Extracted

• • Target

    878c2cdccd93c49e71955beae55dd32f5398594c95112878cd4f63d04fa47cdb

  • Size

    4.5MB

  • MD5

    9ff7912602cfde4249eeffb1b8c1c10a

  • SHA1

    89326801da83ca97b684f39a92885042c038c0fc

  • SHA256

    878c2cdccd93c49e71955beae55dd32f5398594c95112878cd4f63d04fa47cdb

  • SHA512

    bf2e70dbdd9c7bcba67a38ec7cb765b2269ad868fad0ad2cd26e59dafb7c1c33738d466e7a30dbcd583f2746ca60ef32263d1b2543abe634aeb023bec6cd3617

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2