servhelper | 97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef | Triage

Submit
Reports

Overview

overview

Static

static

1

97e2e89259...ef.exe

windows7_x64

97e2e89259...ef.exe

windows10-2004_x64

7

Sharing

General

Target

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef
Size

4.3MB
Sample

220520-gvxpmsddc6
MD5

8786f856af7d279d72cf6cac110e3e69
SHA1

52cfb091bbcd1ac44a5bee5dd25707b646a126dc
SHA256

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef
SHA512

1fd4401394aed60ea4ebc81275d9e33c73e4f79a2ddb34777779d6ce2456c121a5d7a3bff17f744c248a003b1d93cb22552d5e5fbfde3dc740fa67fe8afc123b

Score

10^/10

servhelper backdoor discovery exploit persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

Resource

win7-20220414-en

servhelper backdoor discovery exploit persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef
- Size
  
  4.3MB
- MD5
  
  8786f856af7d279d72cf6cac110e3e69
- SHA1
  
  52cfb091bbcd1ac44a5bee5dd25707b646a126dc
- SHA256
  
  97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef
- SHA512
  
  1fd4401394aed60ea4ebc81275d9e33c73e4f79a2ddb34777779d6ce2456c121a5d7a3bff17f744c248a003b1d93cb22552d5e5fbfde3dc740fa67fe8afc123b
Score

10^/10

servhelper backdoor discovery exploit persistence trojan
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojan

behavioral2

© 2018-2024

Terms | Privacy