Extracted

• • Target

    96d4ecbc8b4e168039901376fc5a8b5a.exe

  • Size

    3.2MB

  • MD5

    96d4ecbc8b4e168039901376fc5a8b5a

  • SHA1

    133d86495e1b248253280bb10a24da1045a75594

  • SHA256

    cfdb155368f72aed83e715260f1dd63922a25ce4e6d558941f94cb4a06357994

  • SHA512

    b6d17596374d88b33e2331687ed70f85add4331d2d7b612a3da44907a79f356e619654378d327889e50e9908e86b96132c3bf395dff1a9f91ea2c3a536bc3c2f

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Core1 .NET packer

    Detects packer/loader used by .NET malware.

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Uses the VBS compiler for execution

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2