Extracted

• • Target

    3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

  • Size

    7.6MB

  • MD5

    88e8fd31d8e8a76cd57c9051ed96ee66

  • SHA1

    86712df63cf56ae014d91f1f276ea4491c115a8e

  • SHA256

    3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

  • SHA512

    af5c924b3c3181b4720ec9d1d0e757ceb9a4d0371cfb9c0a22da08fd77d2324dc0e716cc0fa5ea3d7981256ce772c4327d04a9e2954de654cd07851514a610f9

  • SSDEEP

    98304:OsgijX8uqOeLajSKF6ZKHiT431RArwISOskLPJaGiZak2mzhLS:RjsuxeLQr6KiT4PArwPOsGJaG6ak1ZS

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2