Extracted

• • Target

    c2d4bd5b611d2adb39200dc461255d5f

  • Size

    6.9MB

  • MD5

    c2d4bd5b611d2adb39200dc461255d5f

  • SHA1

    d4ee36f705dad290f9beb74da59c9d147d47dc3b

  • SHA256

    aee35491525d86d85dc0f6410525ba82673d7691d4035436154f395430a23594

  • SHA512

    631fe15d69b6591e7538277546f694fe6361ca1d485aab2de4406aa460ffc316f2156e44d08124d24cf43197cf154e983c563efa21078b99e4a2524968514668

  • SSDEEP

    98304:ipb2Sar8+l1PRdU6wjvo8+NcbCOX69G50zPtzKgu0t5tZgPVWp0vHbSxKyxmxFNz:i8SaoIR6xsu/qQm+gp6zvy3xmXRB

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2