MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 5

SHA256 hash: 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
SHA3-384 hash: 9bca3b8288ee6fe8e72c5150c23b26c404f1157986a9e5b062b710347063f0dc2c4fe7454de8f2ed559408634f0caf4f
SHA1 hash: 982bae56ad251639d34412d40bd7c0f2c2f4ff7a
MD5 hash: aa6bf98c9120b0539c0270a3e453ddf6
humanhash: johnny-bacon-uranus-snake
File name: otiiahj64_mediasvc.png
Signature: ServHelper
File size: 761'344 bytes
First seen: 2021-03-18 02:19:23 UTC
Last seen: 2021-03-18 02:20:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb7697ac38be5e4fdd7bfeafa886a0ad (6 x ServHelper)
ssdeep: 12288:v6V/j5YFjRUR7xcWV1q8tp2iQUZy4KiHW2Z1P6JPp7STC6A4e5HTo0u0Ds7Ips/U:8lY1RaxVdtVhuAEt5HThuvcfJ
Threatray: 34 similar samples on MalwareBazaar
TLSH: DAF4234013C9C3E3F479A572AA101F6415677289C7EB8F07977E68BA2A310DD2D9E0D7
Reporter: demonsec666
Tags: ServHelper

Intelligence


File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: otiiahj64_mediasvc.png
Verdict: No threats detected
Analysis date: 2021-03-18 02:29:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Adds a new user with administrator rights
Hides user accounts
Modifies security policies related information
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 370720; Sample: otiiahj64_mediasvc.png; Startdate: 18/03/2021; Architecture: WINDOWS; Score: 76. Network nodes recoverable from the graph: jfuag3.cn (5.181.156.3, port 443, local ports 49726 and 49728, MIVOCLOUDMD, Moldova Republic of), raw.githubusercontent.com, and 192.168.2.1 (unknown). Process nodes: loaddll64.exe starts rundll32.exe (two instances), cmd.exe and 8 other processes; rundll32.exe starts cmd.exe and WerFault.exe; the cmd.exe instances start net.exe and conhost.exe, and net.exe starts net1.exe. Signatures attached to graph nodes: Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; Hides user accounts; Modifies security policies related information; System process connects to network (likely due to code injection or exploit); Adds a new user with administrator rights.]
Threat name: Win64.Backdoor.ServHelper
Status: Malicious
First seen: 2021-02-03 17:19:00 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
MD5 hash: aa6bf98c9120b0539c0270a3e453ddf6
SHA1 hash: 982bae56ad251639d34412d40bd7c0f2c2f4ff7a

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
