servhelper

Sharing

Copy URL

Twitter E-mail

General

Target

282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
Size

2.6MB
Sample

240410-l3c3esbf67
MD5

44e86870c9402d8246dc9498e448e890
SHA1

fa3a1b3b5c40927dd43e949783b9f1078122b1f7
SHA256

282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
SHA512

5e459ef56d59be710e6b2464f7cbc8553f2f932fd499477829a4fe27a42ed1467331e4ea6eaee0dfeddf692ef0763e1035c8f9ab32e419cd9dec950d8f37cd0f
SSDEEP

49152:H/gy5fJnREzdOP+CtcMLq8t8eay0pSJA6Ecrk7Y2DPJ4VbQ/6ZgTQU1gCVrEWx1P:H/gy5hnrt92HRqxI7Y2F/zTyiwW3P

Score

10^/10

Malware Config

Targets

- Target
  
  282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
- Size
  
  2.6MB
- MD5
  
  44e86870c9402d8246dc9498e448e890
- SHA1
  
  fa3a1b3b5c40927dd43e949783b9f1078122b1f7
- SHA256
  
  282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
- SHA512
  
  5e459ef56d59be710e6b2464f7cbc8553f2f932fd499477829a4fe27a42ed1467331e4ea6eaee0dfeddf692ef0763e1035c8f9ab32e419cd9dec950d8f37cd0f
- SSDEEP
  
  49152:H/gy5fJnREzdOP+CtcMLq8t8eay0pSJA6Ecrk7Y2DPJ4VbQ/6ZgTQU1gCVrEWx1P:H/gy5hnrt92HRqxI7Y2F/zTyiwW3P
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/blowfish.dll
- Size
  
  22KB
- MD5
  
  5afd4a9b7e69e7c6e312b2ce4040394a
- SHA1
  
  fbd07adb3f02f866dc3a327a86b0f319d4a94502
- SHA256
  
  053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
- SHA512
  
  f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
- SSDEEP
  
  384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsUnzip.dll
- Size
  
  146KB
- MD5
  
  77a26c23948070dc012bba65e7f390aa
- SHA1
  
  7e112775770f9b3b24e2a238b5f7c66f8802e5d8
- SHA256
  
  4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
- SHA512
  
  2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
- SSDEEP
  
  3072:3imoHcJg67rm+2X7jiYwJAmcxaw2VvnCNizd9XER4I6CAZJPtAY3:3I8Jlrm7SnjCNizdhER4I3kP3
Score

3^/10
behavioral7 behavioral8