MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
SHA3-384 hash:	b2432549cbec488ab1d633b1ba006a4bcc381d73ccfe114b0b2a19831b1b9c3922d45eec0e583ded8146113e948069bd
SHA1 hash:	532a7870f610b86ef3c1eb3f10b60a9da6152bcb
MD5 hash:	af944f00c218cc525ef7e56f5d634cdf
humanhash:	east-five-white-triple
File name:	1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
Download:	download sample
Signature	ServHelper Create hunting rule
File size:	3'558'912 bytes
First seen:	2020-11-07 17:03:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76a1972a031896a17e29d4c55d0b230 (8 x ServHelper, 5 x Tofsee, 3 x CoinMiner)
ssdeep	98304:1InKRYPy3pi9W5sXgwpbiluMEeIuQl4v:1InKRYKZi9WqXXbiJtil4
Threatray	8 similar samples on MalwareBazaar
TLSH	66F533E0BA83E7B2E9134435466DC465247C4D0A2778D58BA7853A4F3E247F3C193BAE
Reporter	seifreed
Tags:	ServHelper

Intelligence

File Origin

# of uploads :

# of downloads :

935

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Glupteba-9781402-0

Win.Packed.Generickdz-9784859-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Generickdz-9785522-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Deleting a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the Windows subdirectories

Launching the process to interact with network services

Running batch commands

Launching a service

Loading a system driver

Enabling autorun for a service

Downloading the file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2/

Threat name:

Win32.Trojan.MintDreidel

Status:

Malicious

First seen:

2020-11-07 17:06:53 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dle5iksznrkxk62pg7tcsgehcsnga4f75w2oe6ugz46p6tlw6kra._file

Verdict:

malicious

ServHelper

0f12408c06ccf60608a60572d521bbc8012e6ce7e0d701781a0a33e0e1fd1519

ServHelper

32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887

ServHelper

4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305

ServHelper

bfd12725c557e1a9992dccff4257290adec43be6315f68471af0d26c9fa662ad

ServHelper

c2d9409c2209201334bd83a2e1257be8adc7506019a721abe359249dbd74eced

ServHelper

f923c5ce0a44f73f86dbb04d02905e0e0068d675f6095680b41d904380800e17

ServHelper

fc1b36e39f87cff2c9076a7e8316af297255a92824338b19b69022b47a47daa6

ServHelper

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery exploit persistence upx

Link:

https://tria.ge/reports/201108-lkl19j57c6/

Behaviour

Modifies data under HKEY_USERS

Modifies registry key

Runs net.exe

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Drops file in Program Files directory

Drops file in System32 directory

Modifies service

Deletes itself

Loads dropped DLL

Modifies file permissions

Blacklisted process makes network request

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Sets DLL path for service in the registry

UPX packed file

Grants admin privileges

Malware Config

Dropper Extraction:

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Unpacked files

SH256 hash:

1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2

MD5 hash:

af944f00c218cc525ef7e56f5d634cdf

SHA1 hash:

532a7870f610b86ef3c1eb3f10b60a9da6152bcb

Link:

https://www.unpac.me/results/7eb6d845-8cd5-468b-9add-f5aa5fae0b20/

SH256 hash:

1de8d3513f98ea96709a81fb21e39e45e716f5193ef6e3f2885f9d89ad9c6e00

MD5 hash:

b7a57cd8c9e571c72721bc60a49ae9d0

SHA1 hash:

6a00d0430f9d614836c51a633d255ba1dd83a4bb

Link:

https://www.unpac.me/results/7eb6d845-8cd5-468b-9add-f5aa5fae0b20/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Embedded_PE Create hunting rule

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	susp_winsvc_upx Create hunting rule
Author:	SBousseaden
Description:	broad hunt for any PE exporting ServiceMain API and upx packed

Rule name:	win_servhelper_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample