servhelper | 9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3 | Triage

Submit
Reports

Overview

overview

Static

static

9dea50450a...c3.exe

windows7_x64

1

9dea50450a...c3.exe

windows10-2004_x64

Sharing

General

Target

9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3
Size

5.0MB
Sample

220417-sak1wsgegr
MD5

e1a8986ee83e069db5911cf5f97ae45e
SHA1

24aea95b64acd33ab88a7495a3dcca6d3111cb67
SHA256

9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3
SHA512

5550bf83089cf36fe174aaa814fc185bd0152d9f813f9a645778f380f97d1b8fb66f0de38c0187fa563edb6cbb7864667dd43a479f4ae59be95c26dfef0507b1

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3.exe

Resource

win10v2004-20220414-en

servhelper backdoor discovery exploit persistence trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3
- Size
  
  5.0MB
- MD5
  
  e1a8986ee83e069db5911cf5f97ae45e
- SHA1
  
  24aea95b64acd33ab88a7495a3dcca6d3111cb67
- SHA256
  
  9dea50450a6840d3be1898060406c4082c2ae3e808bf26d72baf5560118182c3
- SHA512
  
  5550bf83089cf36fe174aaa814fc185bd0152d9f813f9a645778f380f97d1b8fb66f0de38c0187fa563edb6cbb7864667dd43a479f4ae59be95c26dfef0507b1
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

File Permissions Modification

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojanupx

© 2018-2024

Terms | Privacy