servhelper | eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad | Triage

Submit
Reports

Overview

overview

Static

static

6774f8a7d9...6c.exe

windows7_x64

6774f8a7d9...6c.exe

windows10_x64

Sharing

General

Target

6774f8a7d95a58ddab16d1c792ec846c
Size

4.5MB
Sample

210618-6rvk3g6v8x
MD5

6774f8a7d95a58ddab16d1c792ec846c
SHA1

562b99cee396d3d22dde68d9de09214dc32a0dd4
SHA256

eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad
SHA512

b3c7b9e46f6b5ccc513708729bd79b0ffab4605a9c4bbce0f5209574a83f68b2353c67b4731b0bdb5aa398f33dbe97c9bf46f54f0c0680e3f2b74c83e7657019

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

6774f8a7d95a58ddab16d1c792ec846c.exe

Resource

win7v20210410

servhelper backdoor discovery exploit persistence trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6774f8a7d95a58ddab16d1c792ec846c.exe

Resource

win10v20210410

persistence upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

- Target
  
  6774f8a7d95a58ddab16d1c792ec846c
- Size
  
  4.5MB
- MD5
  
  6774f8a7d95a58ddab16d1c792ec846c
- SHA1
  
  562b99cee396d3d22dde68d9de09214dc32a0dd4
- SHA256
  
  eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad
- SHA512
  
  b3c7b9e46f6b5ccc513708729bd79b0ffab4605a9c4bbce0f5209574a83f68b2353c67b4731b0bdb5aa398f33dbe97c9bf46f54f0c0680e3f2b74c83e7657019
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

File Permissions Modification

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy