:2880:f01... 2a03:2880:f01c:8012:face:b00c:0:3	32934 (FACEBOOK) (FACEBOOK)
1	34.192.123.20 34.192.123.20	14618 (AMAZON-AES) (AMAZON-AES)
1	147.75.32.13 147.75.32.13	54825 (PACKET) (PACKET)
1	2a00:1450:400... 2a00:1450:4001:81f::2002	15169 (GOOGLE) (GOOGLE)
1	2a00:1450:400... 2a00:1450:4001:806::200a	15169 (GOOGLE) (GOOGLE)
2	2a00:1450:400... 2a00:1450:4001:821::2003	15169 (GOOGLE) (GOOGLE)
1 2	2a00:1450:400... 2a00:1450:4001:81b::2004	15169 (GOOGLE) (GOOGLE)
2	2a00:1450:400... 2a00:1450:4001:824::2003	15169 (GOOGLE) (GOOGLE)
1	70.42.32.31 70.42.32.31	22075 (AS-OUTBRAIN) (AS-OUTBRAIN)
1	64.202.112.95 64.202.112.95	22075 (AS-OUTBRAIN) (AS-OUTBRAIN)
1	2606:4700::68... 2606:4700::6811:e7cc	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2606:4700::68... 2606:4700::6811:73b0	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2606:4700::68... 2606:4700::6811:44b0	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	147.75.84.91 147.75.84.91	54825 (PACKET) (PACKET)
1	147.75.84.39 147.75.84.39	54825 (PACKET) (PACKET)
2	2a03:2880:f11... 2a03:2880:f11c:8183:face:b00c:0:25de	32934 (FACEBOOK) (FACEBOOK)
6 9	34.252.172.232 34.252.172.232	16509 (AMAZON-02) (AMAZON-02)
1 2	52.21.56.60 52.21.56.60	14618 (AMAZON-AES) (AMAZON-AES)
1	104.244.42.195 104.244.42.195	13414 (TWITTER) (TWITTER)
1 1	2a00:1288:110... 2a00:1288:110:c305::a000	34010 (YAHOO-IRD) (YAHOO-IRD)
1	34.206.200.99 34.206.200.99	14618 (AMAZON-AES) (AMAZON-AES)
1 2	34.95.120.147 34.95.120.147	15169 (GOOGLE) (GOOGLE)
1	69.173.144.136 69.173.144.136	26667 (RUBICONPR...) (RUBICONPROJECT)
1 2	185.33.223.203 185.33.223.203	29990 (ASN-APPNEX) (ASN-APPNEX)
1 2	2a00:1450:400... 2a00:1450:4001:816::200e	15169 (GOOGLE) (GOOGLE)
1	2606:4700::68... 2606:4700::6811:c8cc	13335 (CLOUDFLAR...) (CLOUDFLARENET)
2	2606:4700::68... 2606:4700::6810:fb05	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1 1	2a00:1450:400... 2a00:1450:400c:c06::9c	15169 (GOOGLE) (GOOGLE)
1	2606:4700::68... 2606:4700::6810:f905	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2a02:26f0:6c0... 2a02:26f0:6c00:28c::25ea	20940 (AKAMAI-ASN1) (AKAMAI-ASN1)
1 2	2a05:f500:10:... 2a05:f500:10:101::b93f:9105	14413 (LINKEDIN) (LINKEDIN)
1 1	2a05:f500:11:... 2a05:f500:11:101::b93f:9001	14413 (LINKEDIN) (LINKEDIN)
90	36

31 2606:4700::6811:86b4 (United States)

ASN13335 (CLOUDFLARENET, US)

www.cybereason.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

15 104.111.215.74 (Netherlands)

ASN16625 (AKAMAI-AS, US)
PTR: a104-111-215-74.deploy.static.akamaitechnologies.com

use.typekit.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
p.typekit.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 172.217.16.130 (United States) 1 redirects

ASN15169 (GOOGLE, US)
PTR: fra15s46-in-f2.1e100.net

www.googleadservices.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
cm.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 2606:4700::6811:f3cc (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

cdn2.hubspot.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2606:4700::6811:4004 (United States)

ASN13335 (CLOUDFLARENET, US)

cdnjs.cloudflare.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2.18.234.190 (Ascension Island)

ASN16625 (AKAMAI-AS, US)
PTR: a2-18-234-190.deploy.static.akamaitechnologies.com

amplify.outbrain.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 151.101.12.65 (Frankfurt am Main, Germany)

ASN54113 (FASTLY, US)

tag.marinsm.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a03:2880:f01c:8012:face:b00c:0:3 (Ireland)

ASN32934 (FACEBOOK, US)

connect.facebook.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 34.192.123.20 (Ashburn, United States)

ASN14618 (AMAZON-AES, US)
PTR: ec2-34-192-123-20.compute-1.amazonaws.com

t.sf14g.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 147.75.32.13 (Amsterdam, Netherlands)

ASN54825 (PACKET, US)
PTR: pkt-ams-k2-shared-ingress9

static.hotjar.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:81f::2002 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

googleads.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:806::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:821::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.gstatic.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:81b::2004 (Frankfurt am Main, Germany) 1 redirects

ASN15169 (GOOGLE, US)

www.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:824::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

www.google.de	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 70.42.32.31 (United States)

ASN22075 (AS-OUTBRAIN, US)
PTR: ny.outbrain.com

tr.outbrain.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 64.202.112.95 (United States)

ASN22075 (AS-OUTBRAIN, US)
PTR: ny.outbrain.com

amplifypixel.outbrain.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6811:e7cc (United States)

ASN13335 (CLOUDFLARENET, US)

js.hsleadflows.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6811:73b0 (United States)

ASN13335 (CLOUDFLARENET, US)

js.hsadspixel.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6811:44b0 (United States)

ASN13335 (CLOUDFLARENET, US)

js.hs-analytics.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 147.75.84.91 (Parsippany, United States)

ASN54825 (PACKET, US)

script.hotjar.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 147.75.84.39 (Parsippany, United States)

ASN54825 (PACKET, US)

vars.hotjar.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a03:2880:f11c:8183:face:b00c:0:25de (Ireland)

ASN32934 (FACEBOOK, US)

www.facebook.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

9 34.252.172.232 (Dublin, Ireland) 6 redirects

ASN16509 (AMAZON-02, US)
PTR: ec2-34-252-172-232.eu-west-1.compute.amazonaws.com

pixel-geo.prfct.co	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 52.21.56.60 (Ashburn, United States) 1 redirects

ASN14618 (AMAZON-AES, US)
PTR: ec2-52-21-56-60.compute-1.amazonaws.com

tracking.leadlander.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 104.244.42.195 (United States)

ASN13414 (TWITTER, US)

analytics.twitter.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1288:110:c305::a000 (United Kingdom) 1 redirects

ASN34010 (YAHOO-IRD, GB)

ads.yahoo.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 34.206.200.99 (Ashburn, United States)

ASN14618 (AMAZON-AES, US)
PTR: ec2-34-206-200-99.compute-1.amazonaws.com

pixel.prfct.co	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 34.95.120.147 (United States) 1 redirects

ASN15169 (GOOGLE, US)
PTR: 147.120.95.34.bc.googleusercontent.com

us-u.openx.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 69.173.144.136 (Frankfurt am Main, Germany)

ASN26667 (RUBICONPROJECT, US)

pixel.rubiconproject.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 185.33.223.203 (Netherlands) 1 redirects

ASN29990 (ASN-APPNEX, US)
PTR: 317.bm-nginx-loadbalancer.mgmt.ams1.adnexus.net

secure.adnxs.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:816::200e (Frankfurt am Main, Germany) 1 redirects

ASN15169 (GOOGLE, US)

www.google-analytics.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6811:c8cc (United States)

ASN13335 (CLOUDFLARENET, US)

api.hubapi.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2606:4700::6810:fb05 (United States)

ASN13335 (CLOUDFLARENET, US)

track.hubspot.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:400c:c06::9c (Brussels, Belgium) 1 redirects

ASN15169 (GOOGLE, US)

stats.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6810:f905 (United States)

ASN13335 (CLOUDFLARENET, US)

forms.hubspot.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a02:26f0:6c00:28c::25ea (Ascension Island)

ASN20940 (AKAMAI-ASN1, US)

snap.licdn.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a05:f500:10:101::b93f:9105 (Ireland) 1 redirects

ASN14413 (LINKEDIN, US)

px.ads.linkedin.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a05:f500:11:101::b93f:9001 (Ireland) 1 redirects

ASN14413 (LINKEDIN, US)

www.linkedin.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
31	cybereason.com www.cybereason.com	3 MB
15	typekit.net use.typekit.net p.typekit.net	181 KB
10	prfct.co 6 redirects pixel-geo.prfct.co pixel.prfct.co	4 KB
4	hubspot.net 1 redirects cdn2.hubspot.net	70 KB
3	linkedin.com 2 redirects px.ads.linkedin.com www.linkedin.com	3 KB
3	hubspot.com track.hubspot.com forms.hubspot.com	2 KB
3	doubleclick.net 2 redirects googleads.g.doubleclick.net cm.g.doubleclick.net stats.g.doubleclick.net	2 KB
3	hotjar.com static.hotjar.com script.hotjar.com vars.hotjar.com	73 KB
3	outbrain.com amplify.outbrain.com tr.outbrain.com amplifypixel.outbrain.com	4 KB
2	google-analytics.com 1 redirects www.google-analytics.com	18 KB
2	adnxs.com 1 redirects secure.adnxs.com	2 KB
2	openx.net 1 redirects us-u.openx.net	491 B
2	leadlander.com 1 redirects tracking.leadlander.com	644 B
2	facebook.com www.facebook.com	507 B
2	google.de www.google.de	219 B
2	google.com 1 redirects www.google.com	311 B
2	gstatic.com fonts.gstatic.com	18 KB
2	facebook.net connect.facebook.net	144 KB
2	cloudflare.com cdnjs.cloudflare.com	83 KB
1	licdn.com snap.licdn.com	2 KB
1	hubapi.com api.hubapi.com	590 B
1	rubiconproject.com pixel.rubiconproject.com	239 B
1	yahoo.com 1 redirects ads.yahoo.com	648 B
1	twitter.com analytics.twitter.com	557 B
1	hs-analytics.net js.hs-analytics.net	26 KB
1	hsadspixel.net js.hsadspixel.net	2 KB
1	hsleadflows.net js.hsleadflows.net	61 KB
1	googleapis.com fonts.googleapis.com	699 B
1	sf14g.com t.sf14g.com	37 KB
1	marinsm.com tag.marinsm.com	10 KB
1	googleadservices.com www.googleadservices.com	10 KB
90	31

	Domain	Requested by
31	www.cybereason.com	www.cybereason.com
12	use.typekit.net	www.cybereason.com use.typekit.net
9	pixel-geo.prfct.co	6 redirects www.cybereason.com
4	cdn2.hubspot.net	1 redirects www.cybereason.com
3	p.typekit.net	www.cybereason.com
2	px.ads.linkedin.com	1 redirects
2	track.hubspot.com
2	www.google-analytics.com	1 redirects www.cybereason.com
2	secure.adnxs.com	1 redirects www.cybereason.com
2	us-u.openx.net	1 redirects www.cybereason.com
2	tracking.leadlander.com	1 redirects www.cybereason.com
2	www.facebook.com	www.cybereason.com
2	www.google.de	www.cybereason.com
2	www.google.com	1 redirects www.cybereason.com
2	fonts.gstatic.com	www.cybereason.com
2	connect.facebook.net	www.cybereason.com connect.facebook.net
2	cdnjs.cloudflare.com	www.cybereason.com
1	www.linkedin.com	1 redirects
1	snap.licdn.com	js.hsadspixel.net
1	forms.hubspot.com	js.hsleadflows.net
1	stats.g.doubleclick.net	1 redirects
1	api.hubapi.com	js.hsadspixel.net
1	cm.g.doubleclick.net	1 redirects
1	pixel.rubiconproject.com	www.cybereason.com
1	pixel.prfct.co	www.cybereason.com
1	ads.yahoo.com	1 redirects
1	analytics.twitter.com	www.cybereason.com
1	vars.hotjar.com	static.hotjar.com
1	script.hotjar.com	static.hotjar.com
1	js.hs-analytics.net	www.cybereason.com
1	js.hsadspixel.net	www.cybereason.com
1	js.hsleadflows.net	www.cybereason.com
1	amplifypixel.outbrain.com	www.cybereason.com
1	tr.outbrain.com	www.cybereason.com
1	fonts.googleapis.com	www.cybereason.com
1	googleads.g.doubleclick.net	www.googleadservices.com
1	static.hotjar.com	www.cybereason.com
1	t.sf14g.com	www.cybereason.com
1	tag.marinsm.com	www.cybereason.com
1	amplify.outbrain.com	www.cybereason.com
1	www.googleadservices.com	www.cybereason.com
90	41

This site contains links to these domains. Also see Links.

Domain
twitter.com
www.linkedin.com
www.youtube.com
www.facebook.com
www.instagram.com

Subject Issuer	Validity	Valid
www.cybereason.com CloudFlare Inc ECC CA-2	`2019-09-17` - `2020-09-16`	a year	crt.sh
*.typekit.net DigiCert SHA2 Secure Server CA	`2019-12-06` - `2021-12-10`	2 years	crt.sh
www.googleadservices.com GTS CA 1O1	`2020-01-14` - `2020-04-07`	3 months	crt.sh
hubspot.net CloudFlare Inc ECC CA-2	`2019-04-16` - `2020-04-16`	a year	crt.sh
cloudflare.com CloudFlare Inc ECC CA-2	`2020-01-07` - `2020-10-09`	9 months	crt.sh
*.outbrain.com DigiCert SHA2 Secure Server CA	`2018-12-14` - `2020-03-14`	a year	crt.sh
g.ssl.fastly.net GlobalSign Organization Validation CA - SHA256 - G2	`2019-09-23` - `2020-09-23`	a year	crt.sh
*.facebook.com DigiCert SHA2 High Assurance Server CA	`2020-01-16` - `2020-04-15`	3 months	crt.sh
t.sf14g.com Go Daddy Secure Certificate Authority - G2	`2019-07-09` - `2020-09-07`	a year	crt.sh
static.hotjar.com Let's Encrypt Authority X3	`2019-12-05` - `2020-03-04`	3 months	crt.sh
*.g.doubleclick.net GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
*.storage.googleapis.com GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
*.google.com GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
www.google.com GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
www.google.de GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
ssl817706.cloudflaressl.com COMODO ECC Domain Validation Secure Server CA 2	`2020-01-21` - `2020-07-29`	6 months	crt.sh
ssl803643.cloudflaressl.com COMODO ECC Domain Validation Secure Server CA 2	`2019-11-06` - `2020-05-14`	6 months	crt.sh
ssl803670.cloudflaressl.com COMODO ECC Domain Validation Secure Server CA 2	`2019-11-06` - `2020-05-14`	6 months	crt.sh
script.hotjar.com Let's Encrypt Authority X3	`2019-12-05` - `2020-03-04`	3 months	crt.sh
vars.hotjar.com Let's Encrypt Authority X3	`2019-12-05` - `2020-03-04`	3 months	crt.sh
*.prfct.co DigiCert SHA2 Secure Server CA	`2019-09-03` - `2021-10-27`	2 years	crt.sh
*.leadlander.com Go Daddy Secure Certificate Authority - G2	`2019-07-09` - `2020-09-07`	a year	crt.sh
*.twitter.com DigiCert SHA2 High Assurance Server CA	`2019-04-09` - `2020-04-01`	a year	crt.sh
*.openx.net GeoTrust RSA CA 2018	`2018-01-04` - `2020-07-09`	3 years	crt.sh
*.rubiconproject.com DigiCert SHA2 Secure Server CA	`2019-01-10` - `2021-01-14`	2 years	crt.sh
*.adnxs.com DigiCert ECC Secure Server CA	`2019-01-23` - `2021-03-08`	2 years	crt.sh
*.google-analytics.com GTS CA 1O1	`2020-01-07` - `2020-03-31`	3 months	crt.sh
hubapi.com CloudFlare Inc ECC CA-2	`2020-01-21` - `2020-10-09`	9 months	crt.sh
hubspot.com CloudFlare Inc ECC CA-2	`2019-12-04` - `2020-10-09`	10 months	crt.sh
*.licdn.com DigiCert SHA2 Secure Server CA	`2019-04-01` - `2021-05-07`	2 years	crt.sh
px.ads.linkedin.com DigiCert SHA2 Secure Server CA	`2019-05-29` - `2021-06-29`	2 years	crt.sh

This page contains 2 frames:

Primary Page: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Frame ID: 4C58575DD74033D1E106F2E4D398B7FC
Requests: 89 HTTP requests in this frame

Frame: https://vars.hotjar.com/box-b736908ce6b0e933fad3a2e45df61b38.html
Frame ID: EA48B08754179D364F3C5711843E33E6
Requests: 1 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

CloudFlare (CDN) Expand

Overall confidence: 100%
Detected patterns

headers server /^cloudflare$/i

Facebook (Widgets) Expand

Overall confidence: 100%
Detected patterns

script /\/\/connect\.facebook\.net\/[^\/]*\/[a-z]*\.js/i

Google Analytics (Analytics) Expand

Overall confidence: 100%
Detected patterns

script /google-analytics\.com\/(?:ga|urchin|analytics)\.js/i

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

script /jquery[.-]([\d.]*\d)[^\/]*\.js/i
script /jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?/i

Page Statistics

90
Requests

100 %
HTTPS

56 %
IPv6

31
Domains

41
Subdomains

36
IPs

7
Countries

4097 kB
Transfer

5698 kB
Size

8
Cookies

5 Outgoing links

These are links going to different origins than the main page.

