MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab
SHA3-384 hash:	6685c3a1a5201512fa0aa30d8593f64cec21aba6132458da108bea7b008dfbcb576244b8207f4a7cd79ead71c8f21c6e
SHA1 hash:	b35713b28d994c9c3d8b15231856d7d695d844f9
MD5 hash:	1b41be90a36dcf5128437d5c85a71cfc
humanhash:	jupiter-fillet-edward-friend
File name:	3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab
Download:	download sample
Signature	ServHelper Create hunting rule
File size:	3'248'128 bytes
First seen:	2020-11-13 15:39:10 UTC
Last seen:	2024-07-24 13:15:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cf5ce5368c7692222a8b981a80332f43 (4 x ServHelper)
ssdeep	49152:PRHfAccZm3t87AznPxhoclN8bCv4GjVWgaDSVjV8Ssri6i9V60thW8Y950fda:PRl0m3TPxhFLoJuEgnVjVcO6iD282Ea
Threatray	4 similar samples on MalwareBazaar
TLSH	C8E533303AD1DB7BCB94CF32C8919A2A8875BCF553B5B5D3B7911E8E4E502A094BB350
Reporter	seifreed
Tags:	ServHelper

Intelligence

File Origin

# of uploads :

# of downloads :

1'033

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Glupteba-9778594-1

Win.Dropper.Glupteba-9781402-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Emotet-9790742-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Deleting a recently created file

Using the Windows Management Instrumentation requests

Forced system process termination

Creating a file in the Windows subdirectories

Launching the process to interact with network services

Running batch commands

Enabling autorun for a service

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab/

Threat name:

Win32.Trojan.MintTitirez

Status:

Malicious

First seen:

2020-11-13 15:43:09 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hoz5jui6tzgc6uhcmtr366lg2fjgbtycia6sveuiocojpy2vx2vq._file

Verdict:

unknown

ServHelper

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671

ServHelper

b7571fe26056b7baa31b0935b6be42c8fa1d55a742c26d58b1c2e017394adc14

ServHelper

c75628570312cdb6e8607ad1e46aeb3ae3031d4f450262ccb163245a8c467e3a

ServHelper

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery exploit persistence upx

Link:

https://tria.ge/reports/201113-qc4ajkf7mn/

Behaviour

Modifies registry key

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Drops file in System32 directory

Modifies service

Loads dropped DLL

Modifies file permissions

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Sets DLL path for service in the registry

UPX packed file

Grants admin privileges

Unpacked files

SH256 hash:

3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

MD5 hash:

1b41be90a36dcf5128437d5c85a71cfc

SHA1 hash:

b35713b28d994c9c3d8b15231856d7d695d844f9

Link:

https://www.unpac.me/results/022ae0e3-6f1a-42bd-bf0c-7336eb450dc6/

SH256 hash:

9d999780469f17c767f61155ba7e3ba483b490da6ce5436f78551d9c62d5d51b

MD5 hash:

9cb2344a252e1e4922b194f164475c64

SHA1 hash:

8e15f2d2aa9d8874a867a595ca83d79a25645760

Link:

https://www.unpac.me/results/022ae0e3-6f1a-42bd-bf0c-7336eb450dc6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	susp_winsvc_upx Create hunting rule
Author:	SBousseaden
Description:	broad hunt for any PE exporting ServiceMain API and upx packed

Rule name:	win_servhelper_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample