MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c
SHA3-384 hash: 236b453ed345d50e1b950ae595a965f3a2a4ab1c40aa0df2dd3a08ab474c9f080ce8b5e153f8989eab14b7bc9ef994dc
SHA1 hash: 82defd568a645681adbff05fea64cf4a0a5659e0
MD5 hash: 4c9bb1adf101943c077c224a224ed490
humanhash: stream-december-pip-sodium
File name:SecuriteInfo.com.WinGo.GoCLR.A.24820.17540
Download: download sample
Signature ServHelper
Create hunting rule
File size:4'917'248 bytes
First seen:2021-05-26 23:38:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (224 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:xmIzxLU6ER4UQ7pekquI94vc1VSYtVQi+r848:xmaLU6Ei5pNI94vcLftVQiQe
TLSH D83633BD795270E9C3051AF18E4D1F59A249943DDC4B2D8FDA24B64C7E0AB36BC3C286
Reporter SecuriteInfoCom
Tags:ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'498
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.WinGo.GoCLR.A.24820.17540
Verdict:
No threats detected
Analysis date:
2021-05-26 23:44:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b314999-21f3-4036-b4d5-fa5441e54f68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162604/
Detection(s):
SecuriteInfo.com.WinGo.GoCLR.A.24820.17540.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Running batch commands
Launching a service
Loading a system driver
Creating a process with a hidden window
Creating a file
Enabling autorun for a service
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792976
Signature
Adds a new user with administrator rights
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425372 Sample: SecuriteInfo.com.WinGo.GoCL... Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 4 other signatures 2->67 10 SecuriteInfo.com.WinGo.GoCLR.A.24820.exe 4 2->10         started        13 cmd.exe 2->13         started        15 rdpdr.sys 2->15         started        process3 signatures4 77 Bypasses PowerShell execution policy 10->77 17 powershell.exe 54 10->17         started        22 conhost.exe 13->22         started        24 net.exe 13->24         started        process5 dnsIp6 59 45.61.136.223, 49806, 80 AS40676US United States 17->59 55 C:\Windows\Branding\mediasvc.png, PE32+ 17->55 dropped 57 C:\Windows\Branding\mediasrv.png, PE32+ 17->57 dropped 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->69 71 Uses cmd line tools excessively to alter registry or file data 17->71 73 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 17->73 75 2 other signatures 17->75 26 reg.exe 17->26         started        29 cmd.exe 17->29         started        31 cmd.exe 17->31         started        33 7 other processes 17->33 file7 signatures8 process9 signatures10 79 Creates a Windows Service pointing to an executable in C:\Windows 26->79 35 cmd.exe 29->35         started        37 cmd.exe 31->37         started        39 conhost.exe 33->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 net1.exe 33->45         started        process11 process12 47 net.exe 35->47         started        49 net.exe 37->49         started        process13 51 net1.exe 47->51         started        53 net1.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-26 23:23:02 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isavuqxlgml4pzlh7drahcf5tyum64ijn5c7j3tastzgrcg47mga._file
Result
Malware family:
servhelper
Create hunting rule
Score:
  10/10
Tags:
family:servhelper backdoor discovery exploit persistence trojan upx
Link:
https://tria.ge/reports/210526-bacvn24t16/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe 44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1288381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/162604/

Comments