URL: https://twitter.com/cybereason
Title:

Search URL Search Domain Scan URL

URL: https://www.linkedin.com/company/cybereason
Title:

Search URL Search Domain Scan URL

URL: https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew
Title:

Search URL Search Domain Scan URL

URL: https://www.facebook.com/Cybereason/
Title:

Search URL Search Domain Scan URL

URL: https://www.instagram.com/cybereason/?hl=en
Title:

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 57

https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/Fonts/DINNextLTPro-Condensed.woff HTTP 301
https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/DINNextLTPro-Condensed.woff

Request Chain 70

https://pixel-geo.prfct.co/tagjs?a_id=71641&source=js_tag HTTP 302
https://pixel-geo.prfct.co/tagjs?check_cookie=1&a_id=71641&source=js_tag

Request Chain 71

https://tracking.leadlander.com/api/tracking?accountId=27717&page=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&referer=&fp=46b0604f6a632a0d294665c9ac64fb79 HTTP 302
https://tracking.leadlander.com/tracking.png

Request Chain 72

https://pixel-geo.prfct.co/cs/?partnerId=twtr HTTP 302
https://analytics.twitter.com/i/adsct?p_id=48571&p_user_id=pa_RBXx9dGQdRmB9V4io

Request Chain 73

https://pixel-geo.prfct.co/cs/?partnerId=yah HTTP 302
https://ads.yahoo.com/cms/v1?nwid=10001073209&eid=pa_RBXx9dGQdRmB9V4io&sigv=1&esig=2~3a7eb07647aa89322a772d2d5457ecca4c0c4fa1 HTTP 302
https://pixel.prfct.co/cb?partnerId=yah&xid=E0&eid=pa_RBXx9dGQdRmB9V4io

Request Chain 74

https://pixel-geo.prfct.co/cs/?partnerId=opx HTTP 302
https://us-u.openx.net/w/1.0/sd?id=537114372&val=pa_RBXx9dGQdRmB9V4io HTTP 302
https://us-u.openx.net/w/1.0/sd?cc=1&id=537114372&val=pa_RBXx9dGQdRmB9V4io

Request Chain 75

https://pixel-geo.prfct.co/cs/?partnerId=rbcn HTTP 302
https://pixel.rubiconproject.com/tap.php?v=189868&nid=4106&expires=30&put=pa_RBXx9dGQdRmB9V4io

Request Chain 76

https://pixel-geo.prfct.co/cs/?partnerId=goo HTTP 302
https://cm.g.doubleclick.net/pixel?google_nid=nowspots_bidder&google_hm=cGFfUkJYeDlkR1FkUm1COVY0aW8 HTTP 302
https://pixel-geo.prfct.co/cb?partnerId=goo

Request Chain 78

https://secure.adnxs.com/seg?t=2&add=8257847 HTTP 302
https://secure.adnxs.com/bounce?%2Fseg%3Ft%3D2%26add%3D8257847

Request Chain 83

https://www.google-analytics.com/r/collect?v=1&_v=j79&a=600435042&t=pageview&_s=1&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&ul=en-us&de=UTF-8&sd=24-bit&sr=1600x1200&vp=1585x1200&je=0&_u=IEBAAEAB~&jid=1924893207&gjid=1094317344&cid=1090695643.1580264848&tid=UA-56367941-1&_gid=1401977510.1580264848&_r=1&z=1977197227 HTTP 302
https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_gid=1401977510.1580264848&gjid=1094317344&_v=j79&z=1977197227 HTTP 302
https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227 HTTP 302
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227&slf_rd=1&random=2678009514

Request Chain 86

https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&time=1580264848449 HTTP 302
https://www.linkedin.com/px/li_sync?redirect=https%3A%2F%2Fpx.ads.linkedin.com%2Fcollect%3Fv%3D2%26fmt%3Djs%26pid%3D994281%26url%3Dhttps%253A%252F%252Fwww.cybereason.com%252Fblog%252Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%252Ccommunity-threat-briefing%252CTA505%252CServHelper%252Cbackdoor%26time%3D1580264848449%26liSync%3Dtrue HTTP 302
https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&time=1580264848449&liSync=true

90 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 404 Primary Request threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor Show response
www.cybereason.com/blog/ 48 KB
10 KB 536ms
298ms Document
text/html 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

3ebb579939eedb322901bf540c8e40df8176e375120b6638547bb8f270c3e33f

Security Headers

Name	Value
Strict-Transport-Security	max-age=0

Request headers

:method: GET
:authority: www.cybereason.com
:scheme: https
:path: /blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: none
sec-fetch-mode: navigate
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Sec-Fetch-User: ?1

Response headers

status: 404
date: Wed, 29 Jan 2020 02:27:26 GMT
content-type: text/html;charset=utf-8
set-cookie: __cfduid=d6ba6d33f7618fb7c874616d0863116161580264845; expires=Fri, 28-Feb-20 02:27:25 GMT; path=/; domain=.www.cybereason.com; HttpOnly; SameSite=Lax __cfruid=f624d47d1c414b79bfcf5dc96a12fb1859c0c18a-1580264846; path=/; domain=.www.cybereason.com; HttpOnly; Secure; SameSite=None
cf-ray: 55c7c45718e6c290-FRA
cache-control: s-maxage=5,max-age=5
strict-transport-security: max-age=0
vary: Accept-Encoding
cf-cache-status: MISS
access-control-allow-credentials: false
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-hs-reason: No view mapper found to handle request
x-hubspot-notfound: true
x-trace: 2B7FD1186FF06B7AD84D7F180F83DBEE3E8C87AEB663D4295752D9EB2D01
server: cloudflare
content-encoding: br

GET
H2 200 jquery-1.11.2.js Show response
www.cybereason.com/hs/hsstatic/jquery-libs/static-1.4/jquery/ 94 KB
32 KB 53ms
47ms Script
application/javascript 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs/hsstatic/jquery-libs/static-1.4/jquery/jquery-1.11.2.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 acb5e0138f17ffe7929a4d64a50c4a24.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 6672783
x-cache: Hit from cloudfront
status: 200
content-encoding: br
content-type: application/javascript; charset=utf-8
last-modified: Thu, 08 Jan 2015 18:08:00 GMT
server: cloudflare
etag: W/"5790ead7ad3ba27397aedfa3d263b867"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: null
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
x-amz-cf-pop: IAD79-C1
cf-ray: 55c7c4591b81c290-FRA
x-amz-cf-id: 4M9snjgk68qsYmuXR1mQhGXvjuiT4GNKfjfK6rWLBXxkvsUIVrgGQQ==

GET
H2 200 module_14462747638_DKS_-_Menu.min.css
www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/14462747638/1579800880846/ 7 KB
2 KB 29ms
21ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/14462747638/1579800880846/module_14462747638_DKS_-_Menu.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 9c0603ffab91caf9bd61d6572282a99b3a1dd8c139745f6e9d8f2577ca6ee9cd

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 2486
status: 200
content-type: text/css
x-amz-request-id: 115E22BA20A17B23
x-amz-id-2: aveHj4hvPutNeOhox7DmHXNVv/r8VOHXv7ouxJjm5pAzWMEOKpWaQm4i7STnnd3GXHHV5Ygm6bw=
last-modified: Thu, 23 Jan 2020 17:34:41 GMT
server: cloudflare
etag: W/"91cc3bb7e64b0e42c2ee50d00889a61f"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: LadfTcBoMN2sV7e_5aXl8veojavLZ.qP
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4591b87c290-FRA

GET
H2 200 module_17578879074_DKS_-_Footer_V2_Black.min.css
www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/17578879074/1578493251481/ 3 KB
1 KB 30ms
20ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/17578879074/1578493251481/module_17578879074_DKS_-_Footer_V2_Black.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 45462bf2bd5ec8a2557b0b5c8ceffe241c458f3336db3fc3cc16ab51cf7094f3

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 2486
status: 200
content-type: text/css
x-amz-request-id: 54CA6412CAA4F4D6
x-amz-id-2: 4mz13nfwLEBW1J/tuES85ovSDkKZtuL5NTAZkDQzFxvEi+t0JFvvtPnrPnoZB3TMX7LAzEvk3yE=
last-modified: Wed, 08 Jan 2020 14:20:52 GMT
server: cloudflare
etag: W/"474a2d28fb116e79be3d319d4a1367dc"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: _X6vTLw8LTmaFyOerhJDiHVzcIGrbb2E
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4592b8cc290-FRA

GET
H2 200 vyv2ljd.js Show response
use.typekit.net/ 20 KB
8 KB 46ms
36ms Script
text/javascript 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://use.typekit.net/vyv2ljd.js

Requested by

Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),

Reverse DNS

a104-111-215-74.deploy.static.akamaitechnologies.com

Software

nginx /

Resource Hash

cd7908a80313043ae934d5f599a062460c50f94370cee5dc092e0cb9b8d123ef

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains;

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; includeSubDomains;
content-encoding: gzip
server: nginx
access-control-allow-origin: *
date: Wed, 29 Jan 2020 02:27:26 GMT
vary: Accept-Encoding
content-type: text/javascript;charset=utf-8
status: 200
cache-control: public, max-age=600, stale-while-revalidate=604800
timing-allow-origin: *
content-length: 7640

GET
H2 200 conversion.js Show response
www.googleadservices.com/pagead/ 25 KB
10 KB 79ms
30ms Script
text/javascript 172.217.16.130
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googleadservices.com/pagead/conversion.js

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

172.217.16.130 , United States, ASN15169 (GOOGLE, US),

Reverse DNS

fra15s46-in-f2.1e100.net

Software

cafe /

Resource Hash

cff3976cac7138e8f00fcc062246391c24320fbbb27de20e73f444dfb0175dea

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
content-disposition: attachment; filename="f.txt"
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 9861
x-xss-protection: 0
server: cafe
etag: 760867605304960766
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
cache-control: private, max-age=3600
timing-allow-origin: *
expires: Wed, 29 Jan 2020 02:27:26 GMT

GET
H2 200 layout.min.css
cdn2.hubspot.net/hub/-1/hub_generated/template_assets/1495141902003/hubspot_default/shared/responsive/ 5 KB
2 KB 37ms
12ms Stylesheet
text/css 2606:4700::6811:f3cc
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://cdn2.hubspot.net/hub/-1/hub_generated/template_assets/1495141902003/hubspot_default/shared/responsive/layout.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:f3cc , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 341a4d40ad1b2560db940f906716d0e9539d4c0785399d7e0348fd0d3af00170

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
cf-cache-status: HIT
age: 3639
status: 200
x-amz-meta-md5-hash: 0b0c633d59ab0af9553a98c0e7d97349
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 43
last-modified: Thu, 18 May 2017 21:11:43 GMT
server: cloudflare
etag: W/"0b0c633d59ab0af9553a98c0e7d97349"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: text/css
cache-control: s-maxage=1209600, max-age=1209600
x-amz-cf-pop: IAD89-C2
cf-ray: 55c7c4594ecec2f9-FRA

GET
H2 200 cybereason-custom-style.min.css
www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/ 140 KB
24 KB 29ms
18ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/cybereason-custom-style.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 40951851856bfd237871f8f651d606c91ca562229e7bb5b56e0e1fe7c44c120d

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 2486
status: 200
content-type: text/css
x-amz-request-id: AAF7592D202353A2
x-amz-id-2: 9lOb0c1T0u48kb0EqX7RtI8k4Aczw7V8GK/hCk6GIgTsJ8r7ULD+ipoWLccQci9sEu0MQkeyzjQ=
last-modified: Tue, 28 Jan 2020 14:08:12 GMT
server: cloudflare
etag: W/"ec6e6cd1f856a08ec982259a0b269e2f"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: IGQKFYAcMGadA5A_yHrfdBiVRxrtUyGk
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4592b8fc290-FRA

GET
H2 200 cybereason-product.min.css
www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5350675680/1569776472016/Custom/page/web_page_basic/ 25 KB
5 KB 33ms
22ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5350675680/1569776472016/Custom/page/web_page_basic/cybereason-product.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: fbdacf704d25985f21e496696895dc3006cdaf8ad5ff0fbc2b9b2b82a720ec45

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 2486
status: 200
content-type: text/css
x-amz-request-id: D38C179390E39FD6
x-amz-id-2: 57fY/+Wa7CSKkAoRamCBrNbsXQjF/l6wmuZFD3kAWpbD68Y0j1V1EpAZcug+gfN0uCZg379YUP8=
last-modified: Sun, 29 Sep 2019 17:01:13 GMT
server: cloudflare
etag: W/"f9e1f4154bf18a46db5c0d5339be1eae"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: .jyPJU5MUnjZZbvo9tuoNMCxcUUQxu8b
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4592b90c290-FRA

GET
H2 200 cr-error-page-style.min.css
www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5456085634/1578413166577/Custom/page/web_page_basic/ 16 KB
4 KB 152ms
142ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5456085634/1578413166577/Custom/page/web_page_basic/cr-error-page-style.min.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: bd2e9cca4744aba9195b6307d2afc4657d0070e8d973f3082ac77fb42c88008b

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: REVALIDATED
x-amz-request-id: F4B14806197C33AF
status: 200
content-type: text/css
x-amz-id-2: a4hzJ5+MwKDovDx/FA3PkfN5GSFD6ii8lL+uIq2BtlwC6pbjyUBcdphKE44px23iJ4v6xR6bW6w=
last-modified: Tue, 07 Jan 2020 16:06:07 GMT
server: cloudflare
etag: W/"fa20a98742ad9d96a041ebd08c2045be"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: aTysfmTur4._7Th6lrEprXyfppkIShku
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4592b91c290-FRA

GET
H2 200 animate.css
www.cybereason.com/hubfs/Cybereason%20Files/ 71 KB
5 KB 28ms
19ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hubfs/Cybereason%20Files/animate.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: d34c3af0d3b74cbb878ca4472668ebae02410ed1bfe8e85b244bb582d1dcb2ea

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 a56d6b55603697d6c44b19d4f907baaa.cloudfront.net (CloudFront)
cf-cache-status: HIT
x-amz-meta-cache-tag: F-5350556817,P-3354902,FLS-ALL
age: 2486
edge-cache-tag: F-5350556817,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: ADAC73586C779BA6
x-amz-id-2: u8sM0+Q2C9VCjJ5Uiiz5nT9PinvF/27z8QC80PFTn7JIDiU+ZGr0NK/B/dV0ZJZ6xy+fMb9ey1o=
last-modified: Sun, 08 Oct 2017 14:12:46 GMT
server: cloudflare
etag: W/"07f146141537e04ee282a965d8053198"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: text/css
x-amz-meta-edge-cache-tag: F-5350556817,FD-5348465344,P-3354902
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: obfNN9HIvzQju6mWvHM.vbfWve767qSn
x-amz-cf-pop: FRA6-C1
cf-ray: 55c7c4592b92c290-FRA
x-amz-cf-id: uzzorhHB1Bq2SOIXWyqP6Y6G_6l7cedVyjq0Km0URJaLxKsXt07RJA==

GET
H2 200 font-awesome.min.css
cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/ 30 KB
7 KB 21ms
12ms Stylesheet
text/css 2606:4700::6811:4004
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6811:4004 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd

Security Headers

Name	Value
Strict-Transport-Security	max-age=15780000; includeSubDomains

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 7753691
cf-ray: 55c7c45929fbd719-FRA
status: 200
strict-transport-security: max-age=15780000; includeSubDomains
alt-svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
last-modified: Thu, 17 May 2018 09:19:53 GMT
server: cloudflare
etag: W/"5afd4939-7918"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: text/css
access-control-allow-origin: *
expires: Mon, 18 Jan 2021 02:27:26 GMT
cache-control: public, max-age=30672000
timing-allow-origin: *
served-in-seconds: 0.001

GET
H2 200 hamburgers.css
www.cybereason.com/hubfs/Cybereason%20Files/ 26 KB
3 KB 28ms
20ms Stylesheet
text/css 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hubfs/Cybereason%20Files/hamburgers.css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: f9d2c69dd090f9e7939e843b439d1fcec1969f8f3a03eee39bc15e5aae11a7d2

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 21da0a66bafe2c8de8be4a4d8039346b.cloudfront.net (CloudFront)
cf-cache-status: HIT
x-amz-meta-cache-tag: F-5363488069,P-3354902,FLS-ALL
age: 2486
edge-cache-tag: F-5363488069,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: 26D8810C4B7E6961
x-amz-id-2: aijhJuGt6LxSGMMauZT/emTj8DxqfJQcWd+ZFDNKEveRSijKXZ+sT8rJlxQvivp9um670ykxpWk=
last-modified: Sun, 08 Oct 2017 14:13:25 GMT
server: cloudflare
etag: W/"f460b27b7f43507f41d1e073135f17a0"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: text/css
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: j00H_hHfEv0esfOFOi.DmEbkn25fJDN1
x-amz-cf-pop: FRA6-C1
cf-ray: 55c7c4592b93c290-FRA
x-amz-cf-id: nUFJS6XFa-7JLhzJJxUo2AOAQIpjc6ZXser3TU99Yz6zzs8gJW8j-w==

GET
H2 200 cybereason-custom.js Show response
www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5350539849/1569776480490/Custom/page/web_page_basic/ 5 KB
2 KB 33ms
25ms Script
application/javascript 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5350539849/1569776480490/Custom/page/web_page_basic/cybereason-custom.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: caa333db2175837df41125b50f0c0169c55f919427ee2c6992e2566948e9e518

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
age: 2486
status: 200
content-type: application/javascript; charset=utf-8
x-amz-request-id: F2C3858ED0C4821B
x-amz-id-2: uFANtJt21qLbKxYPnLI6kb3sG8jXcXTKDVWlf3zc70cgCWUu4iMK0qJEX6qIWICZfJv68z2G5YU=
last-modified: Sun, 29 Sep 2019 17:01:21 GMT
server: cloudflare
etag: W/"5ef74fad1c1382e5acb9ca424910aae0"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: QSLj7gaEL7IC2nt4kS1_hdFjsekt2ki6
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
cf-ray: 55c7c4592b96c290-FRA

GET
H2 200 LOGO-Web-Owl-Mono-Copy.png
www.cybereason.com/hs-fs/hubfs/ 4 KB
4 KB 32ms
24ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hs-fs/hubfs/LOGO-Web-Owl-Mono-Copy.png?width=306&name=LOGO-Web-Owl-Mono-Copy.png
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 6561b2dd1e1b0f9b2f678dfd01a29e1174ec8ac628405a546e42b717a2d3388b

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 ae3759c8dc48487a424a60bd577ad555.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 969625
cf-polished: origFmt=png, origSize=8547
edge-cache-tag: F-6694579067,P-3354902,FLS-ALL
status: 200
content-disposition: inline; filename="LOGO-Web-Owl-Mono-Copy.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-length: 4120
x-cache: Miss from cloudfront
last-modified: Mon, 03 Dec 2018 23:05:56 GMT
server: cloudflare
etag: "272c915f8898375baf0a61f20d6a437c"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
access-control-allow-credentials: false
x-amz-cf-pop: IAD89-C2
accept-ranges: bytes
cf-ray: 55c7c4592b97c290-FRA
x-amz-cf-id: yyXHpR6XBm5qIK351CvZMMktdsalbRbKJTPU9yRaphqvaphXsQhsTw==
cf-bgj: imgq:85

GET
H2 200 CR%20Logo%20copy.png
www.cybereason.com/hs-fs/hubfs/Cybereason%20Logos/ 2 KB
2 KB 199ms
192ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hs-fs/hubfs/Cybereason%20Logos/CR%20Logo%20copy.png?width=228&name=CR%20Logo%20copy.png
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: a4aeba3c62a91ed236d5acdc5ea52f5e051801379d306817ad8f4c850e550d2a

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 8fc9659fc06389e49927f68638e9bc94.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-cf-pop: IAD89-C1
cf-polished: origFmt=png, origSize=3695
edge-cache-tag: F-6696434934,FD-5166594488,P-3354902,FLS-ALL
status: 200
content-disposition: inline; filename="CR%20Logo%20copy.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-length: 1838
x-cache: Miss from cloudfront
last-modified: Tue, 04 Dec 2018 06:42:08 GMT
server: cloudflare
etag: "23310787edb9779a8e7eaeb7b306639b"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
access-control-allow-credentials: false
accept-ranges: bytes
cf-ray: 55c7c4592b98c290-FRA
x-amz-cf-id: F3o02Uo0T26u7gLkb0T-eR8f61ovFx6pxWXd2E1AHtEgdAZtt9uznQ==
cf-bgj: imgq:85

GET
H2 200 cr-owl-logomobile.png
www.cybereason.com/hs-fs/hubfs/Cybereason%20Files/images/ 5 KB
6 KB 22ms
22ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hs-fs/hubfs/Cybereason%20Files/images/cr-owl-logomobile.png?width=220&name=cr-owl-logomobile.png
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 1a6e3510af52bd4c550e719eef6ae49cfd1ff4be530c8240b4c8233a2860747d

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 d4b41c13595dcfd327649d8cdea72ce8.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 969624
cf-polished: origFmt=png, origSize=9128
edge-cache-tag: F-6598017767,FD-5348774744,P-3354902,FLS-ALL
status: 200
content-disposition: inline; filename="cr-owl-logomobile.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-length: 5558
x-cache: Miss from cloudfront
last-modified: Fri, 23 Nov 2018 19:10:03 GMT
server: cloudflare
etag: "766b51e70e55d99809346026aba1e8ce"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
access-control-allow-credentials: false
x-amz-cf-pop: IAD89-C3
accept-ranges: bytes
cf-ray: 55c7c459ac2fc290-FRA
x-amz-cf-id: U0WIHBGncZ_SxdGhXvnhbaICDFZOTvqePh0U7_KcOl8jboR_BDeuwg==
cf-bgj: imgq:85

GET
H2 200 cr-nav-platform-cta-sm.png
www.cybereason.com/hubfs/Award%20Logos/ 45 KB
45 KB 284ms
284ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Award%20Logos/cr-nav-platform-cta-sm.png
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 0d111c83d2520fd8d1ec059493162072af6e97b725aa4b56eb846f09a01f8e9c

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 c05282a87474a55ae2a8dd2aa77d1233.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-19074217591,FD-5876486557,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
cf-polished: origFmt=png, origSize=49423
edge-cache-tag: F-19074217591,FD-5876486557,P-3354902,FLS-ALL
status: 200
content-length: 45704
content-disposition: inline; filename="cr-nav-platform-cta-sm.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 99CF5EB5330C54D4
x-amz-id-2: pxgujia/zvXePEhCCPbGT5wLYdQTRTn3LTSNYRfwtHtdODob/eOC5JET+DQYNmSsF30PyGC7UYw=
x-cache: Miss from cloudfront
last-modified: Wed, 23 Oct 2019 18:39:48 GMT
server: cloudflare
etag: "954ec251009f855ca41c27fb77257c50"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: mzDN6bdznDFNk4FUdOIJrHxzn9JFsv4o
accept-ranges: bytes
cf-ray: 55c7c459dc66c290-FRA
x-amz-cf-id: vTHw_7MYBmC9sXhNCGfTMzeFaOXX_jmgr1zOrQEwJFiwjmhXORSBXg==
cf-bgj: imgq:85

GET
H2 200 andy-feliciotti-8cvjI48SFtY-unsplash-1.jpg
www.cybereason.com/hubfs/ 3 MB
3 MB 33ms
31ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/andy-feliciotti-8cvjI48SFtY-unsplash-1.jpg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 0b95fde1d439e2f692fed3050704dd9c215db5e5633cbf58e533e69e4a7a4201

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 32e3b86ae254a231182567c0124af893.cloudfront.net (CloudFront)
cf-cache-status: HIT
x-amz-meta-cache-tag: F-24933586851,P-3354902,FLS-ALL
age: 47076
cf-polished: qual=85, origFmt=jpeg, origSize=3632844
edge-cache-tag: F-24933586851,P-3354902,FLS-ALL
status: 200
content-length: 2638212
content-disposition: inline; filename="andy-feliciotti-8cvjI48SFtY-unsplash-1.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 53
x-amz-request-id: 350BC6346E257F29
x-amz-id-2: PfEY0mKCONwEN9NwXOB1AAwCjZOMwhmbeHZo4JQn3iLfcQa3k9+D4cu4tQOglD3Zyyx1stFeXWE=
x-cache: Miss from cloudfront
last-modified: Tue, 28 Jan 2020 04:28:06 GMT
server: cloudflare
etag: "b35b00c9b8e02e3151ab1313651020d5"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1814400, max-age=1209600, stale-while-revalidate=900
x-amz-version-id: VUsJBG66ZOXR11aEUncD5AOVmo9qEWft
x-amz-cf-pop: FRA2-C2
accept-ranges: bytes
cf-ray: 55c7c45a1caac290-FRA
x-amz-cf-id: LMDrCp-rm-56uHvcPbgXP5zZAmHIB3s7lJV_YmO7JenJ4-9LvTF3NQ==
cf-bgj: imgq:85

GET
H2 200 Best-ML_Eps-Featured-Image.jpg
www.cybereason.com/hubfs/ 156 KB
157 KB 237ms
235ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Best-ML_Eps-Featured-Image.jpg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 81df013a0d95c9d2f07390ea55bac2fb08ad4a78641630b67cbe0e673ebab173

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 ee6ddabcc69c6aa1c28ad24a4a8f86b2.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-24325046611,P-3354902,FLS-ALL
x-amz-cf-pop: FRA50-C1
cf-polished: qual=85, origFmt=jpeg, origSize=223949
edge-cache-tag: F-24325046611,P-3354902,FLS-ALL
status: 200
content-length: 159876
content-disposition: inline; filename="Best-ML_Eps-Featured-Image.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 3987C3BEB1BBF9BB
x-amz-id-2: auX+rsPi0K+bVpW82Jlv2UtkJ/r+fmeHvyqR1w/xXJQymB2lw62teVjHmp6SO0lxib7KtRA750M=
x-cache: Miss from cloudfront
last-modified: Mon, 13 Jan 2020 17:02:42 GMT
server: cloudflare
etag: "40dda2b4adadfd21899328ddaa10831d"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: 02INLsDHf.ZlZqVHuVq2ztcP9qAjWnJU
accept-ranges: bytes
cf-ray: 55c7c45a1cabc290-FRA
x-amz-cf-id: qrJtCyPtx32VKDREFnhlnrZqzpIwwpKYftcK4_ttqfU-bXiadp-6eg==
cf-bgj: imgq:85

GET
H2 200 Iran-US-Blog-Image-sm.jpg
www.cybereason.com/hubfs/ 53 KB
53 KB 148ms
146ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Iran-US-Blog-Image-sm.jpg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: afae720ab42e55b7d00fab2ded53702ebbd40d1cc64d353103ec07a2fc2b4219

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 fd2756277dcf50743fb09f4526b54aca.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-24022758805,P-3354902,FLS-ALL
x-amz-cf-pop: VIE50-C1
cf-polished: qual=85, origFmt=jpeg, origSize=104282
edge-cache-tag: F-24022758805,P-3354902,FLS-ALL
status: 200
content-length: 54120
content-disposition: inline; filename="Iran-US-Blog-Image-sm.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 15487D66999C740F
x-amz-id-2: NND5NPMPTNJ4eRRM54mZkrogYlhZKZwGzv0lFs7pnTg0EmCSSQ6+3K5jmzugazUGthFaG4cwKRE=
x-cache: Miss from cloudfront
last-modified: Fri, 03 Jan 2020 20:29:46 GMT
server: cloudflare
etag: "95297af73e9ab1a8af62fcc9860589cd"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: F3WcFlzNs17oxc2g1rAx4ETCDrzHbTYA
accept-ranges: bytes
cf-ray: 55c7c45a1cadc290-FRA
x-amz-cf-id: _3ON-ZzIHIhzxsWCdAwVyU1fc0wDckrI3YgxTNuBy7kwKextnkbk3Q==
cf-bgj: imgq:85

GET
H2 200 cr-logo.svg
www.cybereason.com/hubfs/ 7 KB
4 KB 241ms
240ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/cr-logo.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 173db45379b49d9271f8638f9f80936b5e74671a2bbb8376e394090ae9db931e

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 d07eabeb1ed60c06da1457f35fb5c8c5.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21223925924,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21223925924,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: B9852A802F6921C4
x-amz-id-2: EbokLt1NT3eTvxkzzkQwhqmxN1+kzAL8/KV3dMsaPvFzivOazWOTqYuoAt6zGKJeI2NEV2Qe+tY=
last-modified: Thu, 14 Nov 2019 17:13:14 GMT
server: cloudflare
etag: W/"adecc79934699dcf241e9b6f8f8b280b"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: B.7LxTlHESzhX6SLvf9EJR3NJ0vLM7Ei
cf-ray: 55c7c45a1caec290-FRA
x-amz-cf-id: Bscfc2k87AxwZrK-vVOH29kGZQdzTpxfaSqmQZbHtXqX4tx9tuYoew==

GET
H2 200 twitter.svg
www.cybereason.com/hubfs/social-icons/ 792 B
812 B 272ms
270ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/social-icons/twitter.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 0005cf2627e9e54179f90c78bbf355fccafb3907c4ae9e699bc09c4a57d75bf6

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 8e04f5d6c745b231c10fce7c2aa9c70f.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21232815295,FD-5415380040,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21232815295,FD-5415380040,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: 271E2E60DCB62DE6
x-amz-id-2: gHiiZWkF4X8/4VBempeeXpVgES5yfOhIE5K4WjhOR2gxs2qZsHsOaTRmpXJebNjK87SAihWFncc=
last-modified: Thu, 14 Nov 2019 17:24:01 GMT
server: cloudflare
etag: W/"14debb189e620cc0a3c4ea84a614b8d3"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: IMkvHwxtEDDIUOZjgxuxmMpUX.nX82Sy
cf-ray: 55c7c45a1cafc290-FRA
x-amz-cf-id: jrMjODu3AZZXk_lOdW82rsAdmZr8hRjbKLKwApWIHqoCo8MbdSBF2g==

GET
H2 200 linkedin.svg
www.cybereason.com/hubfs/social-icons/ 529 B
797 B 149ms
147ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/social-icons/linkedin.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 3fc1bd4c0666cad8d8af42cf8f26c59bc5535b3d907b4db560c7db627e1e5253

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 d5fb859c39a16d7f218b4c7fb1528ad6.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21232480017,FD-5415380040,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21232480017,FD-5415380040,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: B25590D16E6D57E7
x-amz-id-2: Yysjy9jm0eZZwnFTeXb3/l5ZUs1NDVxO52Hcow855pkOxSekf+07wyOFBBXhH/rZW3QvUC9Zbbc=
last-modified: Thu, 14 Nov 2019 17:24:01 GMT
server: cloudflare
etag: W/"847da66019040cba5b0aed254309f083"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: b893YG7fG7.uXMP.wuBYwG7bD7IigLB0
cf-ray: 55c7c45a1cb0c290-FRA
x-amz-cf-id: 47qGqXorWti_uQI06S-uPshXvuK6jWr4QeNQKZ9QFUv5JyopfdkIdg==

GET
H2 200 youtube.svg
www.cybereason.com/hubfs/social-icons/ 729 B
722 B 167ms
165ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/social-icons/youtube.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 312c7a4e3e547301e162c0bf3a7788cf8d52caf2668fbafc01351c9185b97ce4

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 a56d6b55603697d6c44b19d4f907baaa.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21232480018,FD-5415380040,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21232480018,FD-5415380040,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: 17CD4000B350DA93
x-amz-id-2: jot6WeG/mO+uYffq5Rzjg1+uLYNTdYw40hyotDOp3AEuPmnyFgaGXOYdOlrNOFxTyWnKIpIU0V8=
last-modified: Thu, 14 Nov 2019 17:24:01 GMT
server: cloudflare
etag: W/"8c8a5ac2ddb60a58a59c7236297f35e4"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: FRY7VN7QoyOabw.AAGUdC1vw3qSDmi_m
cf-ray: 55c7c45a1cb1c290-FRA
x-amz-cf-id: IYPkOWARk6rWTqjtkz4HLWMw7BdvUjjJHwuCJjxx4RI7s5UZ9Zp7Fw==

GET
H2 200 facebook.svg
www.cybereason.com/hubfs/social-icons/ 433 B
808 B 152ms
150ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/social-icons/facebook.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: b329852f8f537591d001152e26a1b598ef4e4466fa10d859135843c307d5344e

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 163be08bc1bc44818353c4fd88655bee.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21224264479,FD-5415380040,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21224264479,FD-5415380040,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: B2257372163CBA21
x-amz-id-2: qVA4DACvAXq0Sj4JyR7qfB1xGeq4b9lQcnRUecHOfVFjaxLLhFQACIvy7j7pZwH2sxaCzr+o1pw=
last-modified: Thu, 14 Nov 2019 17:24:01 GMT
server: cloudflare
etag: W/"e97d7b693699cf2ee748031bf4de38f0"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: C89llISjlQVo62IUPVtqXB4yDzHnmHiT
cf-ray: 55c7c45a1cb2c290-FRA
x-amz-cf-id: d7H1FxRzrJJ4EbD5VNAOgzul6InqOPuBb2g0ilKOB3LejadurzdIQQ==

GET
H2 200 instagram.svg
www.cybereason.com/hubfs/social-icons/ 2 KB
1 KB 245ms
243ms Image
image/svg+xml 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/social-icons/instagram.svg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 008a6b447b38fe87dac9127b3e47c83f89df61e8ac7285a7e86051ee89e99af9

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 25c6baf0a31a5ef699c1e219b25ce7b9.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-21223960139,FD-5415380040,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-21223960139,FD-5415380040,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
content-encoding: br
x-amz-request-id: C2175FD47740E975
x-amz-id-2: uOgfL/9Nrnki/jz1GoExwSa1+I0npDSTRp0EzYlo4DsTBRVi3qWurFhsX71g6CaxFfH7nElHF+A=
last-modified: Thu, 14 Nov 2019 17:24:01 GMT
server: cloudflare
etag: W/"a1012cd27290947d9af72c0ea4236beb"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: q2McvAidvV50PdQS5eg2kQ60XsPr41Is
cf-ray: 55c7c45a1cb3c290-FRA
x-amz-cf-id: TQdogitqvhJFXp0eKmHJumwPl81qQ2L8cBWY0MggzjLldnzKU-__ZQ==

GET
H2 200 index.js Show response
www.cybereason.com/hs/hsstatic/HubspotToolsMenu/static-1.56/js/ 9 KB
3 KB 19ms
19ms Script
application/javascript 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs/hsstatic/HubspotToolsMenu/static-1.56/js/index.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 147498d5be9d1aeb765c07a2789d7379a690cbcd52abcc1cacdd0203bd8e009b

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 b4346add631a498bf6cdbf88cbc5ff13.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 1926618
x-cache: Hit from cloudfront
status: 200
x-amz-replication-status: COMPLETED
content-encoding: br
content-type: application/javascript; charset=utf-8
last-modified: Mon, 06 Jan 2020 18:30:12 GMT
server: cloudflare
etag: W/"162b4f467addf4ea5c010d1097fd9e14"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: St0U51eKUSNLxvhUwOEN3IuM2RIMZRGK
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
x-amz-cf-pop: IAD89-C1
cf-ray: 55c7c4595bc8c290-FRA
x-amz-cf-id: iOkY5rzP1q351GJ0XGkvHce6OHU5OAj4fYQ3LnoEvr_J2-MBdvKQlA==

GET
H2 200 project.js Show response
www.cybereason.com/hs/hsstatic/cos-i18n/static-1.10/bundles/ 1 KB
769 B 22ms
22ms Script
application/javascript 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs/hsstatic/cos-i18n/static-1.10/bundles/project.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: ab449241b50123673e76dbcd70f869ae11d26920f0ce1670fdfd266308058179

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 b3e6aa6408d9b27acff39fa80612846a.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 6673369
x-cache: Hit from cloudfront
status: 200
x-amz-replication-status: COMPLETED
content-encoding: br
content-type: application/javascript; charset=utf-8
last-modified: Wed, 13 Sep 2017 02:51:30 GMT
server: cloudflare
etag: W/"0011aaf4067b097bcbfd9dc99a4b94c0"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: p6iak7Gl9Xyg7crK_8XyTwctOBvKD1DL
cache-control: s-maxage=31536000, max-age=31536000
access-control-allow-credentials: false
x-amz-cf-pop: IAD79-C2
cf-ray: 55c7c4598c0bc290-FRA
x-amz-cf-id: lLi1CcBmx-Xi6FkLEYHd3WlIecrpOBbSH03-q6iXq3O7SpgZHkNKEw==

GET
H2 200 3354902.js Show response
www.cybereason.com/hs/scriptloader/ 1 KB
607 B 39ms
38ms Script
application/javascript 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hs/scriptloader/3354902.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 0fb004ca41b69a2343b80215a0a1db01baf9f9460d77d6532b8c2f966e57c2d7

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
cf-cache-status: HIT
server: cloudflare
age: 65
x-trace: 2BB3725E86703B6CBD1075B25434EEFB6E9405C5EE000000000000000000
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: application/javascript;charset=utf-8
status: 200
cache-control: public, max-age=60
access-control-allow-credentials: false
cf-ray: 55c7c45a1cb4c290-FRA
expires: Wed, 29 Jan 2020 02:27:21 GMT

GET
H/1.1 200
OK obtp.js Show response
amplify.outbrain.com/cp/ 6 KB
3 KB 23ms
22ms Script
application/x-javascript 2.18.234.190
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://amplify.outbrain.com/cp/obtp.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.234.190 , Ascension Island, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a2-18-234-190.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 8bd397636ecd49c36d687ad591807ea5ee621b1e11888657827902a5003fc4bb

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:26 GMT
Content-Encoding: gzip
Last-Modified: Tue, 07 Jan 2020 07:28:40 GMT
Server: AkamaiNetStorage
ETag: "522e4451790939ca385c10f4b474de63:1578382119.826889"
Vary: Accept-Encoding
Content-Type: application/x-javascript
Cache-Control: max-age=1200
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 2617
Expires: Wed, 29 Jan 2020 02:47:26 GMT

GET
H/1.1 200
OK 58e26bc626b13471520000d9.js Show response
tag.marinsm.com/serve/ 38 KB
10 KB 365ms
312ms Script
text/javascript 151.101.12.65
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://tag.marinsm.com/serve/58e26bc626b13471520000d9.js

Requested by

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.12.65 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Cowboy /

Resource Hash

154991194443aaeb774be577ea462c94fb6375d3926af0e00b6896581000a593

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:26 GMT
Via: 1.1 vegur, 1.1 varnish
X-Content-Type-Options: nosniff
Age: 0
X-Cache: MISS
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 9671
X-Served-By: cache-fra19136-FRA
Server: Cowboy
X-Timer: S1580264846.469944,VS0,VE290
Vary: Accept-Encoding
Content-Type: text/javascript
Cache-Control: max-age=1800
Accept-Ranges: bytes
X-Cache-Hits: 0

GET
H2 200 fbevents.js Show response
connect.facebook.net/en_US/ 126 KB
30 KB 18ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
FACEBOOK

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/en_US/fbevents.js

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK, US),

Reverse DNS

Software

Resource Hash

5a91c6d3e635c0bd1551a53cf0769328132151a7732039170280d500dbcb4685

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-24=":443"; ma=3600
content-length: 30466
x-xss-protection: 0
pragma: public
x-fb-debug: 9nSgVbie0SZTmZsncBhT+VR7e7wJVJuuuVKC1qFbkRF7MaYVuUzne43WyYHBOfMziA42iRe76PmBTzGGGGXZBA==
x-fb-trip-id: 1850256238
date: Wed, 29 Jan 2020 02:27:26 GMT, Wed, 29 Jan 2020 02:27:26 GMT
x-frame-options: DENY
content-type: application/x-javascript; charset=utf-8
vary: Accept-Encoding
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 sf14g.js Show response
t.sf14g.com/ 37 KB
37 KB 368ms
105ms Script
application/javascript 34.192.123.20
AMAZON-AES

General

Check archive.org

Show headers Download Go to

Full URL

https://t.sf14g.com/sf14g.js

Requested by

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

34.192.123.20 Ashburn, United States, ASN14618 (AMAZON-AES, US),

Reverse DNS

ec2-34-192-123-20.compute-1.amazonaws.com

Software

Kestrel /

Resource Hash

86ecafc33ecb5976760d6b5f13a2874525e3f4bfa8b12a0e14d6c98ae9e727cd

Security Headers

Name	Value
Strict-Transport-Security	max-age=2592000

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
last-modified: Tue, 16 Oct 2018 18:33:02 GMT
server: Kestrel
etag: "1d4657eab9c909b"
strict-transport-security: max-age=2592000
content-type: application/javascript
status: 200
accept-ranges: bytes
content-length: 37787

GET
H2 200 hotjar-704918.js Show response
static.hotjar.com/c/ 10 KB
3 KB 127ms
94ms Script
application/javascript 147.75.32.13
PACKET

General

Check archive.org

Show headers Download Go to

Full URL

https://static.hotjar.com/c/hotjar-704918.js?sv=6

Requested by

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

147.75.32.13 Amsterdam, Netherlands, ASN54825 (PACKET, US),

Reverse DNS

pkt-ams-k2-shared-ingress9

Software

Resource Hash

d9f014cbe9f87cab0d9b88591cf9213592d8c2864c71347fea3f720a3c205d52

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
x-content-type-options: nosniff
content-type: application/javascript
section-io-tag: hotjar
age: 0
status: 200
access-control-max-age: 600
section-io-cache: Miss
content-length: 2903
x-cache-hit: 1
x-frame-options: SAMEORIGIN
etag: W/ef1e096e3ed04bdb0dd17607edc77be9
vary: Accept-Encoding
section-io-origin-status: 304
access-control-allow-origin: *
cache-control: max-age=60
section-io-origin-time-seconds: 0.078
accept-ranges: bytes
section-io-id: 2b05cde7d5cd10d6710e4aaa2d825808
section-origin-responded: true

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/934771702/ 2 KB
1 KB 17ms
16ms Script
text/javascript 2a00:1450:4001:81f::2002
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/934771702/?random=1580264846333&cv=9&fst=1580264846333&num=1&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=60&u_java=false&u_nplug=0&u_nmime=0&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&hn=www.googleadservices.com&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81f::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

cafe /

Resource Hash

2abcb62d0ad8bf23d79121b6579e6f11bb23858b5278685f6c141272aa392bc0

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
x-content-type-options: nosniff
content-type: text/javascript; charset=UTF-8
server: cafe
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
timing-allow-origin: *
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1061
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 vyv2ljd.css
use.typekit.net/ 6 KB
1 KB 32ms
31ms Stylesheet
text/css 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://use.typekit.net/vyv2ljd.css

Requested by

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),

Reverse DNS

a104-111-215-74.deploy.static.akamaitechnologies.com

Software

nginx /

Resource Hash

c1de9047e79d87bf90dc2f9f9babdce177018246ec94d1085855d0eddbec97c2

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains;

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; includeSubDomains;
content-encoding: gzip
server: nginx
access-control-allow-origin: *
date: Wed, 29 Jan 2020 02:27:26 GMT
vary: Accept-Encoding
content-type: text/css;charset=utf-8
status: 200
cache-control: private, max-age=600, stale-while-revalidate=604800
timing-allow-origin: *
content-length: 911

GET
H2 200 xbn0btk.css
use.typekit.net/ 5 KB
1 KB 32ms
32ms Stylesheet
text/css 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://use.typekit.net/xbn0btk.css

Requested by

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),

Reverse DNS

a104-111-215-74.deploy.static.akamaitechnologies.com

Software

nginx /

Resource Hash

dc061591e172e05940848ca0fde2c3163d7acbc1a308afeb71e057676fc6cb2a

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains;

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; includeSubDomains;
content-encoding: gzip
server: nginx
access-control-allow-origin: *
date: Wed, 29 Jan 2020 02:27:26 GMT
vary: Accept-Encoding
content-type: text/css;charset=utf-8
status: 200
cache-control: private, max-age=600, stale-while-revalidate=604800
timing-allow-origin: *
content-length: 862

GET
H2 200 css
fonts.googleapis.com/ 6 KB
699 B 16ms
16ms Stylesheet
text/css 2a00:1450:4001:806::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=IBM+Plex+Mono:400,500,700&display=swap

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:806::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

ESF /

Resource Hash

38989f607265ccad9ce1e0982a0bba5bc667aa7dcc9df9beabf4f3a04cfe03eb

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000
content-encoding: br
last-modified: Wed, 29 Jan 2020 02:27:26 GMT
server: ESF
access-control-allow-origin: *
date: Wed, 29 Jan 2020 02:27:26 GMT
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
status: 200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
cache-control: private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
x-xss-protection: 0
expires: Wed, 29 Jan 2020 02:27:26 GMT

GET
H2 200 p.css
p.typekit.net/ 5 B
168 B 32ms
32ms Stylesheet
text/css 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://p.typekit.net/p.css?s=1&k=vyv2ljd&ht=tk&f=32224.32226.32227.32228.32230.32231.10875.32265&a=657783&app=typekit&e=css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
last-modified: Mon, 21 Oct 2019 19:51:00 GMT
server: nginx
access-control-allow-origin: *
etag: "5dae0c24-5"
content-type: text/css
status: 200
cache-control: max-age=604800
accept-ranges: bytes
content-length: 5
expires: Wed, 30 Oct 2019 04:50:36 GMT

GET
H2 200 p.css
p.typekit.net/ 5 B
168 B 34ms
34ms Stylesheet
text/css 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://p.typekit.net/p.css?s=1&k=xbn0btk&ht=tk&f=32226.32227.32230.32231.36619.36621.36623&a=9270210&app=typekit&e=css
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
last-modified: Mon, 21 Oct 2019 19:51:00 GMT
server: nginx
access-control-allow-origin: *
etag: "5dae0c24-5"
content-type: text/css
status: 200
cache-control: max-age=604800
accept-ranges: bytes
content-length: 5
expires: Wed, 30 Oct 2019 04:50:36 GMT

GET
H2 200 l
use.typekit.net/af/343335/00000000000000003b9b0ad0/27/ 16 KB
16 KB 22ms
21ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/343335/00000000000000003b9b0ad0/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n3&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 2e96bf761583273e370136ed0b934a38ad1e08b386accb37277252b37b9c9961

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "eedb93b5a9ba82f97df21a2548066c304a8baad8"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 16112

GET
H2 200 l
use.typekit.net/af/4b34d2/00000000000000003b9b0acf/27/ 16 KB
16 KB 23ms
22ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/4b34d2/00000000000000003b9b0acf/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=i4&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 7219936e6e56b9932b2f1dd06cfff09b655a729bb17d0aa6d757e14184512384

