Extracted

• • Target

    SecuriteInfo.com.W32.AIDetect.malware1.29246.21787

  • Size

    5.8MB

  • MD5

    7bd36bd38e2d59e7cd840ebb5d753ed7

  • SHA1

    c625e4a67c8ed11da8d2f39151d80ece4a6c1c70

  • SHA256

    3e841431aaa53eb3cfa6f167b3a46bca0eb16d22e6fd1d06944414b78cc512d8

  • SHA512

    9a91148a38030fab0d99ab15e3113fa8f188379b9d6618942e41e1028d6c0dc19be4e8c8f3bc1faa40a7946eb4b38202f74ef6cac59df7739e8c15783bf924ae

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2