Extracted

• • Target

    d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

  • Size

    6.0MB

  • MD5

    86178014e457120d9dc6f6e27453338c

  • SHA1

    16ab38c0e9c4516532f9d111523e948a6311bfc0

  • SHA256

    d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

  • SHA512

    746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75

  • SSDEEP

    49152:+G6we2P/3W01/65p9CepD70BIme1AWwYg015Y5vl5zytq9oB5JSZZSYu5q01ka2i:+32P/d/s

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2