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "2d91046573f0e4458e7737f18f00bb9c13388e11"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 16252

GET
H2 200 l
use.typekit.net/af/cb6232/00000000000000003b9b0ad8/27/ 15 KB
15 KB 33ms
32ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/cb6232/00000000000000003b9b0ad8/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n4&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 9607506688417bb09b8d6c29362c2fe29bc1b047b793cccddfce876d927fa57b

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "865da7d2ecc4da3cb6bd5574f01738cfc5c8bb11"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 15448

GET
H2 200 l
use.typekit.net/af/abc1c3/00000000000000003b9b0ac9/27/ 16 KB
16 KB 59ms
58ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/abc1c3/00000000000000003b9b0ac9/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n6&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 359197d1e7ab63fe678db88914f31f1f9f6a37bd182e0de565fc7a68302a1f50

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "8c3ee2b4e977df4e0f73e1b985c24fba9611fc49"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 16652

GET
H2 200 l
use.typekit.net/af/62203f/00000000000000003b9b0ac8/27/ 17 KB
17 KB 107ms
106ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/62203f/00000000000000003b9b0ac8/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=i7&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 66b4fac9494bbeda177f4637fa3e7423fc8ef54b11a6875e68cdf3e472293b2a

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "7b5be73a29b093f7ae3c099f5a521c9274f6db28"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 17148

GET
H2 200 l
use.typekit.net/af/19a2f0/00000000000000003b9b0ac7/27/ 16 KB
16 KB 154ms
153ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/19a2f0/00000000000000003b9b0ac7/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n7&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 97829f8a6f2a471117ed06d0b06a81d543b091a262192369c531380779148c5c

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "b9e1ecdf0fe601a7e9dfc362b400290203e7b31c"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 16456

GET
H2 200 l
use.typekit.net/af/cfbead/0000000000000000000146b3/27/ 23 KB
23 KB 202ms
201ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/cfbead/0000000000000000000146b3/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n4&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 365a7ca6f52df29efedfdac2e08a9d0f03e4e2122dd9a49803bf8dacd58480fc

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "122498e3424e674610da39fb441d661549879239"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 23248

GET
H2 200 l
use.typekit.net/af/f50d41/00000000000000003b9b2c84/27/ 15 KB
15 KB 249ms
248ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/f50d41/00000000000000003b9b2c84/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n3&v=3
Requested by: Host: use.typekit.net
URL: https://use.typekit.net/vyv2ljd.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 765097740b7490e6ab6a2d8624199ab7b147e8c6cec064b6cce257750fdb1985

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "13c2813ff67959226aaa4eccfcdd1399bd756b8d"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 15336

GET
H2 200 bg-error404-page.jpg
www.cybereason.com/hubfs/Cybereason%20Images/ 200 KB
200 KB 34ms
33ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Cybereason%20Images/bg-error404-page.jpg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 395e07ceb90e0b44b76f21cec5d6086767a18065b1c357627e8fb4fa308c0f00

Request headers

Referer: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5456085634/1578413166577/Custom/page/web_page_basic/cr-error-page-style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 32c8da10203574baccb74b8f771a7ffb.cloudfront.net (CloudFront)
cf-cache-status: HIT
x-amz-meta-cache-tag: F-5457620702,FD-5168280605,P-3354902,FLS-ALL
age: 60886
cf-polished: qual=85, origFmt=jpeg, origSize=517307
edge-cache-tag: F-5457620702,FD-5168280605,P-3354902,FLS-ALL
status: 200
content-length: 204310
content-disposition: inline; filename="bg-error404-page.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 53
x-amz-request-id: E882CB7445BCED40
x-amz-id-2: ygcbhlSRDV/B08N5arLR8qg4dxGgNWVEAgCIM6KEcORxdHvoRdIQ+CmDeYn03rfG3qwBBlfSZ6o=
x-cache: Miss from cloudfront
last-modified: Thu, 30 Nov 2017 17:56:47 GMT
server: cloudflare
etag: "c0ed9ccf6154ef72e424414558ef3b98"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1814400, max-age=1209600, stale-while-revalidate=900
x-amz-version-id: 3sZvkA0WN_zLFquoh9UZIjWdA6cfsUJi
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
cf-ray: 55c7c45a2cc2c290-FRA
x-amz-cf-id: 3ZpYECjJa_uV7RNROoHifzEz1_XXZWRS4Q3CupOcwZLbJWrYjSpmYw==
cf-bgj: imgq:85

GET
H2 200 AndaleMonoMTStd.woff
cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/ 17 KB
18 KB 477ms
463ms Font
application/font-woff 2606:4700::6811:f3cc
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/AndaleMonoMTStd.woff
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:f3cc , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 0f469248695d5b0f09feac08e6f219ef58cc81b64c4f0d4869b5b0d578ff1fe1

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/cybereason-custom-style.min.css
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 70ee39257364131aeb08a57b30a5dfb4.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-5354893296,P-3354902,FLS-ALL
x-amz-request-id: 4C9F7603DBA23400
edge-cache-tag: F-5354893296,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 43
content-encoding: gzip
content-type: application/font-woff
x-amz-id-2: VaM7HPDxisyJGM6XhO/jGz7+di+3mLZMZ/QEXxVNjr53TKa5382jygU9RAnUOX332lYeb+ycFOs=
access-control-allow-origin: *
last-modified: Sun, 08 Oct 2017 14:13:02 GMT
server: cloudflare
etag: W/"f7380ca97f617dd2c8430b741b02fbd9"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
x-amz-version-id: J9b6f7GJD_pDbFc6Mhjyo1CbL0.9Btnw
x-amz-meta-edge-cache-tag: F-5354893296,FD-5348465397,P-3354902
cache-control: s-maxage=1209600, max-age=1209600
x-amz-cf-pop: BRU50-C1
cf-ray: 55c7c45a3f502760-FRA
x-amz-cf-id: xrQfmHkdqsE2f4kS1U8b6yaW34iKJ3GE9dg66rQAH3ymccL1PyYDHw==

GET
H2 200 fontawesome-webfont.woff2
cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/fonts/ 75 KB
76 KB 27ms
11ms Font
application/octet-stream 2606:4700::6811:4004
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6811:4004 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

Security Headers

Name	Value
Strict-Transport-Security	max-age=15780000; includeSubDomains

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
cf-cache-status: HIT
age: 7759073
cf-ray: 55c7c45a3d63bebf-FRA
status: 200
strict-transport-security: max-age=15780000; includeSubDomains
alt-svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
content-length: 77160
last-modified: Thu, 17 May 2018 09:19:53 GMT
server: cloudflare
etag: "5afd4939-12d68"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: application/octet-stream
access-control-allow-origin: *
expires: Mon, 18 Jan 2021 02:27:26 GMT
cache-control: public, max-age=30672000
accept-ranges: bytes
timing-allow-origin: *
served-in-seconds: 0.001

GET
H2 200 -F6qfjptAgt5VM-kVkqdyU8n3twJwlBFgsAXHNk.woff2
fonts.gstatic.com/s/ibmplexmono/v5/ 9 KB
9 KB 7ms
6ms Font
font/woff2 2a00:1450:4001:821::2003
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.gstatic.com/s/ibmplexmono/v5/-F6qfjptAgt5VM-kVkqdyU8n3twJwlBFgsAXHNk.woff2

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

2636433c714d8841c786ad69af6792be0bf2c3adbf9b6c8ad00f00ead91343ee

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://fonts.googleapis.com/css?family=IBM+Plex+Mono:400,500,700&display=swap
Origin: https://www.cybereason.com

Response headers

date: Fri, 10 Jan 2020 02:56:57 GMT
x-content-type-options: nosniff
last-modified: Tue, 16 Jul 2019 02:44:30 GMT
server: sffe
age: 1639829
content-type: font/woff2
status: 200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
cache-control: public, max-age=31536000
accept-ranges: bytes
timing-allow-origin: *
access-control-allow-origin: *
content-length: 9196
x-xss-protection: 0
expires: Sat, 09 Jan 2021 02:56:57 GMT

GET
H2 200 -F63fjptAgt5VM-kVkqdyU8n1i8q131nj-o.woff2
fonts.gstatic.com/s/ibmplexmono/v5/ 9 KB
9 KB 6ms
6ms Font
font/woff2 2a00:1450:4001:821::2003
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.gstatic.com/s/ibmplexmono/v5/-F63fjptAgt5VM-kVkqdyU8n1i8q131nj-o.woff2

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

ec9150bbfa679b0584ac28c6a6d58993a3b500794c60d5398ee4ce3680963088

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://fonts.googleapis.com/css?family=IBM+Plex+Mono:400,500,700&display=swap
Origin: https://www.cybereason.com

Response headers

date: Thu, 23 Jan 2020 06:22:34 GMT
x-content-type-options: nosniff
last-modified: Tue, 16 Jul 2019 03:36:14 GMT
server: sffe
age: 504292
content-type: font/woff2
status: 200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
cache-control: public, max-age=31536000
accept-ranges: bytes
timing-allow-origin: *
access-control-allow-origin: *
content-length: 9216
x-xss-protection: 0
expires: Fri, 22 Jan 2021 06:22:34 GMT

GET
H2 200 bg-recentBlog.jpg
www.cybereason.com/hubfs/Cybereason%20Images/ 34 KB
34 KB 27ms
26ms Image
image/webp 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Cybereason%20Images/bg-recentBlog.jpg
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 6f6f1e322dd95cc7cda0acad6c83acc225c2fbc839ae1965a8d23e2bad813bec

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 cdb2dba3874dd4d7b53213b8c63a0997.cloudfront.net (CloudFront)
cf-cache-status: HIT
x-amz-meta-cache-tag: F-5456142487,FD-5168280605,P-3354902,FLS-ALL
age: 1017961
cf-polished: qual=85, origFmt=jpeg, origSize=125043
edge-cache-tag: F-5456142487,FD-5168280605,P-3354902,FLS-ALL
status: 200
content-length: 34304
content-disposition: inline; filename="bg-recentBlog.webp"
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 98D7B96B6B33F5EC
x-amz-id-2: +OaCN7EUvCY1mMgokp3fVSSBreYVz5J2WyqrFBs0SuW8BVIPa/vv8BefwJawnvpsh/TZXevggPs=
x-cache: Miss from cloudfront
last-modified: Thu, 30 Nov 2017 00:36:23 GMT
server: cloudflare
etag: "e6ab33efe3071ee7e0b1c97db6deeb21"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept, Accept-Encoding
content-type: image/webp
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: ho7dHVpJZUHH_q0OULkqpfhQfpeE5J46
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
cf-ray: 55c7c45a4ceec290-FRA
x-amz-cf-id: h8T11tclt1lSCL1EWQWUbej3b3E6qiDhfu1i5WVDcuNGq6wSxeY4gA==
cf-bgj: imgq:85

GET
H2 200 featured-overlay.png
www.cybereason.com/hubfs/Blog%20Feature%20Images/ 165 KB
166 KB 154ms
153ms Image
image/png 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.cybereason.com/hubfs/Blog%20Feature%20Images/featured-overlay.png
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 6bea2f9a81ff3f3fbbf2ec0a87e55d9f3ac4f0175c2c8be4db3aef9ac3d5a4f4

Request headers

Referer: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/cybereason-custom-style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 a7dcca466407f1871feceef50bc84272.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-5462123206,FD-5339435640,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
cf-polished: status=not_needed
edge-cache-tag: F-5462123206,FD-5339435640,P-3354902,FLS-ALL
status: 200
content-length: 169104
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 605B1C0E9942A80E
x-amz-id-2: pr3TSyPualirHJoimmIdW54dx3WtuY+MLn9vjo1B19xlvZwCFPncDHpxN+kRh/dNA+lLjEf7JR8=
last-modified: Mon, 04 Dec 2017 21:20:34 GMT
server: cloudflare
etag: "d0df19a6304235f7db891e67ceec2f0e"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: image/png
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: Hc5Bj7HcwoRhwKWqkaF4P6ee537gYNei
accept-ranges: bytes
cf-ray: 55c7c45a4cefc290-FRA
x-amz-cf-id: FoK8JKOPe0x_pdzZLE1s3hIm4LotGPktvj-mn4F8B4_1UfxY8isY8g==
cf-bgj: imgq:85

GET
H2 200 l
use.typekit.net/af/f2e356/00000000000000003b9b0ef5/27/ 35 KB
35 KB 226ms
225ms Font
application/font-woff2 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://use.typekit.net/af/f2e356/00000000000000003b9b0ef5/27/l?primer=7cdcb44be4a7db8877ffa5c0007b8dd865b3bbc383831fe2ea177f62257a9191&fvd=n5&v=3
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 9af256cb88b39b1a3b6e36b50a7d7f3215db54331371bb53ed698450672ddcc8

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://use.typekit.net/xbn0btk.css
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
server: nginx
access-control-allow-origin: *
etag: "a0f0ee5943ccfb765480534c9add4201dba5a006"
content-type: application/font-woff2
status: 200
cache-control: public, max-age=31536000
timing-allow-origin: *
content-length: 35932

GET
H2 200 cybereason-arrow.woff2
www.cybereason.com/hubfs/Fonts/ 2 KB
3 KB 448ms
447ms Font
application/font-woff2 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/hubfs/Fonts/cybereason-arrow.woff2
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: bcaf54bc46707931d5bcfd93e5b1ac50a518dabb1748fb5155353b392f11c2f8

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/cybereason-custom-style.min.css
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 8e04f5d6c745b231c10fce7c2aa9c70f.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-20974772751,FD-5167100825,P-3354902,FLS-ALL
x-amz-cf-pop: FRA6-C1
edge-cache-tag: F-20974772751,FD-5167100825,P-3354902,FLS-ALL
status: 200
content-length: 2200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 52
x-amz-request-id: 7AA65B772FFDB9FB
x-amz-id-2: oRrsvZtc+qntzAnupOeXWbSyaEJBo0wWMORVoXqoLNRceNlaTWSicQJISIA6hWpRZ1hMuniiTzI=
last-modified: Tue, 12 Nov 2019 18:05:03 GMT
server: cloudflare
etag: "28fb154fbabe25f37ef8bd98ec057a51"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
content-type: application/font-woff2
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-version-id: nxxFbRZiJ0l5.6jBTiMaZGgmevb8x6Rg
accept-ranges: bytes
cf-ray: 55c7c45a4cf0c290-FRA
x-amz-cf-id: ejYCVDdKCsgWR6scMPzU5-_k31LolU8cLNc9YVoHTmy6D8w_UWILUg==

GET
H2

200

DINNextLTPro-Condensed.woff
cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/
Redirect Chain

https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/Fonts/DINNextLTPro-Condensed.woff
https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/DINNextLTPro-Condensed.woff

50 KB
50 KB

256ms
255ms

Font
application/font-woff

2606:4700::6811:f3cc
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/DINNextLTPro-Condensed.woff
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:f3cc , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 23f1642566a05cb03e274dc86697ad111e2eebd281460d7baf012969cbd6dd48

Request headers

Referer: https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/5348736541/1580220491334/Custom/page/web_page_basic/cybereason-custom-style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:27 GMT
via: 1.1 14ab6568bfe30e99a79da2a071b3e971.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-meta-cache-tag: F-5348741226,P-3354902,FLS-ALL
x-amz-request-id: 8DF6537ABA9017C6
edge-cache-tag: F-5348741226,P-3354902,FLS-ALL
status: 200
x-cache: Miss from cloudfront
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 43
content-encoding: gzip
content-type: application/font-woff
x-amz-id-2: 0woTNhBBZ6wNFl03Rj7q192g22oCfDN9+/MXlaKLeCyo99K4nvEqxc2z/wrijFN5tZkQxPR2JJE=
last-modified: Sun, 08 Oct 2017 14:12:39 GMT
server: cloudflare
etag: W/"f3bc90874b45af93dab5767ed612b532"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
x-amz-version-id: N0t6eOhSd.ZlNx0Dpg9P2c87WimFjoU1
access-control-allow-origin: *
cache-control: s-maxage=1209600, max-age=1209600
x-amz-cf-pop: AMS1
cf-ray: 55c7c45d3fff2760-FRA
x-amz-cf-id: YPeI36yK9xsTcbVXdAfyK5RBiqFAmRYoCYX7LtGfpFY4CS1SFEzqCg==

