General

  • Target

    21744533483.zip

  • Size

    1.9MB

  • Sample

    250313-nmcg3a1xe1

  • MD5

    a7a50f848ee6e052f7cda35707fd0743

  • SHA1

    c0a6eb37fb847b735c177f9bbc81226a0dde6fff

  • SHA256

    a32d35c527d278679bf19e45eb6f5841ad501f9e97da65dc6b5dade3ac762767

  • SHA512

    606752671304f15bc32e7299865f85484478682b3091360f1c2941ffaf2a74ed42242c8af4cd7a08333f94b6bf2856f2012f0d8af0de4df3d9415ef04cfd5402

  • SSDEEP

    49152:oIdzdgqd8wowhM7gSK6t5EFdzadTYx+M49dCFej/1LDjGbc8s:ldzuAoHK6EFdzbwl94FM/1LfGQZ

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      edd23d9fccfb6d00bfe4c572f49e539e1a03a84ab985a84ec0d09ce8d85899fa

    • Size

      2.5MB

    • MD5

      54ea05f72d85e81abc662f81717b3a6e

    • SHA1

      10cc7c97b12808c6d0011d24a5213ce315b6ad0e

    • SHA256

      edd23d9fccfb6d00bfe4c572f49e539e1a03a84ab985a84ec0d09ce8d85899fa

    • SHA512

      2b9fee3fd73c357345d61b3a642031cf38a1f4723ee377e318bb14f1a47954a7c229dc26da793cd3d6ab1ab5f565ed85aab402ca2047a7fd0e1f705944558290

    • SSDEEP

      49152:cd8rheMFBvkc7Ti6PHckz0GepoCUnaw4Xmf7Em9sFqa:s

    • ServHelper

      ServHelper is a backdoor written in Delphi and is attributed to the threat group TA505.

    • Servhelper family

    • Grants admin privileges

      Uses net.exe to change the user's group membership and privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Blocklisted process makes network request

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Server Software Component: Terminal Services DLL

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
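The RDP-related signatures above (modified RDP port, replaced Terminal Services DLL, privilege changes via net.exe) all leave host artifacts that can be checked without the sample. The following PowerShell script is an added example for triaging a suspected host; it is not part of the tria.ge report or of the ServHelper sample. The registry paths are the documented Windows locations; the default values compared against (port 3389, %SystemRoot%\System32\termsrv.dll) and the decision to report every local member of the privileged groups are this example's assumptions and must be reconciled against the host's expected configuration.

```powershell
# Added example (not from the tria.ge report): audit a Windows host for the
# RDP/TermService persistence artifacts flagged in the ServHelper signatures.
# Assumed defaults: RDP port 3389, ServiceDll %SystemRoot%\System32\termsrv.dll.

$findings = @()

# 1. "Modifies RDP port number used by Windows": RDP-Tcp PortNumber (default 3389)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if ($null -ne $port -and $port -ne 3389) {
    $findings += "RDP listener port changed to $port (default 3389)"
}

# 2. "Server Software Component: Terminal Services DLL": ServiceDll of TermService
$termKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$svcDll      = (Get-ItemProperty -Path $termKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
$expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
if ($svcDll) {
    $resolved = [Environment]::ExpandEnvironmentVariables($svcDll)
    if ($resolved -ine $expectedDll) {
        $findings += "TermService ServiceDll points to '$resolved' instead of '$expectedDll'"
    }
    # A dropped or patched termsrv.dll will not carry a valid Microsoft signature
    if (Test-Path -Path $resolved) {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "$resolved signature status: $($sig.Status)"
        }
    }
}

# 3. "Grants admin privileges" via net.exe: list local accounts in privileged groups.
# Every entry is reported; the analyst reconciles them against the expected members.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $members) {
        $findings += "Local user $($m.Name) is a member of $group"
    }
}

# 4. RDP being enabled at all is worth noting on a host that should not accept it
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

if ($findings.Count -eq 0) { 'No RDP/TermService anomalies found' } else { $findings }
```

Run it in an elevated PowerShell session on the host under investigation; a changed port, a ServiceDll outside System32, or an unsigned termsrv.dll are each strong indicators, while the group membership list is context that needs a baseline to interpret.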

MITRE ATT&CK Enterprise v15

Tasks