servhelper | 353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74 | Triage

Submit
Reports

Overview

overview

Static

static

3

353a484824...74.exe

windows7-x64

353a484824...74.exe

windows10-2004-x64

Sharing

General

Target

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
Size

6.0MB
Sample

240410-mcbbkscb75
MD5

fa8f47009ea5c07fa239e8f98b4a5de1
SHA1

56813df8292edf1d7f4c9c1f9e90b9c722fa238e
SHA256

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
SHA512

7df76c27b96774df7a07963d47281d4cd60cb7eaa2d029537f7aa86553c32510bef2166c5bb92a6402e23f497bd5521e124c161866b9bbd1db01991973958551
SSDEEP

49152:DxtmeOhNIWIM/J5mxhIjdvEdnGmol7W3wmAeT7H6O8MO5GfsLPVgyZ7frOMxY6Fj:DzOhN7/D

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe

Resource

win7-20240221-en

servhelper backdoor discovery exploit persistence trojan upx

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe

Resource

win10v2004-20231215-en

servhelper backdoor discovery exploit persistence trojan upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

- Target
  
  353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
- Size
  
  6.0MB
- MD5
  
  fa8f47009ea5c07fa239e8f98b4a5de1
- SHA1
  
  56813df8292edf1d7f4c9c1f9e90b9c722fa238e
- SHA256
  
  353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
- SHA512
  
  7df76c27b96774df7a07963d47281d4cd60cb7eaa2d029537f7aa86553c32510bef2166c5bb92a6402e23f497bd5521e124c161866b9bbd1db01991973958551
- SSDEEP
  
  49152:DxtmeOhNIWIM/J5mxhIjdvEdnGmol7W3wmAeT7H6O8MO5GfsLPVgyZ7frOMxY6Fj:DzOhN7/D
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

File and Directory Permissions Modification

Credential Access

Discovery

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupx

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojanupx

© 2018-2024

Terms | Privacy