servhelper | 7da69d9b2edd854e2ebd3c5123ae0fa4df058780fdea9236f412daf46ed4997b | Triage

Submit
Reports

Overview

overview

Static

static

1

fe390355d5...5f.exe

windows7-x64

fe390355d5...5f.exe

windows10-2004-x64

Sharing

General

Target

fe390355d5840bf740669121b7032e5f
Size

3.4MB
Sample

231222-vvtjwaeff9
MD5

fe390355d5840bf740669121b7032e5f
SHA1

db7c8fd4c1b2600d98e20e8301018e1a4b952444
SHA256

7da69d9b2edd854e2ebd3c5123ae0fa4df058780fdea9236f412daf46ed4997b
SHA512

fb073cc090ba88805c0b43f639714d393271ea7397c7af1c4c409e680d98c61fa1aa6117307d3c3e967da0cf30c3cf90ea59ed7c99e419b30b76d2c1a817980c
SSDEEP

49152:kkfxaDlOo67fSWzotMT+3vQW4DMyc+7G0wHyiTXvJifxwB77xWRpt/l0Vpz1UHYV:d2qrt7T+v+7G0CJ4xwB7YN/l0VpyRO

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fe390355d5840bf740669121b7032e5f.exe

Resource

win7-20231215-en

servhelper backdoor discovery exploit persistence trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

fe390355d5840bf740669121b7032e5f.exe

Resource

win10v2004-20231215-en

servhelper backdoor discovery exploit persistence trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  fe390355d5840bf740669121b7032e5f
- Size
  
  3.4MB
- MD5
  
  fe390355d5840bf740669121b7032e5f
- SHA1
  
  db7c8fd4c1b2600d98e20e8301018e1a4b952444
- SHA256
  
  7da69d9b2edd854e2ebd3c5123ae0fa4df058780fdea9236f412daf46ed4997b
- SHA512
  
  fb073cc090ba88805c0b43f639714d393271ea7397c7af1c4c409e680d98c61fa1aa6117307d3c3e967da0cf30c3cf90ea59ed7c99e419b30b76d2c1a817980c
- SSDEEP
  
  49152:kkfxaDlOo67fSWzotMT+3vQW4DMyc+7G0wHyiTXvJifxwB77xWRpt/l0Vpz1UHYV:d2qrt7T+v+7G0CJ4xwB7YN/l0VpyRO
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Account Manipulation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupx

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojanupx

© 2018-2025

Terms | Privacy