Extracted

• • Target

    508167b2c34732f05f11f2531b2498a2

  • Size

    5.9MB

  • MD5

    508167b2c34732f05f11f2531b2498a2

  • SHA1

    88f5a4f580243a098662a8c1dd3ea86a60407c81

  • SHA256

    f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f

  • SHA512

    3b6dd1409a15da49609ce4779c66a08768fa635cb7a8ce3fd6e9a0f56f5055de9c7b09eb9dfad3f542ff6478fd661c8c46e42e1580d4e5311dd465d79fea8c5c

  • SSDEEP

    49152:P8L4dlrb/TkvO90dL3BmAFd4A64nsfJ9uB5q9FbvbhZdGDSj0uBTfA6VzHv3+6kP:P80Du3mAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2