Extracted

• • Target

    b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1

  • Size

    2.6MB

  • MD5

    35c34f487155cf7fc72c3146bfa1a016

  • SHA1

    7ee148a4481dcbaba8e63235356f931243f30b37

  • SHA256

    b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfacff1fd5d

  • SHA512

    188daeb03aa63c289649f45ead6f7d66d20d9549ed673c4449bc5b353b992654de78d114f784bf7f582a12daf029084e21123fff57e5318188de650d7099c32b

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Deletes itself

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2