Extracted

• • Target

    4c1063d9a1324655008a22a6d558b2dc.exe

  • Size

    3.1MB

  • MD5

    4c1063d9a1324655008a22a6d558b2dc

  • SHA1

    ddecd8b6ddf3a60d841663ab58fdcfea02299d09

  • SHA256

    91d8870ce872fc1d99181a961e4b3735152e7aa77b714b015efd594fd923eea2

  • SHA512

    c7cd30fd24347d4a1f86a4bcef2472d2d6286970d5712d158333519a8fe69d87e6ef0df1f688f5372eead87b167f6f1f86b80510dfc35b2b01cc160feffe26cf

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Core1 .NET packer

    Detects packer/loader used by .NET malware.

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Uses the VBS compiler for execution

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2