Extracted

• • Target

    bfe0ac25eeeb759f7c8e06229c7313a2

  • Size

    5.9MB

  • MD5

    bfe0ac25eeeb759f7c8e06229c7313a2

  • SHA1

    199c1fbd29f9ec98b83464763dac63ef80998bb3

  • SHA256

    be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

  • SHA512

    a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72

  • SSDEEP

    49152:tvGIuxrb/TkvO90dL3BmAFd4A64nsfJ1XU59mMJETIR1iVhYOxbJBKqKhmYYMNn9:tvGfXdmAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2