MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133
SHA3-384 hash: 89bfbb320ae913c79d71cf0d5327dd4a9fe7463a7259c363225504fe054fc3c7fa904639fcb72d353d5173455fbea18e
SHA1 hash: 4b3ebbfe1cd16ec0a1f0a988d602fedb765307a6
MD5 hash: a33846e1244be6df8f052903ec1a2918
humanhash: ohio-indigo-friend-asparagus
File name:a33846e1244be6df8f052903ec1a2918.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:6'321'152 bytes
First seen:2021-05-26 06:01:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4035d2883e01d64f3e7a9dccb1d63af5 (47 x ServHelper, 30 x Vidar, 20 x LummaStealer)
ssdeep 49152:6f9apuyesHyb5CVCSSm/dOAGEtNRwqLzuZYvI7AD/9tt/eWg7ZaOd2RNOtOZKMYj:68puyFyc
Threatray 107 similar samples on MalwareBazaar
TLSH C356E012BCE218FAC57AE170885697A27A713CA483317BE72E94756D1E74FD42E3E310
Reporter abuse_ch
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'466
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a33846e1244be6df8f052903ec1a2918.exe
Verdict:
No threats detected
Analysis date:
2021-05-26 06:15:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/85258fe9-b666-4ac1-8f98-0f8e8a3e1d4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162219/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Win.Malware.Bulz-9850387-0
Create hunting rule

Win.Malware.Bulz-9851690-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Forced system process termination
Sending a UDP request
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Running batch commands
Launching a service
Loading a system driver
Creating a process with a hidden window
Creating a file
Deleting a recently created file
DNS request
Sending a custom TCP request
Enabling autorun for a service
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792255
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Hurricane Panda Activity
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Powershell dedcode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 424654 Sample: 8Dr4EJ44ys.exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 60 Antivirus detection for URL or domain 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 6 other signatures 2->66 10 8Dr4EJ44ys.exe 4 2->10         started        13 rdpdr.sys 2->13         started        process3 signatures4 70 Bypasses PowerShell execution policy 10->70 15 powershell.exe 40 10->15         started        process5 file6 48 C:\Windows\Branding\mediasvc.png, PE32+ 15->48 dropped 50 C:\Windows\Branding\mediasrv.png, PE32+ 15->50 dropped 52 Uses cmd line tools excessively to alter registry or file data 15->52 54 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 15->54 56 Adds a new user with administrator rights 15->56 58 Powershell drops PE file 15->58 19 reg.exe 15->19         started        22 cmd.exe 15->22         started        24 cmd.exe 15->24         started        26 7 other processes 15->26 signatures7 process8 signatures9 68 Creates a Windows Service pointing to an executable in C:\Windows 19->68 28 cmd.exe 22->28         started        30 cmd.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 net1.exe 26->38         started        process10 process11 40 net.exe 28->40         started        42 net.exe 30->42         started        process12 44 net1.exe 40->44         started        46 net1.exe 42->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-23 16:18:45 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3fcn7h2xoysy2rx5nuj3yrc45ntcv2n2jph7u6ywrdnoageaezq._file
Verdict:
malicious
Similar samples:
4411d8a69230284cb6238a2e8cf29878afbbef90935bb94d1a6f8d59af30c6cc
ServHelper
5090fa74f83368086c1d197dcd28e51f8b36cd5d2c18e9a964d925a445ea0066
ServHelper
6890d24b841f053f3fa975836a3f37e25370942c935acc3ffa9965ae55137e25
ServHelper
71599788e1da3359b99ada8c3b84b96a9741c1f68550c09b0345d979cdc4b8a6
ServHelper
78f5967d8bd5d31343632e8558b9315d9d44d009c923b9c41d417943906f2849
ServHelper
8962a3b3d7ed877d9642f72ad224101c528f965de1facb3ee87276cb144dfaf6
ServHelper
a27fa7724da938df040a3e535f2be9cec4d6d93bd4f2e5ec2ba79560f84cb69c
ServHelper
a5ce80281a88db0129bcdadd338ccf21d07b4b960ea92dc3b1861b7276d354ec
ServHelper
a6e43031567484437341b50ea0c165ad416ffa629e2951a0e82844dcfb27e408
ServHelper
c302411319308e836e2eac6893ba39b513226d19d874ce9ff7fbbbd07316aba3
ServHelper
+ 97 additional samples on MalwareBazaar
Result
Malware family:
servhelper
Create hunting rule
Score:
  10/10
Tags:
family:servhelper backdoor discovery exploit persistence trojan upx
Link:
https://tria.ge/reports/210526-kepe6jp4qs/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe 6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1284033/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/162219/

Comments