General
-
Target
clr.exe
-
Size
6.0MB
-
Sample
210524-96m9gh9rhx
-
MD5
1e9f45329ffece31382bb884367f58df
-
SHA1
52d3d55364d8c4d350231d38bfe6eb156cf8473f
-
SHA256
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
-
SHA512
12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62
Static task
static1
Behavioral task
behavioral1
Sample
clr.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
clr.exe
Resource
win10v20210408
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Targets
-
-
Target
clr.exe
-
Size
6.0MB
-
MD5
1e9f45329ffece31382bb884367f58df
-
SHA1
52d3d55364d8c4d350231d38bfe6eb156cf8473f
-
SHA256
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
-
SHA512
12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Modifies RDP port number used by Windows
-
Possible privilege escalation attempt
-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Modifies file permissions
-
Drops file in System32 directory
-