Extracted

• • Target

    353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74

  • Size

    6.0MB

  • MD5

    fa8f47009ea5c07fa239e8f98b4a5de1

  • SHA1

    56813df8292edf1d7f4c9c1f9e90b9c722fa238e

  • SHA256

    353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74

  • SHA512

    7df76c27b96774df7a07963d47281d4cd60cb7eaa2d029537f7aa86553c32510bef2166c5bb92a6402e23f497bd5521e124c161866b9bbd1db01991973958551

  • SSDEEP

    49152:DxtmeOhNIWIM/J5mxhIjdvEdnGmol7W3wmAeT7H6O8MO5GfsLPVgyZ7frOMxY6Fj:DzOhN7/D

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2