Redirect headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 96ab38d99b79d57e5c7e9b8a07c0fad3.cloudfront.net (CloudFront)
cf-cache-status: EXPIRED
x-amz-cf-pop: FRA2-C1
x-cache: Miss from cloudfront
status: 301
x-hs-cf-lambda: us-east-1.setCacheTagHeaders 53
x-amz-request-id: C0783819A5DF45B3
x-amz-id-2: ypjAooRq4/M1FPsU2Vuzs3Ej/lSI6wExf5jnAGtQU46zFu1Lx8E0IoDKdXRMW95pj5MgRRtjxkc=
access-control-allow-origin: *
server: cloudflare
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
location: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Files/fonts/DINNextLTPro-Condensed.woff
cache-control: s-maxage=7200, max-age=7200
content-length: 0
cf-ray: 55c7c45a4f522760-FRA
x-amz-cf-id: SFiJw2vcVbrJJsiv76BqxRX4PTf6zPeP6CIcIrJ0k0PgyHokIXg92A==

GET
H2 200 /
www.google.com/pagead/1p-user-list/934771702/ 42 B
119 B 19ms
19ms Image
image/gif 2a00:1450:4001:81b::2004
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/934771702/?random=1580264846333&cv=9&fst=1580263200000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=60&u_java=false&u_nplug=0&u_nmime=0&sendb=1&frm=0&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&fmt=3&is_vtc=1&random=2350621676&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81b::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:26 GMT
x-content-type-options: nosniff
content-type: image/gif
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/934771702/ 42 B
110 B 21ms
21ms Image
image/gif 2a00:1450:4001:824::2003
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/934771702/?random=1580264846333&cv=9&fst=1580263200000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=60&u_java=false&u_nplug=0&u_nmime=0&sendb=1&frm=0&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&fmt=3&is_vtc=1&random=2350621676&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:824::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:26 GMT
x-content-type-options: nosniff
content-type: image/gif
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H/1.1 200
OK pixel
tr.outbrain.com/ 43 B
333 B 347ms
87ms Image
image/gif 70.42.32.31
AS-OUTBRAIN

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://tr.outbrain.com/pixel?marketerId=0027b8e5e3241bf8cc1be75fc37da5a0b4&obApiVersion=1.1&obtpVersion=1.1.8&name=PAGE_VIEW&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&optOut=false&bust=011889197209179714

Requested by

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

70.42.32.31 , United States, ASN22075 (AS-OUTBRAIN, US),

Reverse DNS

ny.outbrain.com

Software

Resource Hash

33ca751ed175a163bef530ebdcdbd0a2d15997ccbcbf8d50a6f504e8ffac5a5c

Security Headers

Name	Value
Strict-Transport-Security	max-age=0; includeSubDomains;

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
Strict-Transport-Security: max-age=0; includeSubDomains;
Content-Type: image/gif;
Cache-Control: no-cache
Connection: close
X-TraceId: 2282b22a4a714d6b7a94cb555ac92a50
Content-Length: 60

GET
H/1.1 200
OK pixel
amplifypixel.outbrain.com/ 43 B
313 B 349ms
87ms Image
image/gif 64.202.112.95
AS-OUTBRAIN

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://amplifypixel.outbrain.com/pixel?mid=0027b8e5e3241bf8cc1be75fc37da5a0b4&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&bust=06223090529626489

Requested by

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

64.202.112.95 , United States, ASN22075 (AS-OUTBRAIN, US),

Reverse DNS

ny.outbrain.com

Software

Resource Hash

33ca751ed175a163bef530ebdcdbd0a2d15997ccbcbf8d50a6f504e8ffac5a5c

Security Headers

Name	Value
Strict-Transport-Security	max-age=0; includeSubDomains;

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:26 GMT
Cache-Control: no-cache
X-TraceId: 33fe0d90996b66a8eb2ae6cd098ab47
content-encoding: gzip
Content-Length: 60
Strict-Transport-Security: max-age=0; includeSubDomains;
Content-Type: image/gif;

GET
H2 200 116645602292181 Show response
connect.facebook.net/signals/config/ 447 KB
114 KB 67ms
66ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
FACEBOOK

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/116645602292181?v=2.9.15&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK, US),

Reverse DNS

Software

Resource Hash

2d0b8b695591b12e644193cb057434de9bf6671ccaadd3626a2052dc967cb558

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-24=":443"; ma=3600
x-xss-protection: 0
pragma: public
x-fb-debug: BtVXECMhsNyuoYgLEQCd89EQfNP13Bygkt0sgs999u3NWOSttECZeArburDV3CiGBD8IynrCyXfHPLsO1VARJw==
x-fb-trip-id: 1850256238
date: Wed, 29 Jan 2020 02:27:26 GMT, Wed, 29 Jan 2020 02:27:26 GMT
x-frame-options: DENY
content-type: application/x-javascript; charset=utf-8
vary: Accept-Encoding
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 leadflows.js Show response
js.hsleadflows.net/ 377 KB
61 KB 195ms
175ms Script
application/javascript 2606:4700::6811:e7cc
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://js.hsleadflows.net/leadflows.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/hs/scriptloader/3354902.js
Protocol: H2
Security: TLS 1.2, ECDHE_ECDSA, AES_128_GCM
Server: 2606:4700::6811:e7cc , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: b89b93e101854f7b0372d77035f9c2d6053298f27c02f83e5b107cc756ddf62c

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 429a03d32042afcc39a25586a483feb8.cloudfront.net (CloudFront)
cf-cache-status: REVALIDATED
x-amz-cf-pop: IAD89-C2
x-cache: Hit from cloudfront
status: 200
access-control-max-age: 3000
x-amz-replication-status: COMPLETED
content-encoding: br
content-type: application/javascript; charset=utf-8
last-modified: Thu, 23 Jan 2020 11:52:53 GMT
server: cloudflare
etag: W/"bd6209d758e3216b8a1194c86b5600ff"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding,Origin,Access-Control-Request-Headers,Access-Control-Request-Method
access-control-allow-methods: GET
x-amz-version-id: iLG7GM.AEUF7.PrqBQXdNiO0wv3O9AYh
access-control-allow-origin: *
cache-control: max-age=600
cf-ray: 55c7c45af9d4d70d-FRA
x-amz-cf-id: jZX5vjOUUrAPJn-lZER6v5hWMgVeB3sAREESXOBiG4ReVKaGD0124A==

GET
H2 200 fb.js Show response
js.hsadspixel.net/ 4 KB
2 KB 28ms
12ms Script
application/javascript 2606:4700::6811:73b0
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://js.hsadspixel.net/fb.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/hs/scriptloader/3354902.js
Protocol: H2
Security: TLS 1.2, ECDHE_ECDSA, AES_128_GCM
Server: 2606:4700::6811:73b0 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: cbc6e6e201648a797a1a70459fb94149e8245fcac93a066963cbb08cb7f08ae3

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
via: 1.1 6c2e384f59feb64a0c739aee7f890066.cloudfront.net (CloudFront)
cf-cache-status: HIT
age: 314
x-cache: Hit from cloudfront
status: 200
x-amz-replication-status: COMPLETED
content-encoding: gzip
x-amz-version-id: wLHxFQo4.UHGjY7LpiTI8YXD7oOxmPVx
last-modified: Tue, 28 Jan 2020 02:00:46 GMT
server: cloudflare
etag: W/"a3c820f15fc2d32ccf32bcded41dc23b"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: application/javascript; charset=utf-8
cache-control: max-age=600
x-amz-cf-pop: IAD89-C2
cf-ray: 55c7c45af9efc2ae-FRA
x-amz-cf-id: 9nvnk-YsYyQTtfVZG1A5voAEc2k1IzKzfGRgcRCYQpoXdREvG-5peQ==

GET
H2 200 3354902.js Show response
js.hs-analytics.net/analytics/1580264700000/ 76 KB
26 KB 150ms
126ms Script
text/javascript 2606:4700::6811:44b0
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://js.hs-analytics.net/analytics/1580264700000/3354902.js
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/hs/scriptloader/3354902.js
Protocol: H2
Security: TLS 1.2, ECDHE_ECDSA, AES_128_GCM
Server: 2606:4700::6811:44b0 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: bb89b9243e1a24adb734a4863b878f581594972d6e920261683844fb3fc8c12c

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: gzip
cf-cache-status: MISS
x-amz-request-id: E7FD165E544FC24A
status: 200
content-type: text/javascript
x-amz-id-2: 9cZOJTVWobmpmbfiV7/QPE5929VpZQBd0VAXQFFP4GD2RzqabY9jCaPsrI7bEYfKh6r+ll5wpXA=
last-modified: Tue, 21 Jan 2020 15:45:12 GMT
server: cloudflare
etag: W/"b2c0d0695f5b6b12170758de1bc10726"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
x-amz-version-id: null
cache-control: max-age=300, public
access-control-allow-credentials: false
cf-ray: 55c7c45b0987d72d-FRA
expires: Wed, 29 Jan 2020 02:32:26 GMT

GET
H2 200 modules.9ad849c74ae56ab50f63.js Show response
script.hotjar.com/ 401 KB
70 KB 49ms
15ms Script
application/javascript 147.75.84.91
PACKET

General

Check archive.org

Show headers Download Go to

Full URL: https://script.hotjar.com/modules.9ad849c74ae56ab50f63.js
Requested by: Host: static.hotjar.com
URL: https://static.hotjar.com/c/hotjar-704918.js?sv=6
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 147.75.84.91 Parsippany, United States, ASN54825 (PACKET, US),
Reverse DNS
Software: /
Resource Hash: 5bab148520bb9b4b911f4da5ab8fd2c4a32333142fa835aaa645d6094396aab4

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
content-encoding: br
content-type: application/javascript
age: 42476
status: 200
section-io-cache: Hit
content-length: 71256
last-modified: Tue, 28 Jan 2020 14:35:53 GMT
etag: "1d20895803c0fbc2ae7dc220b20b6a79"
vary: Accept-Encoding
section-io-origin-status: 200
access-control-allow-origin: *
cache-control: max-age=31536000
section-io-origin-time-seconds: 0.081
accept-ranges: bytes
section-io-id: 8b2afe25c628052fedc0b2ce25c42416
section-origin-responded: true

GET
H2 200 box-b736908ce6b0e933fad3a2e45df61b38.html
vars.hotjar.com/ Frame EA48 0
0 44ms
14ms Document
text/html 147.75.84.39
PACKET

General

Check archive.org

Show headers Download Go to

Full URL: https://vars.hotjar.com/box-b736908ce6b0e933fad3a2e45df61b38.html
Requested by: Host: static.hotjar.com
URL: https://static.hotjar.com/c/hotjar-704918.js?sv=6
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 147.75.84.39 Parsippany, United States, ASN54825 (PACKET, US),
Reverse DNS
Software: /
Resource Hash

Request headers

:method: GET
:authority: vars.hotjar.com
:scheme: https
:path: /box-b736908ce6b0e933fad3a2e45df61b38.html
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
sec-fetch-mode: nested-navigate
referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor

Response headers

status: 200
date: Wed, 29 Jan 2020 02:27:26 GMT
content-type: text/html
content-length: 808
last-modified: Fri, 24 Jan 2020 09:28:03 GMT
etag: "ed7551919779fd07dbfe6d776c643379"
cache-control: max-age=31536000
content-encoding: br
section-io-origin-status: 200
section-io-origin-time-seconds: 0.134
section-origin-responded: true
age: 200234
vary: Accept-Encoding
section-io-cache: Hit
accept-ranges: bytes
section-io-id: b5d5d195492e6938203b8eaaed7441d2

GET
H2 200 /
www.facebook.com/tr/ 44 B
360 B 17ms
6ms Image
image/gif 2a03:2880:f11c:8183:face:b00c:0:25de
FACEBOOK

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.facebook.com/tr/?id=116645602292181&ev=PageView&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&rl=&if=false&ts=1580264846641&sw=1600&sh=1200&v=2.9.15&r=stable&ec=0&o=30&fbp=fb.1.1580264846640.471943334&it=1580264846485&coo=false&rqm=GET

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK, US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT, Wed, 29 Jan 2020 02:27:26 GMT
last-modified: Fri, 21 Dec 2012 00:00:01 GMT
server: proxygen-bolt
strict-transport-security: max-age=31536000; includeSubDomains
content-type: image/gif
status: 200
cache-control: no-cache, must-revalidate, max-age=0
alt-svc: h3-24=":443"; ma=3600
content-length: 44
expires: Wed, 29 Jan 2020 02:27:26 GMT

GET
H2 200 p.gif
p.typekit.net/ 35 B
201 B 27ms
27ms Image
image/gif 104.111.215.74
AKAMAI-AS

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://p.typekit.net/p.gif?s=1&k=vyv2ljd&ht=tk&h=www.cybereason.com&f=32224.32226.32227.32228.32230.32231.10875.32265&a=657783&js=1.19.2&app=typekit&e=js&_=1580264846871
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.111.215.74 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS: a104-111-215-74.deploy.static.akamaitechnologies.com
Software: nginx /
Resource Hash: 9b9265c69a5cc295d1ab0d04e0273b3677db1a6216ce2ccf4efc8c277ed84b39

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:26 GMT
last-modified: Fri, 18 Oct 2019 21:34:09 GMT
server: nginx
access-control-allow-origin: *
etag: "5daa2fd1-23"
content-type: image/gif
status: 200
cache-control: max-age=604800
accept-ranges: bytes
content-length: 35
expires: Wed, 30 Oct 2019 03:12:45 GMT

GET
H/1.1

200
OK

tagjs Show response
pixel-geo.prfct.co/
Redirect Chain

https://pixel-geo.prfct.co/tagjs?a_id=71641&source=js_tag
https://pixel-geo.prfct.co/tagjs?check_cookie=1&a_id=71641&source=js_tag

107 B
436 B

29ms
29ms

Script
text/javascript

34.252.172.232
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL: https://pixel-geo.prfct.co/tagjs?check_cookie=1&a_id=71641&source=js_tag
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.252.172.232 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-34-252-172-232.eu-west-1.compute.amazonaws.com
Software: /
Resource Hash: 793fc397fef7e49522e43e020655cf3647b690848c0a2da1669912083a7f1680

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Type: text/javascript
Content-Length: 107
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

Redirect headers

Location: https://pixel-geo.prfct.co/tagjs?check_cookie=1&a_id=71641&source=js_tag
Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Length: 0
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

GET
H/1.1

200
OK

tracking.png
tracking.leadlander.com/
Redirect Chain

https://tracking.leadlander.com/api/tracking?accountId=27717&page=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware...
https://tracking.leadlander.com/tracking.png

68 B
347 B

103ms
103ms

Image
image/png

52.21.56.60
AMAZON-AES

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://tracking.leadlander.com/tracking.png

Requested by

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

52.21.56.60 Ashburn, United States, ASN14618 (AMAZON-AES, US),

Reverse DNS

ec2-52-21-56-60.compute-1.amazonaws.com

Software

Kestrel /

Resource Hash

69539b5b3777cffda28a66d7f2aa9b17c91ee1ec8fd50c00c442af91753a60f7

Security Headers

Name	Value
Strict-Transport-Security	max-age=2592000

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:26 GMT
Last-Modified: Wed, 26 Sep 2018 16:48:51 GMT
Server: Kestrel
ETag: "1d455b8cd761bc4"
Strict-Transport-Security: max-age=2592000
Content-Type: image/png
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 68

Redirect headers

Location: /tracking.png
Date: Wed, 29 Jan 2020 02:27:26 GMT
Server: Kestrel
Connection: keep-alive
Content-Length: 0
Strict-Transport-Security: max-age=2592000

GET
H2

200

adsct
analytics.twitter.com/i/
Redirect Chain

https://pixel-geo.prfct.co/cs/?partnerId=twtr
https://analytics.twitter.com/i/adsct?p_id=48571&p_user_id=pa_RBXx9dGQdRmB9V4io

43 B
557 B

226ms
132ms

Image
image/gif

104.244.42.195
TWITTER

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://analytics.twitter.com/i/adsct?p_id=48571&p_user_id=pa_RBXx9dGQdRmB9V4io

