Extracted

• • Target

    Filmora-Wondershare-Installer.exe

  • Size

    9.2MB

  • MD5

    5e12e56a643c71b913ea60f48f28726d

  • SHA1

    8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd

  • SHA256

    79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d

  • SHA512

    807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

  Score

  10^/10

  servhelperbackdoorbootkitdiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  behavioral1behavioral2