servhelper | f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625 | Triage

Submit
Reports

Overview

overview

Static

static

2e3b62f4f1...dd.exe

windows7_x64

8

2e3b62f4f1...dd.exe

windows10_x64

Sharing

General

Target

2e3b62f4f1669b3615608ea31e1796dd
Size

6.7MB
Sample

211016-mkzzxabhc4
MD5

2e3b62f4f1669b3615608ea31e1796dd
SHA1

9f9584588e480c0cfc18b770da47b00919e24219
SHA256

f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA512

2879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af

Score

10^/10

servhelper xmrig agilenet backdoor miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

2e3b62f4f1669b3615608ea31e1796dd.exe

Resource

win7-en-20211014

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2e3b62f4f1669b3615608ea31e1796dd.exe

Resource

win10-en-20211014

servhelper xmrig agilenet backdoor miner persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  2e3b62f4f1669b3615608ea31e1796dd
- Size
  
  6.7MB
- MD5
  
  2e3b62f4f1669b3615608ea31e1796dd
- SHA1
  
  9f9584588e480c0cfc18b770da47b00919e24219
- SHA256
  
  f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
- SHA512
  
  2879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
Score

10^/10

agilenet servhelper xmrig backdoor miner persistence trojan
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Account Manipulation

Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

servhelperxmrigagilenetbackdoorminerpersistencetrojan

© 2018-2024

Terms | Privacy