Extracted

• • Target

    c1e0df4f2321e9375baee3a0a26fba64

  • Size

    5.7MB

  • MD5

    c1e0df4f2321e9375baee3a0a26fba64

  • SHA1

    dcf4d90d2f3fd11f14b5413be5b7dde70ff33f7c

  • SHA256

    65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e

  • SHA512

    4bc74603d8a7a28a0c965cb78d7762c01312cdb6ee7d8be8f822ebb6bf3dbd273ac76c3ad5d0c70f9fa9439981c19a9bed4525f445d7faddb93e9db5a66a0ad7

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2