Requested by

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.195 , United States, ASN13414 (TWITTER, US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:27 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 65
x-xss-protection: 0
x-response-time: 111
pragma: no-cache
last-modified: Wed, 29 Jan 2020 02:27:27 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: 9acf76c477d197b8d374811f21acfd06
x-transaction: 002227bd0079617e
expires: Tue, 31 Mar 1981 05:00:00 GMT

Redirect headers

Location: https://analytics.twitter.com/i/adsct?p_id=48571&p_user_id=pa_RBXx9dGQdRmB9V4io
Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Length: 0
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

GET
H/1.1

200
OK

cb
pixel.prfct.co/
Redirect Chain

https://pixel-geo.prfct.co/cs/?partnerId=yah
https://ads.yahoo.com/cms/v1?nwid=10001073209&eid=pa_RBXx9dGQdRmB9V4io&sigv=1&esig=2~3a7eb07647aa89322a772d2d5457ecca4c0c4fa1
https://pixel.prfct.co/cb?partnerId=yah&xid=E0&eid=pa_RBXx9dGQdRmB9V4io

43 B
460 B

467ms
107ms

Image
image/gif

34.206.200.99
AMAZON-AES

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://pixel.prfct.co/cb?partnerId=yah&xid=E0&eid=pa_RBXx9dGQdRmB9V4io
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.206.200.99 Ashburn, United States, ASN14618 (AMAZON-AES, US),
Reverse DNS: ec2-34-206-200-99.compute-1.amazonaws.com
Software: /
Resource Hash: a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Type: image/gif
Content-Length: 43
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

Redirect headers

Date: Wed, 29 Jan 2020 02:27:27 GMT
X-Content-Type-Options: nosniff
Server: ATS
Age: 0
Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
Strict-Transport-Security: max-age=31536000
P3P: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Location: https://pixel.prfct.co/cb?partnerId=yah&xid=E0&eid=pa_RBXx9dGQdRmB9V4io
Connection: keep-alive
Content-Length: 0
X-XSS-Protection: 1; mode=block

GET
H2

200

sd
us-u.openx.net/w/1.0/
Redirect Chain

https://pixel-geo.prfct.co/cs/?partnerId=opx
https://us-u.openx.net/w/1.0/sd?id=537114372&val=pa_RBXx9dGQdRmB9V4io
https://us-u.openx.net/w/1.0/sd?cc=1&id=537114372&val=pa_RBXx9dGQdRmB9V4io

43 B
183 B

30ms
30ms

Image
image/gif

34.95.120.147
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://us-u.openx.net/w/1.0/sd?cc=1&id=537114372&val=pa_RBXx9dGQdRmB9V4io
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.95.120.147 , United States, ASN15169 (GOOGLE, US),
Reverse DNS: 147.120.95.34.bc.googleusercontent.com
Software: OXGW/16.174.0 /
Resource Hash: 4e0705327480ad2323cb03d9c450ffcae4a98bf3a5382fa0c7882145ed620e49

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:27 GMT
via: 1.1 google
server: OXGW/16.174.0
vary: Accept
p3p: CP="CUR ADM OUR NOR STA NID"
status: 200
cache-control: private, max-age=0, no-cache
content-type: image/gif
alt-svc: clear
content-length: 43
expires: Mon, 26 Jul 1997 05:00:00 GMT

Redirect headers

date: Wed, 29 Jan 2020 02:27:27 GMT
via: 1.1 google
server: OXGW/16.174.0
location: https://us-u.openx.net/w/1.0/sd?cc=1&id=537114372&val=pa_RBXx9dGQdRmB9V4io
p3p: CP="CUR ADM OUR NOR STA NID"
status: 302
alt-svc: clear
content-length: 0

GET
H/1.1

204
No Content

tap.php
pixel.rubiconproject.com/
Redirect Chain

https://pixel-geo.prfct.co/cs/?partnerId=rbcn
https://pixel.rubiconproject.com/tap.php?v=189868&nid=4106&expires=30&put=pa_RBXx9dGQdRmB9V4io

0
239 B

109ms
26ms

Image
image/gif

69.173.144.136
RUBICONPROJECT

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://pixel.rubiconproject.com/tap.php?v=189868&nid=4106&expires=30&put=pa_RBXx9dGQdRmB9V4io
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, RSA, AES_256_GCM
Server: 69.173.144.136 Frankfurt am Main, Germany, ASN26667 (RUBICONPROJECT, US),
Reverse DNS
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Pragma: no-cache
Cache-Control: no-cache,no-store,must-revalidate
Content-Type: image/gif
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-RPHost: 3bafef7aa4e37890defcd73f0a080481
Expires: 0

Redirect headers

Location: https://pixel.rubiconproject.com/tap.php?v=189868&nid=4106&expires=30&put=pa_RBXx9dGQdRmB9V4io
Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Length: 0
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

GET
H/1.1

200
OK

cb
pixel-geo.prfct.co/
Redirect Chain

https://pixel-geo.prfct.co/cs/?partnerId=goo
https://cm.g.doubleclick.net/pixel?google_nid=nowspots_bidder&google_hm=cGFfUkJYeDlkR1FkUm1COVY0aW8
https://pixel-geo.prfct.co/cb?partnerId=goo

43 B
365 B

30ms
30ms

Image
image/gif

34.252.172.232
AMAZON-02

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://pixel-geo.prfct.co/cb?partnerId=goo
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.252.172.232 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-34-252-172-232.eu-west-1.compute.amazonaws.com
Software: /
Resource Hash: a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Type: image/gif
Content-Length: 43
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

Redirect headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:27 GMT
server: HTTP server (unknown)
location: https://pixel-geo.prfct.co/cb?partnerId=goo
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 302
cache-control: no-cache, must-revalidate
content-type: text/html; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 240
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H/1.1 200
OK /
pixel-geo.prfct.co/seg/ 43 B
365 B 178ms
115ms Image
image/gif 34.252.172.232
AMAZON-02

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://pixel-geo.prfct.co/seg/?add=8257847&source=js_tag&a_id=71641
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.252.172.232 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-34-252-172-232.eu-west-1.compute.amazonaws.com
Software: /
Resource Hash: a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Cache-Control: no-store, no-cache, private
Connection: keep-alive
Content-Type: image/gif
Content-Length: 43
P3P: CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

GET
H/1.1

200
OK

bounce
secure.adnxs.com/
Redirect Chain

https://secure.adnxs.com/seg?t=2&add=8257847
https://secure.adnxs.com/bounce?%2Fseg%3Ft%3D2%26add%3D8257847

43 B
1023 B

15ms
14ms

Image
image/gif

185.33.223.203
ASN-APPNEX

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://secure.adnxs.com/bounce?%2Fseg%3Ft%3D2%26add%3D8257847

Requested by

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_ECDSA, AES_128_GCM

Server

185.33.223.203 , Netherlands, ASN29990 (ASN-APPNEX, US),

Reverse DNS

317.bm-nginx-loadbalancer.mgmt.ams1.adnexus.net

Software

nginx/1.13.4 /

Resource Hash

4b5b6b15c6255109e06720cce42a06d3aead8b7874423d9c52cb0303212c25ef

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Pragma: no-cache
Date: Wed, 29 Jan 2020 02:27:29 GMT
AN-X-Request-Uuid: 2f4efbb6-6eb1-4a29-8efe-7f8660d193cb
Content-Type: image/gif
Server: nginx/1.13.4
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Access-Control-Allow-Origin: *
Cache-Control: no-store, no-cache, private
Access-Control-Allow-Credentials: true
Connection: keep-alive
X-Proxy-Origin: 85.159.237.66; 85.159.237.66; 317.bm-nginx-loadbalancer.mgmt.ams1; *.adnxs.com; 185.33.223.87:80
Content-Length: 43
X-XSS-Protection: 0
Expires: Sat, 15 Nov 2008 16:00:00 GMT

Redirect headers

Pragma: no-cache
Date: Wed, 29 Jan 2020 02:27:29 GMT
AN-X-Request-Uuid: 0dae0fc5-c07f-4aa6-b971-e5fec62a18f6
Content-Type: text/html; charset=utf-8
Server: nginx/1.13.4
Location: https://secure.adnxs.com/bounce?%2Fseg%3Ft%3D2%26add%3D8257847
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Access-Control-Allow-Origin: *
Cache-Control: no-store, no-cache, private
Access-Control-Allow-Credentials: true
Connection: keep-alive
X-Proxy-Origin: 85.159.237.66; 85.159.237.66; 317.bm-nginx-loadbalancer.mgmt.ams1; *.adnxs.com; 185.33.220.27:80
Content-Length: 0
X-XSS-Protection: 0
Expires: Sat, 15 Nov 2008 16:00:00 GMT

GET
H2 200 /
www.facebook.com/tr/ 44 B
147 B 7ms
6ms Image
image/gif 2a03:2880:f11c:8183:face:b00c:0:25de
FACEBOOK

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.facebook.com/tr/?id=116645602292181&ev=Microdata&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&rl=&if=false&ts=1580264847150&cd[DataLayer]=%5B%5D&cd[Meta]=%7B%22title%22%3A%22%22%2C%22meta%3Adescription%22%3A%22%22%7D&cd[OpenGraph]=%7B%22og%3Adescription%22%3A%22%22%2C%22og%3Atitle%22%3A%22%22%2C%22og%3Aurl%22%3A%22https%3A%2F%2Fwww.cybereason.com%2F404%22%7D&cd[Schema.org]=%5B%5D&cd[JSON-LD]=%5B%5D&sw=1600&sh=1200&v=2.9.15&r=stable&ec=1&o=30&fbp=fb.1.1580264846640.471943334&it=1580264846485&coo=false&es=automatic&tm=3&rqm=GET

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK, US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:27 GMT, Wed, 29 Jan 2020 02:27:27 GMT
last-modified: Fri, 21 Dec 2012 00:00:01 GMT
server: proxygen-bolt
strict-transport-security: max-age=31536000; includeSubDomains
content-type: image/gif
status: 200
cache-control: no-cache, must-revalidate, max-age=0
alt-svc: h3-24=":443"; ma=3600
content-length: 44
expires: Wed, 29 Jan 2020 02:27:27 GMT

GET
H2 200 analytics.js Show response
www.google-analytics.com/ 43 KB
17 KB 6ms
5ms Script
text/javascript 2a00:1450:4001:816::200e
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google-analytics.com/analytics.js

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:816::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a

Security Headers

Name	Value
Strict-Transport-Security	max-age=10886400; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

strict-transport-security: max-age=10886400; includeSubDomains; preload
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Mon, 19 Aug 2019 17:22:41 GMT
server: Golfe2
age: 2952
date: Wed, 29 Jan 2020 01:38:15 GMT
vary: Accept-Encoding
content-type: text/javascript
status: 200
cache-control: public, max-age=7200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 17803
expires: Wed, 29 Jan 2020 03:38:15 GMT

GET
H2 200 json Show response
api.hubapi.com/hs-script-loader-public/v1/config/ 23 B
590 B 662ms
640ms XHR
application/json 2606:4700::6811:c8cc
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://api.hubapi.com/hs-script-loader-public/v1/config/json?portalId=3354902

Requested by

Host: js.hsadspixel.net
URL: https://js.hsadspixel.net/fb.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6811:c8cc , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

f621a831fe6b7b75cd96e10eb4c80311fff6a3948e4905d12a22032d5ec59b48

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:28 GMT
vary: Accept-Encoding
cf-cache-status: DYNAMIC
status: 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-length: 23
server: cloudflare
x-trace: 2BCCD3A8181503481E5AC4C7E3A45ADBF6C8751DA1000000000000000000
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
access-control-max-age: 180
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
content-type: application/json;charset=utf-8
access-control-allow-origin: https://www.cybereason.com
access-control-allow-credentials: false
cf-ray: 55c7c462ac2297fc-FRA
access-control-allow-headers: *

GET
H2 200 __ptq.gif
track.hubspot.com/ 45 B
493 B 50ms
30ms Image
image/gif 2606:4700::6810:fb05
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://track.hubspot.com/__ptq.gif?k=1&sd=1600x1200&cd=24-bit&cs=UTF-8&ln=en-us&bfp=643011938&v=1.1&a=3354902&ct=standard-page&ccu=https%3A%2F%2Fwww.cybereason.com%2F404&lvc=en&pu=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&cts=1580264847766&vi=9973c9cbd05cccf2ec89d79cad823281&nc=true&u=85683782.9973c9cbd05cccf2ec89d79cad823281.1580264847757.1580264847757.1580264847757.1&b=85683782.1.1580264847758&pt=0

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6810:fb05 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

dc111a70984a9eda00752b06277113029ef288f1125c31eff2477413e15e8aa4

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:27 GMT
cf-cache-status: DYNAMIC
server: cloudflare
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
p3p: CP="NOI CUR ADM OUR NOR STA NID"
status: 200
cache-control: no-cache, no-store, no-transform
access-control-allow-credentials: false
strict-transport-security: max-age=31536000; includeSubDomains; preload
cf-ray: 55c7c462bd1adffb-FRA
content-type: image/gif
content-length: 45
x-robots-tag: none

GET
H2

200

ga-audiences
www.google.de/ads/
Redirect Chain

https://www.google-analytics.com/r/collect?v=1&_v=j79&a=600435042&t=pageview&_s=1&dl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-n...
https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_gid=1401977510.1580264848&gjid=1094317344&_v=j79&z=1977197227
https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227&slf_rd=1&random=2678009514

42 B
109 B

17ms
17ms

Image
image/gif

2a00:1450:4001:824::2003
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227&slf_rd=1&random=2678009514

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:824::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:27 GMT
x-content-type-options: nosniff
content-type: image/gif
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma: no-cache
date: Wed, 29 Jan 2020 02:27:27 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
location: https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-56367941-1&cid=1090695643.1580264848&jid=1924893207&_v=j79&z=1977197227&slf_rd=1&random=2678009514
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 302
cache-control: no-cache, no-store, must-revalidate
content-type: text/html; charset=UTF-8
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 0
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 json Show response
forms.hubspot.com/lead-flows-config/v1/config/ 2 KB
1 KB 675ms
658ms XHR
application/json 2606:4700::6810:f905
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://forms.hubspot.com/lead-flows-config/v1/config/json?portalId=3354902&utk=9973c9cbd05cccf2ec89d79cad823281&__hstc=85683782.9973c9cbd05cccf2ec89d79cad823281.1580264847757.1580264847757.1580264847757.1&__hssc=85683782.1.1580264847758&currentUrl=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor

Requested by

Host: js.hsleadflows.net
URL: https://js.hsleadflows.net/leadflows.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6810:f905 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

8a1450f1c08822406d80ecfcac0ec1ce4c21fba0f774b76b48ea9492683590b6

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com

Response headers

date: Wed, 29 Jan 2020 02:27:28 GMT
content-encoding: br
vary: Accept-Encoding
cf-cache-status: DYNAMIC
cf-ray: 55c7c462d91bd729-FRA
status: 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: cloudflare
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
access-control-max-age: 180
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
content-type: application/json;charset=utf-8
access-control-allow-origin: https://www.cybereason.com
cache-control: max-age=0, no-cache, no-store
access-control-allow-credentials: false
x-robots-tag: none
access-control-allow-headers: Accept, Accept-Charset, Accept-Encoding, Accept-Language, Content-Type, Host, Origin, Referer, User-Agent

GET
H/1.1 200
OK insight.min.js Show response
snap.licdn.com/li.lms-analytics/ 3 KB
2 KB 21ms
6ms Script
application/x-javascript 2a02:26f0:6c00:28c::25ea
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL: https://snap.licdn.com/li.lms-analytics/insight.min.js
Requested by: Host: js.hsadspixel.net
URL: https://js.hsadspixel.net/fb.js
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_256_GCM
Server: 2a02:26f0:6c00:28c::25ea , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software: /
Resource Hash: 41dd5e421fe221a7d2921d6fa2b36e8b01a9f2c054aaef5fad866fe896c1d1e0

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

Date: Wed, 29 Jan 2020 02:27:28 GMT
Content-Encoding: gzip
Last-Modified: Mon, 07 Oct 2019 16:41:31 GMT
X-CDN: AKAM
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=utf-8
Cache-Control: max-age=55497
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 1576

GET
H2

200

collect
px.ads.linkedin.com/
Redirect Chain

https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Cc...
https://www.linkedin.com/px/li_sync?redirect=https%3A%2F%2Fpx.ads.linkedin.com%2Fcollect%3Fv%3D2%26fmt%3Djs%26pid%3D994281%26url%3Dhttps%253A%252F%252Fwww.cybereason.com%252Fblog%252Fthreat-actor-t...
https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Cc...

0
58 B

108ms
107ms

Image
application/javascript

2a05:f500:10:101::b93f:9105
LINKEDIN

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&time=1580264848449&liSync=true
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 2a05:f500:10:101::b93f:9105 , Ireland, ASN14413 (LINKEDIN, US),
Reverse DNS
Software: Play /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:28 GMT
server: Play
linkedin-action: 1
x-li-fabric: prod-lva1
status: 200
x-li-proto: http/2
x-li-pop: prod-efr5
content-type: application/javascript
content-length: 0
x-li-uuid: gqkd4IE67hWQgV4kvyoAAA==

Redirect headers

date: Wed, 29 Jan 2020 02:27:28 GMT
x-content-type-options: nosniff
linkedin-action: 1
status: 302
strict-transport-security: max-age=2592000
content-length: 0
x-li-uuid: uSlX2oE67hXg/76UbCsAAA==
server: Play
pragma: no-cache
x-li-pop: prod-tln1
expect-ct: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"
x-frame-options: sameorigin
x-li-fabric: prod-lva1
location: https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=994281&url=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&time=1580264848449&liSync=true
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store
content-security-policy: default-src *; connect-src 'self' https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com https://dpm.demdex.net/id https://lnkd.demdex.net/event blob: static.licdn.com static-exp1.licdn.com static-exp2.licdn.com static-exp3.licdn.com media.licdn.com media-exp1.licdn.com media-exp2.licdn.com media-exp3.licdn.com; img-src data: blob: *; font-src data: *; style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com; script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com https://snap.licdn.com/li.lms-analytics/insight.min.js platform.linkedin.com platform-akam.linkedin.com platform-ecst.linkedin.com platform-azur.linkedin.com; object-src 'none'; media-src blob: *; child-src blob: lnkd-communities: voyager: *; frame-ancestors 'self'
x-li-proto: http/2
expires: Thu, 01 Jan 1970 00:00:00 GMT

GET
H2 200 __ptq.gif
track.hubspot.com/ 45 B
232 B 38ms
38ms Image
image/gif 2606:4700::6810:fb05
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://track.hubspot.com/__ptq.gif?k=16&fi=a325ca4c-77be-436f-b080-20ec8bd3654a&lfi=152417&ft=1&sd=1600x1200&cd=24-bit&cs=UTF-8&ln=en-us&bfp=643011938&v=1.1&a=3354902&ct=standard-page&ccu=https%3A%2F%2Fwww.cybereason.com%2F404&lvc=en&pu=https%3A%2F%2Fwww.cybereason.com%2Fblog%2Fthreat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware%2Ccommunity-threat-briefing%2CTA505%2CServHelper%2Cbackdoor&cts=1580264848470&vi=9973c9cbd05cccf2ec89d79cad823281&nc=true&u=85683782.9973c9cbd05cccf2ec89d79cad823281.1580264847757.1580264847757.1580264847757.1&b=85683782.1.1580264847758&pt=0

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6810:fb05 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

dc111a70984a9eda00752b06277113029ef288f1125c31eff2477413e15e8aa4

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Response headers

date: Wed, 29 Jan 2020 02:27:28 GMT
cf-cache-status: DYNAMIC
server: cloudflare
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
p3p: CP="NOI CUR ADM OUR NOR STA NID"
status: 200
cache-control: no-cache, no-store, no-transform
access-control-allow-credentials: false
strict-transport-security: max-age=31536000; includeSubDomains; preload
cf-ray: 55c7c4670b59dffb-FRA
content-type: image/gif
content-length: 45
x-robots-tag: none

POST
H2 200 perf Show response
www.cybereason.com/_hcms/ 2 B
424 B 136ms
136ms XHR
text/plain 2606:4700::6811:86b4
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://www.cybereason.com/_hcms/perf
Requested by: Host: www.cybereason.com
URL: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700::6811:86b4 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3

Request headers

Referer: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware,community-threat-briefing,TA505,ServHelper,backdoor
Origin: https://www.cybereason.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Content-type: application/json

Response headers

cf-ray: 55c7c4751b07c290-FRA
date: Wed, 29 Jan 2020 02:27:30 GMT
cf-cache-status: DYNAMIC
server: cloudflare
x-trace: 2BEB710544BF682E374B197B3941575982C9FB0EE3000000000000000000
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary: Accept-Encoding
content-type: text/plain; charset=utf-8
status: 200
access-control-allow-credentials: false
accept-ranges: bytes
x-robots-tag: none
content-length: 2

Verdicts & Comments Add Verdict or Comment

108 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

8 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
.cybereason.com/	1970-01-19 06:57:46	Name: __hssc Value: 85683782.1.1580264847758
.cybereason.com/	1969-12-31 23:59:59	Name: __hssrc Value: 1
.cybereason.com/	1970-01-19 16:19:20	Name: hubspotutk Value: 9973c9cbd05cccf2ec89d79cad823281
.cybereason.com/	1970-01-19 15:30:23	Name: _hjid Value: c728cec5-5ab9-4102-bf7f-ec9a53080e4d
.cybereason.com/	1970-01-19 09:07:20	Name: _fbp Value: fb.1.1580264846640.471943334
.cybereason.com/	1970-01-19 16:19:20	Name: __hstc Value: 85683782.9973c9cbd05cccf2ec89d79cad823281.1580264847757.1580264847757.1580264847757.1
.www.cybereason.com/	1969-12-31 23:59:59	Name: __cfruid Value: f624d47d1c414b79bfcf5dc96a12fb1859c0c18a-1580264846
.www.cybereason.com/	1970-01-19 07:40:56	Name: __cfduid Value: d6ba6d33f7618fb7c874616d0863116161580264845

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Strict-Transport-Security	max-age=0

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

ads.yahoo.com
amplify.outbrain.com
amplifypixel.outbrain.com
analytics.twitter.com
api.hubapi.com
cdn2.hubspot.net
cdnjs.cloudflare.com
cm.g.doubleclick.net
connect.facebook.net
fonts.googleapis.com
fonts.gstatic.com
forms.hubspot.com
googleads.g.doubleclick.net
js.hs-analytics.net
js.hsadspixel.net
js.hsleadflows.net
p.typekit.net
pixel-geo.prfct.co
pixel.prfct.co
pixel.rubiconproject.com
px.ads.linkedin.com
script.hotjar.com
secure.adnxs.com
snap.licdn.com
static.hotjar.com
stats.g.doubleclick.net
t.sf14g.com
tag.marinsm.com
tr.outbrain.com
track.hubspot.com
tracking.leadlander.com
us-u.openx.net
use.typekit.net
vars.hotjar.com
www.cybereason.com
www.facebook.com
www.google-analytics.com
www.google.com
www.google.de
www.googleadservices.com
www.linkedin.com
104.111.215.74
104.244.42.195
147.75.32.13
147.75.84.39
147.75.84.91
151.101.12.65
172.217.16.130
185.33.223.203
2.18.234.190
2606:4700::6810:f905
2606:4700::6810:fb05
2606:4700::6811:4004
2606:4700::6811:44b0
2606:4700::6811:73b0
2606:4700::6811:86b4
2606:4700::6811:c8cc
2606:4700::6811:e7cc
2606:4700::6811:f3cc
2a00:1288:110:c305::a000
2a00:1450:4001:806::200a
2a00:1450:4001:816::200e
2a00:1450:4001:81b::2004
2a00:1450:4001:81f::2002
2a00:1450:4001:821::2003
2a00:1450:4001:824::2003
2a00:1450:400c:c06::9c
2a02:26f0:6c00:28c::25ea
2a03:2880:f01c:8012:face:b00c:0:3
2a03:2880:f11c:8183:face:b00c:0:25de
2a05:f500:10:101::b93f:9105
2a05:f500:11:101::b93f:9001
34.192.123.20
34.206.200.99
34.252.172.232
34.95.120.147
52.21.56.60
64.202.112.95
69.173.144.136
70.42.32.31
0005cf2627e9e54179f90c78bbf355fccafb3907c4ae9e699bc09c4a57d75bf6
008a6b447b38fe87dac9127b3e47c83f89df61e8ac7285a7e86051ee89e99af9
0b95fde1d439e2f692fed3050704dd9c215db5e5633cbf58e533e69e4a7a4201
0d111c83d2520fd8d1ec059493162072af6e97b725aa4b56eb846f09a01f8e9c
0f469248695d5b0f09feac08e6f219ef58cc81b64c4f0d4869b5b0d578ff1fe1
0fb004ca41b69a2343b80215a0a1db01baf9f9460d77d6532b8c2f966e57c2d7
10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa
147498d5be9d1aeb765c07a2789d7379a690cbcd52abcc1cacdd0203bd8e009b
154991194443aaeb774be577ea462c94fb6375d3926af0e00b6896581000a593
173db45379b49d9271f8638f9f80936b5e74671a2bbb8376e394090ae9db931e
1a6e3510af52bd4c550e719eef6ae49cfd1ff4be530c8240b4c8233a2860747d
1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb
23f1642566a05cb03e274dc86697ad111e2eebd281460d7baf012969cbd6dd48
2636433c714d8841c786ad69af6792be0bf2c3adbf9b6c8ad00f00ead91343ee
2abcb62d0ad8bf23d79121b6579e6f11bb23858b5278685f6c141272aa392bc0
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
2d0b8b695591b12e644193cb057434de9bf6671ccaadd3626a2052dc967cb558
2e96bf761583273e370136ed0b934a38ad1e08b386accb37277252b37b9c9961
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
312c7a4e3e547301e162c0bf3a7788cf8d52caf2668fbafc01351c9185b97ce4
33ca751ed175a163bef530ebdcdbd0a2d15997ccbcbf8d50a6f504e8ffac5a5c
341a4d40ad1b2560db940f906716d0e9539d4c0785399d7e0348fd0d3af00170
359197d1e7ab63fe678db88914f31f1f9f6a37bd182e0de565fc7a68302a1f50
365a7ca6f52df29efedfdac2e08a9d0f03e4e2122dd9a49803bf8dacd58480fc
38989f607265ccad9ce1e0982a0bba5bc667aa7dcc9df9beabf4f3a04cfe03eb
395e07ceb90e0b44b76f21cec5d6086767a18065b1c357627e8fb4fa308c0f00
3ebb579939eedb322901bf540c8e40df8176e375120b6638547bb8f270c3e33f
3fc1bd4c0666cad8d8af42cf8f26c59bc5535b3d907b4db560c7db627e1e5253
40951851856bfd237871f8f651d606c91ca562229e7bb5b56e0e1fe7c44c120d
41dd5e421fe221a7d2921d6fa2b36e8b01a9f2c054aaef5fad866fe896c1d1e0
45462bf2bd5ec8a2557b0b5c8ceffe241c458f3336db3fc3cc16ab51cf7094f3
4b5b6b15c6255109e06720cce42a06d3aead8b7874423d9c52cb0303212c25ef
4e0705327480ad2323cb03d9c450ffcae4a98bf3a5382fa0c7882145ed620e49
565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3
5a91c6d3e635c0bd1551a53cf0769328132151a7732039170280d500dbcb4685
5bab148520bb9b4b911f4da5ab8fd2c4a32333142fa835aaa645d6094396aab4
6561b2dd1e1b0f9b2f678dfd01a29e1174ec8ac628405a546e42b717a2d3388b
66b4fac9494bbeda177f4637fa3e7423fc8ef54b11a6875e68cdf3e472293b2a
69539b5b3777cffda28a66d7f2aa9b17c91ee1ec8fd50c00c442af91753a60f7
6bea2f9a81ff3f3fbbf2ec0a87e55d9f3ac4f0175c2c8be4db3aef9ac3d5a4f4
6f6f1e322dd95cc7cda0acad6c83acc225c2fbc839ae1965a8d23e2bad813bec
7219936e6e56b9932b2f1dd06cfff09b655a729bb17d0aa6d757e14184512384
765097740b7490e6ab6a2d8624199ab7b147e8c6cec064b6cce257750fdb1985
793fc397fef7e49522e43e020655cf3647b690848c0a2da1669912083a7f1680
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd
81df013a0d95c9d2f07390ea55bac2fb08ad4a78641630b67cbe0e673ebab173
86ecafc33ecb5976760d6b5f13a2874525e3f4bfa8b12a0e14d6c98ae9e727cd
8a1450f1c08822406d80ecfcac0ec1ce4c21fba0f774b76b48ea9492683590b6
8bd397636ecd49c36d687ad591807ea5ee621b1e11888657827902a5003fc4bb
9607506688417bb09b8d6c29362c2fe29bc1b047b793cccddfce876d927fa57b
97829f8a6f2a471117ed06d0b06a81d543b091a262192369c531380779148c5c
9af256cb88b39b1a3b6e36b50a7d7f3215db54331371bb53ed698450672ddcc8
9b9265c69a5cc295d1ab0d04e0273b3677db1a6216ce2ccf4efc8c277ed84b39
9c0603ffab91caf9bd61d6572282a99b3a1dd8c139745f6e9d8f2577ca6ee9cd
a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7
a4aeba3c62a91ed236d5acdc5ea52f5e051801379d306817ad8f4c850e550d2a
ab449241b50123673e76dbcd70f869ae11d26920f0ce1670fdfd266308058179
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
afae720ab42e55b7d00fab2ded53702ebbd40d1cc64d353103ec07a2fc2b4219
b329852f8f537591d001152e26a1b598ef4e4466fa10d859135843c307d5344e
b89b93e101854f7b0372d77035f9c2d6053298f27c02f83e5b107cc756ddf62c
bb89b9243e1a24adb734a4863b878f581594972d6e920261683844fb3fc8c12c
bcaf54bc46707931d5bcfd93e5b1ac50a518dabb1748fb5155353b392f11c2f8
bd2e9cca4744aba9195b6307d2afc4657d0070e8d973f3082ac77fb42c88008b
c1de9047e79d87bf90dc2f9f9babdce177018246ec94d1085855d0eddbec97c2
caa333db2175837df41125b50f0c0169c55f919427ee2c6992e2566948e9e518
cbc6e6e201648a797a1a70459fb94149e8245fcac93a066963cbb08cb7f08ae3
cd7908a80313043ae934d5f599a062460c50f94370cee5dc092e0cb9b8d123ef
cff3976cac7138e8f00fcc062246391c24320fbbb27de20e73f444dfb0175dea
d34c3af0d3b74cbb878ca4472668ebae02410ed1bfe8e85b244bb582d1dcb2ea
d9f014cbe9f87cab0d9b88591cf9213592d8c2864c71347fea3f720a3c205d52
dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a
dc061591e172e05940848ca0fde2c3163d7acbc1a308afeb71e057676fc6cb2a
dc111a70984a9eda00752b06277113029ef288f1125c31eff2477413e15e8aa4
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ec9150bbfa679b0584ac28c6a6d58993a3b500794c60d5398ee4ce3680963088
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
f621a831fe6b7b75cd96e10eb4c80311fff6a3948e4905d12a22032d5ec59b48
f9d2c69dd090f9e7939e843b439d1fcec1969f8f3a03eee39bc15e5aae11a7d2
fbdacf704d25985f21e496696895dc3006cdaf8ad5ff0fbc2b9b2b82a720ec45

www.cybereason.com Open in urlscan Pro 2606:4700::6811:86b4 Public Scan

Summary

urlscan.io Verdict: No classification

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

90 Requests

100 %HTTPS

56 %IPv6

31 Domains

41 Subdomains

36 IPs

7 Countries

4097 kBTransfer

5698 kBSize

8 Cookies

5 Outgoing links

Redirected requests

90 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

www.cybereason.com Open in urlscan Pro
2606:4700::6811:86b4 Public Scan

Screenshot
Live screenshot

Full Image

90
Requests

100 %
HTTPS

56 %
IPv6

31
Domains

41
Subdomains

36
IPs

7
Countries

4097 kB
Transfer

5698 kB
Size

8
Cookies

90 HTTP transactions
0 data transactions