servhelper | 857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c | Triage

Submit
Reports

Overview

overview

Static

static

aa80d5960e...08.exe

windows7_x64

aa80d5960e...08.exe

windows10_x64

1

Sharing

General

Target

aa80d5960e65ac46ad446c09c1a17608.exe
Size

6.0MB
Sample

210603-9n2lmnekgn
MD5

aa80d5960e65ac46ad446c09c1a17608
SHA1

c2468b1792e5ecef461d2d89470e8438c05cce24
SHA256

857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
SHA512

07e15d76dc1940e0b3a926cfa6a5d92760525ae7f9e54bc8c691f1c9ea8af71ffe818aa347857a5c1435316d152a262a1875f03f465bc7be36a10e73bab6022b

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

aa80d5960e65ac46ad446c09c1a17608.exe

Resource

win7v20210408

servhelper backdoor discovery exploit persistence trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

aa80d5960e65ac46ad446c09c1a17608.exe

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

- Target
  
  aa80d5960e65ac46ad446c09c1a17608.exe
- Size
  
  6.0MB
- MD5
  
  aa80d5960e65ac46ad446c09c1a17608
- SHA1
  
  c2468b1792e5ecef461d2d89470e8438c05cce24
- SHA256
  
  857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
- SHA512
  
  07e15d76dc1940e0b3a926cfa6a5d92760525ae7f9e54bc8c691f1c9ea8af71ffe818aa347857a5c1435316d152a262a1875f03f465bc7be36a10e73bab6022b
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

File Permissions Modification

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy