servhelper | fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df | Triage

Submit
Reports

Overview

overview

Static

static

fda3497d31...df.ps1

windows7_x64

1

fda3497d31...df.ps1

windows10-2004_x64

Sharing

General

Target

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df
Size

2.5MB
Sample

220206-yr6xksbfg2
MD5

869fe194f8f03c8286c2eda3ff0f80a1
SHA1

e79eeafe149ddccd7d907035442f8c4072237b68
SHA256

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df
SHA512

41de9b349240fd4c4997c7d9df6b349f43d38c2c74e31384c01861be5b69d643d8825ea1a21f6540036fa714e3d904a6a0089abdce2b42f4764d6388143ec453

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df.ps1

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df.ps1

Resource

win10v2004-en-20220112

servhelper backdoor discovery exploit persistence trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df
- Size
  
  2.5MB
- MD5
  
  869fe194f8f03c8286c2eda3ff0f80a1
- SHA1
  
  e79eeafe149ddccd7d907035442f8c4072237b68
- SHA256
  
  fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df
- SHA512
  
  41de9b349240fd4c4997c7d9df6b349f43d38c2c74e31384c01861be5b69d643d8825ea1a21f6540036fa714e3d904a6a0089abdce2b42f4764d6388143ec453
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Account Manipulation

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojanupx

© 2018-2025

Terms | Privacy