servhelper | a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41 | Triage

Submit
Reports

Overview

overview

Static

static

7

a09dcec944...41.exe

windows7-x64

a09dcec944...41.exe

windows10-2004-x64

Sharing

General

Target

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
Size

6.8MB
Sample

240410-p896wsbf91
MD5

d088405edcf61c7fb54b260bc6315a31
SHA1

997f482fcca4cc5704bb0bf8b47132dd34aa0a37
SHA256

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
SHA512

1bc794a0c84525d67b8a3aecdd4544942cced8996f0b04fa8da1649a14fdd746638ba87b850c3046a3e82c1a455c2168802fe85b45b86436ca2515885e7bb86c
SSDEEP

98304:q7WKfdq7RyQdh/ha7TTOzAElMLmZ7oo8kTApKGaRqc4O1XujlqScYEYrsG3AH:qCUdcRwfTTLmxoQT7RRq4ujltcYN9w

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe

Resource

win7-20240319-en

servhelper backdoor discovery exploit persistence trojan upx vmprotect

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe

Resource

win10v2004-20240226-en

servhelper backdoor discovery exploit persistence trojan upx vmprotect

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

- Target
  
  a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
- Size
  
  6.8MB
- MD5
  
  d088405edcf61c7fb54b260bc6315a31
- SHA1
  
  997f482fcca4cc5704bb0bf8b47132dd34aa0a37
- SHA256
  
  a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
- SHA512
  
  1bc794a0c84525d67b8a3aecdd4544942cced8996f0b04fa8da1649a14fdd746638ba87b850c3046a3e82c1a455c2168802fe85b45b86436ca2515885e7bb86c
- SSDEEP
  
  98304:q7WKfdq7RyQdh/ha7TTOzAElMLmZ7oo8kTApKGaRqc4O1XujlqScYEYrsG3AH:qCUdcRwfTTLmxoQT7RRq4ujltcYN9w
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx vmprotect
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

File and Directory Permissions Modification

Credential Access

Discovery

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

servhelperbackdoordiscoveryexploitpersistencetrojanupxvmprotect

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojanupxvmprotect

© 2018-2024

Terms | Privacy