Extracted

• • Target

    08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12

  • Size

    4.5MB

  • MD5

    2519d825ce34edc5881380dfe1a2f9c4

  • SHA1

    642d87e38007682e8c60265ee59e67b09c32eb16

  • SHA256

    08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12

  • SHA512

    e4dfe0e8f3100824bd74942f4b97d39812055a572a1050ce8b18d0485c3f4bc42eb06c220ad4b145c055af7184ea31ca0274fcb029485f3cf90c8e81613c1ddd

  • SSDEEP

    49152:E8CdRhKHG/xe5R7w0XQ5lh6aoBaD8NB+uLqXnVMlONTKFMc8XQDmDzE8k/9U1:E8eKHGJG

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2