MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
SHA3-384 hash: ebf5cadb1277b7327a881cceec3feffb9f698ee3abb7ac73f0462d29e119c6374765f1f7a0a31c3c5fab5481cdba2a50
SHA1 hash: 57fa1ba882a2b1941cf27a8fbdceb7b369004cba
MD5 hash: aa60c9b3f5a92c74504875fbcf1bd773
humanhash: ten-avocado-five-rugby
File name:aa60c9b3f5a92c74504875fbcf1bd773
Download: download sample
Signature ServHelper
Create hunting rule
File size:6'203'392 bytes
First seen:2021-08-25 09:08:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:AwptF+Srb/TkvO90dL3BmAFd4A64nsfJ9KB5ehpylOePliwQkCkGDIyKSh2KHl5+:AwNxKUmAQQQQQQQQQQQQQ
Threatray 143 similar samples on MalwareBazaar
TLSH T16E56F117BC9464B9C9E9C232897592A23731B489073977C32F55A6BE2F777C40E393A0
Reporter zbetcheckin
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa60c9b3f5a92c74504875fbcf1bd773
Verdict:
No threats detected
Analysis date:
2021-08-25 09:11:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0592024a-2afa-4056-ad32-c662890d4352

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182235/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Running batch commands
Launching a service
Loading a system driver
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun for a service
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f78a796-eb4b-4e58-88b3-58e4d4eef9d2
Result
Threat name:
SERVHELPER
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838897
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471324 Sample: 5umOzwSpQa Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 71 Antivirus detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Contains functionality to start a terminal service 2->75 77 5 other signatures 2->77 10 5umOzwSpQa.exe 4 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 rdpdr.sys 2->17         started        process3 signatures4 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->87 89 Bypasses PowerShell execution policy 10->89 91 Queries memory information (via WMI often done to detect virtual machines) 10->91 19 powershell.exe 47 10->19         started        23 net.exe 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 net.exe 15->29         started        process5 file6 63 C:\Windows\Branding\mediasvc.png, PE32+ 19->63 dropped 65 C:\Windows\Branding\mediasrv.png, PE32+ 19->65 dropped 67 C:\Users\user\AppData\...\0444h4c1.cmdline, UTF-8 19->67 dropped 79 Uses cmd line tools excessively to alter registry or file data 19->79 81 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 19->81 83 Adds a new user with administrator rights 19->83 85 Powershell drops PE file 19->85 31 powershell.exe 19->31         started        34 reg.exe 19->34         started        36 cmd.exe 19->36         started        40 8 other processes 19->40 38 net1.exe 23->38         started        signatures7 process8 file9 93 Detected SERVHELPER 31->93 43 conhost.exe 31->43         started        95 Creates a Windows Service pointing to an executable in C:\Windows 34->95 45 cmd.exe 36->45         started        69 C:\Users\user\AppData\Local\...\0444h4c1.dll, PE32 40->69 dropped 47 cmd.exe 40->47         started        49 cvtres.exe 40->49         started        51 conhost.exe 40->51         started        53 2 other processes 40->53 signatures10 process11 process12 55 net.exe 45->55         started        57 net.exe 47->57         started        process13 59 net1.exe 55->59         started        61 net1.exe 57->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 02:08:17 UTC
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
ServHelper
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
ServHelper
5c7e8b5ecf30c04a3a6e3726328c37eccfc8f0656797894d71e2ac7c27c20c9d
ServHelper
80271a13696df77f092c3b6abce154f98e83f5840c64b610af7ae83cfe711482
ServHelper
857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
ServHelper
b591e73c3ebfe7ba44eb161c3cc1ee7b9a794d4e9b9b9aa4e3936f518e814ceb
ServHelper
f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa
ServHelper
fe40b63a00a7d737baa87f493751a1b92ac782baaef2304b0ae65c5a1cbec58d
ServHelper
+ 133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210825-7bjvtbg6hj/
Unpacked files
SH256 hash:
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
MD5 hash:
aa60c9b3f5a92c74504875fbcf1bd773
SHA1 hash:
57fa1ba882a2b1941cf27a8fbdceb7b369004cba
Link:
https://www.unpac.me/results/396750c5-8e68-46cd-9949-0e26f07fcf59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe 255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182235/
  
URLhaus
https://urlhaus.abuse.ch/url/1562943/

Comments


Avatar
zbet commented on 2021-08-25 09:08:39 UTC

url : hxxp://223.252.173.93/wedfg754/d3455dxtewsws/8h69896538853d.exe