Extracted

• • Target

    b32f96217e69b983264075a884c789bbb59b04995f5468c2c6a54d9385d13a80

  • Size

    6.7MB

  • MD5

    2b6ad7f446fe56f8bb5438a4784afe78

  • SHA1

    15f5584e569668013548b2f27a417a6482c9317f

  • SHA256

    b32f96217e69b983264075a884c789bbb59b04995f5468c2c6a54d9385d13a80

  • SHA512

    160537e84ecc2694b514482b95dd70c03abc4580de2cd6f2ae38d332bf4446cbbf9a66676be87a8f4ca25b68be5533342af1d6ebde33577a0aff6a3004800bee

  • SSDEEP

    98304:gOOles66ycm4i+stzTTOzAElMLmZ7oo8kTApKGaRqc4O1XujlqEBLMkqzEoe:Ns6cizZTTLmxoQT7RRq4ujlBBTqz3

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2