MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591
SHA3-384 hash: 63d6b097a2525c2891dde48939b6e5642664d98bbac51adfc14afa961e544484bb239480ade9752253903b06d4b021e9
SHA1 hash: b609bb2d72faa50375e5f0264f5be90156518d05
MD5 hash: b03d46139ca23de8da2d233986f00388
humanhash: mirror-arkansas-red-montana
File name:b03d46139ca23de8da2d233986f00388
Download: download sample
Signature ServHelper
Create hunting rule
File size:4'779'016 bytes
First seen:2021-06-24 00:50:50 UTC
Last seen:2021-07-12 08:07:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4035d2883e01d64f3e7a9dccb1d63af5 (47 x ServHelper, 29 x Vidar, 20 x LummaStealer)
ssdeep 49152:D8eO7hBFI25L5STjaclnb0s2kWUurtF69axyTCEjA2D25I4lmLm5mHrvm+z0k8iM:D8fBFI2sK
Threatray 153 similar samples on MalwareBazaar
TLSH F926D002BCE204FAC67AE138859293617A727C6643327BD72E94B5A91E75FD02F3D314
Reporter zbetcheckin
Tags:exe OOO Diamartis ServHelper

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'367
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b03d46139ca23de8da2d233986f00388
Verdict:
No threats detected
Analysis date:
2021-06-24 00:54:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5e27de5-0f11-40f2-8bdf-b12fcf4faab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
go-clr
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b014f99-077b-4554-987f-6057cfc9c0cc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
93 / 100
Link:
https://www.joesandbox.com/analysis/807020
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439426 Sample: 4tvOtltfFn Startdate: 24/06/2021 Architecture: WINDOWS Score: 93 94 Antivirus detection for URL or domain 2->94 96 Antivirus detection for dropped file 2->96 98 Multi AV Scanner detection for dropped file 2->98 100 6 other signatures 2->100 10 4tvOtltfFn.exe 4 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 5 other processes 2->17 process3 signatures4 114 Bypasses PowerShell execution policy 10->114 19 powershell.exe 67 10->19         started        116 Adds a new user with administrator rights 13->116 24 net.exe 13->24         started        26 conhost.exe 13->26         started        28 net.exe 15->28         started        30 conhost.exe 15->30         started        32 net.exe 17->32         started        34 net.exe 17->34         started        36 conhost.exe 17->36         started        38 3 other processes 17->38 process5 dnsIp6 92 45.61.136.223, 49772, 80 AS40676US United States 19->92 84 C:\Windows\Branding\mediasvc.png, PE32+ 19->84 dropped 86 C:\Windows\Branding\mediasrv.png, PE32+ 19->86 dropped 88 C:\Users\user\AppData\...\ci3gjsmw.cmdline, UTF-8 19->88 dropped 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->102 104 Uses cmd line tools excessively to alter registry or file data 19->104 106 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 19->106 108 2 other signatures 19->108 40 cmd.exe 19->40         started        43 reg.exe 19->43         started        45 powershell.exe 19->45         started        55 8 other processes 19->55 47 net1.exe 24->47         started        49 net1.exe 28->49         started        51 net1.exe 32->51         started        53 net1.exe 34->53         started        file7 signatures8 process9 file10 110 Adds a new user with administrator rights 40->110 58 cmd.exe 40->58         started        112 Creates a Windows Service pointing to an executable in C:\Windows 43->112 60 conhost.exe 45->60         started        90 C:\Users\user\AppData\Local\...\ci3gjsmw.dll, PE32 55->90 dropped 62 cmd.exe 55->62         started        64 cvtres.exe 55->64         started        66 conhost.exe 55->66         started        68 2 other processes 55->68 signatures11 process12 process13 70 net.exe 58->70         started        72 net.exe 60->72         started        74 conhost.exe 60->74         started        76 net.exe 62->76         started        process14 78 net1.exe 70->78         started        80 net1.exe 72->80         started        82 net1.exe 76->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591/
Threat name:
ByteCode-MSIL.Trojan.WinGoGoCLR
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 19:35:02 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxdsdrvwgplygvrpoplcsjt5u6qwu55u3lu2wkackdarnpp6ywiq._file
Verdict:
malicious
Similar samples:
143cf1724057f9b6a6630656e8735857d6146ff6dd0c2afc736545b46194437c
ServHelper
15e71d5e4b29bbf6f1e97bb6ff2cfdb199fb040746d57443163a5c8fecd745aa
ServHelper
2c5105d428486ab9bd43df850f2b74e9250769976662bc9937128ce0ff6257b0
ServHelper
385b465f4265a093e38d831e885221c99ca8a1313d3ca30c4d32f6379d7b5428
ServHelper
4d7bb45f219aaebc5c2745b60879b954a56b58a3f16c5e5c3252143c9b7a3a47
ServHelper
7672dfbaa089b5f55f22e1bf1f9f985e65cc9166455c83637d3219c2c9eb4dff
ServHelper
9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
ServHelper
c8259fbe6995239c22a918f08e6cde30c181a725e9a1c379adbef5ecfbd35d63
ServHelper
d8d3c3800a157b2b6efa4fd9f0e07901a404f8d19d3e7163f4ae31776ff7a3a2
ServHelper
eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad
ServHelper
+ 143 additional samples on MalwareBazaar
Result
Malware family:
servhelper
Create hunting rule
Score:
  10/10
Tags:
family:servhelper backdoor discovery exploit persistence trojan upx
Link:
https://tria.ge/reports/210624-pjnad62cna/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591
MD5 hash:
b03d46139ca23de8da2d233986f00388
SHA1 hash:
b609bb2d72faa50375e5f0264f5be90156518d05
Link:
https://www.unpac.me/results/7dce4fef-4fea-4bee-912c-bf2e8c47c773/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:susp_winsvc_upx
Create hunting rule
Author:SBousseaden
Description:broad hunt for any PE exporting ServiceMain API and upx packed
Rule name:win_servhelper_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe 7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393095/

Comments