General

  • Target

    282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

  • Size

    2.6MB

  • Sample

    240410-l3c3esbf67

  • MD5

    44e86870c9402d8246dc9498e448e890

  • SHA1

    fa3a1b3b5c40927dd43e949783b9f1078122b1f7

  • SHA256

    282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

  • SHA512

    5e459ef56d59be710e6b2464f7cbc8553f2f932fd499477829a4fe27a42ed1467331e4ea6eaee0dfeddf692ef0763e1035c8f9ab32e419cd9dec950d8f37cd0f

  • SSDEEP

    49152:H/gy5fJnREzdOP+CtcMLq8t8eay0pSJA6Ecrk7Y2DPJ4VbQ/6ZgTQU1gCVrEWx1P:H/gy5hnrt92HRqxI7Y2F/zTyiwW3P

Malware Config

Targets

    • Target

      282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

    • Size

      2.6MB

    • MD5

      44e86870c9402d8246dc9498e448e890

    • SHA1

      fa3a1b3b5c40927dd43e949783b9f1078122b1f7

    • SHA256

      282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

    • SHA512

      5e459ef56d59be710e6b2464f7cbc8553f2f932fd499477829a4fe27a42ed1467331e4ea6eaee0dfeddf692ef0763e1035c8f9ab32e419cd9dec950d8f37cd0f

    • SSDEEP

      49152:H/gy5fJnREzdOP+CtcMLq8t8eay0pSJA6Ecrk7Y2DPJ4VbQ/6ZgTQU1gCVrEWx1P:H/gy5hnrt92HRqxI7Y2F/zTyiwW3P

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    • Score

      3/10

    • Target

      $PLUGINSDIR/blowfish.dll

    • Size

      22KB

    • MD5

      5afd4a9b7e69e7c6e312b2ce4040394a

    • SHA1

      fbd07adb3f02f866dc3a327a86b0f319d4a94502

    • SHA256

      053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

    • SHA512

      f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

    • SSDEEP

      384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsUnzip.dll

    • Size

      146KB

    • MD5

      77a26c23948070dc012bba65e7f390aa

    • SHA1

      7e112775770f9b3b24e2a238b5f7c66f8802e5d8

    • SHA256

      4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

    • SHA512

      2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

    • SSDEEP

      3072:3imoHcJg67rm+2X7jiYwJAmcxaw2VvnCNizd9XER4I6CAZJPtAY3:3I8Jlrm7SnjCNizdhER4I3kP3

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID and the number of matching signatures.

Persistence

  • Account Manipulation (T1098): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • File and Directory Permissions Modification (T1222): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Lateral Movement

  • Remote Services (T1021): 1
    • Remote Desktop Protocol (T1021.001): 1

Tasks