Extracted

• • Target

    d7ef71aa67e1fb5a364c97ff4b89f5f6a28db1c84f91563547a4e44581833486

  • Size

    5.7MB

  • MD5

    83d119a963e7050995f9bf6be8841b95

  • SHA1

    2ba0e479d5c2b7b9b28c7f946bd56489cedaa126

  • SHA256

    d7ef71aa67e1fb5a364c97ff4b89f5f6a28db1c84f91563547a4e44581833486

  • SHA512

    4c740f5e0f4787fc268239882fe9b74ee00944053ac4c45ca1d114dbd22954f00c3f4fd5fb39be932b44e6da9380466d07b324150454357bf7b12a17b77ceffe

  • SSDEEP

    49152:OZxqAErb/T/vO90dL3BmAFd4A64nsfJ49fEM5QcLTmk/2PU3oq5Z/tXGKSXzDBme:OZZ0hEumAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2