Extracted

• • Target

    da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

  • Size

    5.7MB

  • MD5

    61d5e32562d1c70daf0a3112f7888258

  • SHA1

    11c54ce99e87637f58c7bc0bd8134c73df9bf879

  • SHA256

    da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

  • SHA512

    9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2

  • SSDEEP

    49152:wDK8merb/T/vO90dL3BmAFd4A64nsfJdo5GQ5shfTuU92flI7MhhaftEhamnybrN:wD+3eGLmAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2