Extracted

• • Target

    64cb280711db0137dc6da7f2cd71745f94ada56d890c6326f07f1b36eee36e07

  • Size

    6.7MB

  • MD5

    185a05aefc21ed3f07716a01871e2c5a

  • SHA1

    2e706b6810c21605fbb4b6c32dbdb1e5c1c28f0a

  • SHA256

    64cb280711db0137dc6da7f2cd71745f94ada56d890c6326f07f1b36eee36e07

  • SHA512

    458307a3b8f9ecd0bcae80582051835f5b263690d28bc85d4b228b1de7a3cb8146af9e7c139201146a1585a0d11531ef8a4534d00e1517406d8b19ecd835a7d9

  • SSDEEP

    98304:Wrbq9XeGw2WuPDwTTOzAElMLmZ7oo8kTApKGaRqc4O1XujlqHRARZ:WrbcZpPDsTTLmxoQT7RRq4ujlzRZ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2