Extracted

• • Target

    b03d46139ca23de8da2d233986f00388

  • Size

    4.6MB

  • MD5

    b03d46139ca23de8da2d233986f00388

  • SHA1

    b609bb2d72faa50375e5f0264f5be90156518d05

  • SHA256

    7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591

  • SHA512

    acbc9f1f1b0f35bf0e8f7a71baa0320259a76544f52a978a17590ab778d95ea08161a4cf36819d954ca93f09432128ad3174254e550a1f92f7e4df8289a55378

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2