MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b2c17c6e0deefb9a66c9e165f247e1677f2ee2454735717a3c3de6b51d5a28a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 4

SHA256 hash: 1b2c17c6e0deefb9a66c9e165f247e1677f2ee2454735717a3c3de6b51d5a28a
SHA3-384 hash: e7ef7b058065fb72e433e1f6ef50a2fd3950bf9d8c225d913b4ea2b9b86df6f8ac549800e75aa553e2edaee9e4709ef6
SHA1 hash: 825629e8f68dd8df6b8a763d70d4465fd3b25e8f
MD5 hash: 6103f1f51ffda5af29cbd0883351a3d9
humanhash: missouri-fruit-cola-lima
File name: 6103f1f51ffda5af29cbd0883351a3d9.exe
Signature: ServHelper
File size: 4'513'792 bytes
First seen: 2021-07-28 18:28:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 98304:okcp0YTxJhxWMD5KjPtHXUCcpOZe20p1EujUB:mSWXxXlKjPtRcpOv0pJjY
Threatray: 58 similar samples on MalwareBazaar
TLSH: T17B26330D769439DEC866C6B2CF541D78C360787BA35B9213A0172ADCD90DAC7CB496B3
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter: abuse_ch
Tags: exe ServHelper

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'299
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6103f1f51ffda5af29cbd0883351a3d9.exe
Verdict: No threats detected
Analysis date: 2021-07-28 18:56:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than only the uploaded sample.

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.

Result
Threat name: SERVHELPER
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a new user with administrator rights
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (ID 455726; sample PW5CXpRhDo.exe; start date 28/07/2021; architecture WINDOWS; score 100) is rendered as an image on the original page. Node labels recoverable from it:
Process tree: PW5CXpRhDo.exe starts vbc.exe, which starts powershell.exe; powershell.exe starts reg.exe, cmd.exe (which chains into further cmd.exe, net.exe and net1.exe instances), cvtres.exe, conhost.exe and other processes. Top-level cmd.exe instances also run net.exe and net1.exe alongside conhost.exe.
Dropped files: C:\Users\user\AppData\...\PW5CXpRhDo.exe.log (ASCII); C:\Windows\Branding\mediasvc.png (PE32+); C:\Windows\Branding\mediasrv.png (PE32+); C:\Users\user\AppData\...\4ec4noef.cmdline (UTF-8); C:\Users\user\AppData\Local\...\4ec4noef.dll (PE32).
Signatures attached to nodes: writes to foreign memory regions, allocates memory in foreign processes, thread injection and PE injection into a foreign process (PW5CXpRhDo.exe); bypasses PowerShell execution policy and queries memory information via WMI (vbc.exe); Detected SERVHELPER, uses cmd line tools excessively to alter registry or file data, queries sensitive service information via WMI/WIN32_SERVICE (powershell.exe); creates a Windows Service pointing to an executable in C:\Windows (reg.exe).
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2021-07-28 15:05:46 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Core1 .NET packer
Unpacked files
SHA256 hash: 1b2c17c6e0deefb9a66c9e165f247e1677f2ee2454735717a3c3de6b51d5a28a
MD5 hash: 6103f1f51ffda5af29cbd0883351a3d9
SHA1 hash: 825629e8f68dd8df6b8a763d70d4465fd3b25e8f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
ServHelper
Executable exe 1b2c17c6e0deefb9a66c9e165f247e1677f2ee2454735717a3c3de6b51d5a28a (this sample)

Delivery method: Distributed via web download

Comments