Extracted

• • Target

    5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa

  • Size

    5.9MB

  • MD5

    3cb66d271255d59945381fdc6fab9b91

  • SHA1

    cba5bc5d238ffa84cadb81d8ac65c81c289ec74a

  • SHA256

    5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa

  • SHA512

    770a6f375c8ba6c3c4a7da63652b58ccac9a3a0c005cf1cfc8db21447ae247bcc705c8f20da683ca89e1f0102604e23310be76c4c5daf358f81d2b36008c9a75

  • SSDEEP

    49152:ZvAR1erb/TkvO90dL3BmAFd4A64nsfJibC5IaYNPk6bs3xwXmUGzDrQMHLPSZaaH:ZvQpbwmAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2