MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1
SHA3-384 hash: 97ef4f4a27d9c2bfc777d14f5462e15a716bfd7ccff8580b61e68a34207314b8fd23abc667305b42d9198023361c8701
SHA1 hash: 1eefef95c6ff783712f2d1da26e9cfc7e618c3f7
MD5 hash: e7f692b7d820271b640cf6a2520b7409
humanhash: undress-cold-timing-kitten
File name:rt5.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:4'805'632 bytes
First seen:2021-12-17 21:15:09 UTC
Last seen:2021-12-17 23:07:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:SmEjyuufFMLO0xrb/TevO90dL3BmAFd4A64nsfJPWBdCuL/kLymdaxBJIDJeLVj0:TEtO0vYAk
Threatray 191 similar samples on MalwareBazaar
TLSH T1CB26D083FC9460B8D9A6D231C9B592913731B8590B32E7C72F5096BB2EB77D01E743A4
Reporter benkow_
Tags:exe ServHelper


Avatar
benkow_
via https://urlhaus.abuse.ch/url/1894304/

Intelligence

File Origin
# of uploads :
2
# of downloads :
990
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214894/
Detection(s):
SecuriteInfo.com.Trojan.Packed.18626.29934.29434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
DNS request
Launching a process
Creating a file
Creating a process with a hidden window
Forced system process termination
Launching the process to interact with network services
Running batch commands
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2414/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobalt gravity
Link:
https://www.filescan.io/uploads/61bcfe186daa353fa3b85624/reports/d7ecf81d-a8dd-4c15-b2a8-3245331f55f2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92b8fcdb-e170-4670-bc5b-83dcf915fb57
Result
Threat name:
SERVHELPER
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909350
Signature
.NET source code references suspicious native API functions
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 541828 Sample: rt5.exe Startdate: 17/12/2021 Architecture: WINDOWS Score: 100 88 kasisausnasaysar.xyz 2->88 90 zd.map.fastly.net 2->90 92 8 other IPs or domains 2->92 94 Antivirus detection for dropped file 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 4 other signatures 2->100 11 rt5.exe 4 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->114 116 Bypasses PowerShell execution policy 11->116 118 Queries memory information (via WMI often done to detect virtual machines) 11->118 20 powershell.exe 54 11->20         started        120 Adds a new user with administrator rights 14->120 24 net.exe 14->24         started        26 conhost.exe 14->26         started        28 net.exe 16->28         started        30 conhost.exe 16->30         started        32 net.exe 18->32         started        34 net.exe 18->34         started        36 net.exe 18->36         started        38 3 other processes 18->38 process6 file7 80 C:\Windows\Branding\mediasvc.png, PE32+ 20->80 dropped 82 C:\Windows\Branding\mediasrv.png, PE32+ 20->82 dropped 102 Detected SERVHELPER 20->102 104 Uses cmd line tools excessively to alter registry or file data 20->104 106 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 20->106 108 2 other signatures 20->108 40 cmd.exe 20->40         started        43 reg.exe 20->43         started        45 cmd.exe 20->45         started        57 9 other processes 20->57 47 net1.exe 24->47         started        49 net1.exe 28->49         started        51 net1.exe 32->51         started        53 net1.exe 34->53         started        55 net1.exe 36->55         started        signatures8 process9 file10 110 Adds a new user with administrator rights 40->110 60 cmd.exe 40->60         started        112 Creates a Windows Service pointing to an executable in C:\Windows 43->112 62 cmd.exe 45->62         started        84 C:\Users\user\AppData\Local\...\sinrhb05.dll, PE32 57->84 dropped 86 C:\Users\user\AppData\Local\...\cpwq32dv.dll, PE32 57->86 dropped 64 cvtres.exe 57->64         started        66 cvtres.exe 57->66         started        68 conhost.exe 57->68         started        70 3 other processes 57->70 signatures11 process12 process13 72 net.exe 60->72         started        74 net.exe 62->74         started        process14 76 net1.exe 72->76         started        78 net1.exe 74->78         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-13 23:48:03 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oi76a5suz67rtrgl463dmf7tuwvpgbwbdyesqqjzpk5o76amkdaq._file
Verdict:
malicious
Similar samples:
266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
ServHelper
6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb
ServHelper
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
ServHelper
7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591
ServHelper
857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
ServHelper
870c7c8a33ecded1784c2dab4d8027d3552f670d4138c049ad5b5ce7686b233d
ServHelper
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
ServHelper
8962a3b3d7ed877d9642f72ad224101c528f965de1facb3ee87276cb144dfaf6
ServHelper
da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
ServHelper
+ 181 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata upx
Link:
https://tria.ge/reports/211217-z4gnwsfabq/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
suricata: ET MALWARE ServHelper CnC Inital Checkin
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1
MD5 hash:
e7f692b7d820271b640cf6a2520b7409
SHA1 hash:
1eefef95c6ff783712f2d1da26e9cfc7e618c3f7
Link:
https://www.unpac.me/results/8b49ef62-535e-41a2-9aa8-e1a5f469b403/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/723fe07654cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe 723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1894304/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214894/

Comments