General

  • Target

    b80e44d9eedd5fff1cd3ff0cfc1258af

  • Size

    2.5MB

  • Sample

    240306-wvyn9sff8z

  • MD5

    b80e44d9eedd5fff1cd3ff0cfc1258af

  • SHA1

    492003201b7f1a0a12230f2e245718de81bbad78

  • SHA256

    f00f8b0d2602fc2e8bcf5899377f6a23beae9ea9df2c0a3c4e9aad4cae2ef522

  • SHA512

    326c4b9296cc401c43fa9f138cb9eebf416baa0418084a1fc22b88e0cbfa1bfaaee4052c313b242b50cbd69663e2a943f9bd80beb84c735cca7b952fd881f47a

  • SSDEEP

    24576:faToNdX2E3YlwTgGbjj9PNwQ16RQx3WE+ygGBwf7Lx7Nhq39M//qRiQlrUUDKKbu:CgdBx6QAE+kqhjqAqQQvmEloj4IXfBh

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks