Overview

overview

10

Static

static

1

3db7b97aa0...7b.exe

windows7-x64

10

3db7b97aa0...7b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

  • Size

    7.6MB

  • Sample

    240410-mh3m1sfe2x

  • MD5

    88e8fd31d8e8a76cd57c9051ed96ee66

  • SHA1

    86712df63cf56ae014d91f1f276ea4491c115a8e

  • SHA256

    3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

  • SHA512

    af5c924b3c3181b4720ec9d1d0e757ceb9a4d0371cfb9c0a22da08fd77d2324dc0e716cc0fa5ea3d7981256ce772c4327d04a9e2954de654cd07851514a610f9

  • SSDEEP

    98304:OsgijX8uqOeLajSKF6ZKHiT431RArwISOskLPJaGiZak2mzhLS:RjsuxeLQr6KiT4PArwPOsGJaG6ak1ZS

Score
10/10
servhelperbackdoordiscoveryexploitpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

    • Size

      7.6MB

    • MD5

      88e8fd31d8e8a76cd57c9051ed96ee66

    • SHA1

      86712df63cf56ae014d91f1f276ea4491c115a8e

    • SHA256

      3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

    • SHA512

      af5c924b3c3181b4720ec9d1d0e757ceb9a4d0371cfb9c0a22da08fd77d2324dc0e716cc0fa5ea3d7981256ce772c4327d04a9e2954de654cd07851514a610f9

    • SSDEEP

      98304:OsgijX8uqOeLajSKF6ZKHiT431RArwISOskLPJaGiZak2mzhLS:RjsuxeLQr6KiT4PArwPOsGJaG6ak1ZS

    Score
    10/10
    servhelperbackdoordiscoveryexploitpersistencetrojanupx

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

      trojanbackdoorservhelper

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks