servhelper | 7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c | Triage

Submit
Reports

Overview

overview

Static

static

1

7c961f8e57...5c.exe

windows7_x64

7c961f8e57...5c.exe

windows10-2004_x64

9

Sharing

General

Target

7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c
Size

3.4MB
Sample

220523-z4zjpsgge9
MD5

c53305cbf3645ab5c84469b892058413
SHA1

0a08890c0e5c082ff135fc5df493c346335bdba5
SHA256

7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c
SHA512

b9b35d0f26e456c826623de80c084f3fbd523f9c3cd9e5230150e45508c1a128d1f19a7786b1ebf4008705a7843a36ec0c0c084b870c2258d8238cdb4bb30f88

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c.exe

Resource

win7-20220414-en

servhelper backdoor discovery exploit persistence trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c.exe

Resource

win10v2004-20220414-en

discovery exploit upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c
- Size
  
  3.4MB
- MD5
  
  c53305cbf3645ab5c84469b892058413
- SHA1
  
  0a08890c0e5c082ff135fc5df493c346335bdba5
- SHA256
  
  7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c
- SHA512
  
  b9b35d0f26e456c826623de80c084f3fbd523f9c3cd9e5230150e45508c1a128d1f19a7786b1ebf4008705a7843a36ec0c0c084b870c2258d8238cdb4bb30f88
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Account Manipulation

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupx

behavioral2

discoveryexploitupx

© 2018-2024

Terms | Privacy