Extracted

• • Target

    c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

  • Size

    7.0MB

  • MD5

    f19b9d6b74f65125623613a334baba76

  • SHA1

    8b1428daa9a7d2231663784c2e0457034dbdd468

  • SHA256

    c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

  • SHA512

    f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4

  • SSDEEP

    196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2