MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 9

SHA256 hash: ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
SHA3-384 hash: c1411dea1172feb1fc262350dab91e20604e3f89283ea11152a321e6627615f032665435fbd950d96dbd8fec9d3b43ac
SHA1 hash: 3d48649f085710bc3a086e53e2e9fb9b435e34cc
MD5 hash: c8284ad28e4f8bd853604543884a9438
humanhash: island-five-tennessee-jig
File name: c8284ad28e4f8bd853604543884a9438.exe
Signature: ServHelper
File size: 7'435'556 bytes
First seen: 2021-07-19 06:27:58 UTC
Last seen: 2021-07-19 07:41:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a011f8d93026fd9f5e9442faeeff606d (8 x RedLineStealer, 2 x ModiLoader, 1 x ServHelper)
ssdeep: 98304:xxz/xkgybMmnx/ixxdp4cDicJqs6ale2d9yp6jkLZe6POma31Q63pYdLNTiSScDh:xxBe/VKicBeZKK433yLNT5VvtDG6Ff
Threatray: 338 similar samples on MalwareBazaar
TLSH: T1FE7633517A406D23C458F7328AD6E97C17BEAFDB680B594EF398EE0D91202A5131F3C6
Reporter: abuse_ch
Tags: exe ServHelper

Intelligence

File Origin
# of uploads: 2
# of downloads: 1'347
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c8284ad28e4f8bd853604543884a9438.exe
Verdict: Suspicious activity
Analysis date: 2021-07-19 06:29:25 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SERVHELPER
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to register a low level keyboard hook
Contains functionality to start a terminal service
Detected SERVHELPER
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Suspicious Script Execution From Temp Folder
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Costura Assembly Loader
Yara detected Powershell dedcode and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 450486; Sample: Zk34itvXv2.exe; Start date: 19/07/2021; Architecture: WINDOWS; Score: 100
Sample-level observations: DNS potuybze.xyz, raw.githubusercontent.com; signatures: Multi AV Scanner detection for submitted file; Yara detected Powershell dedcode and execute; Contains functionality to start a terminal service; 3 other signatures
Process tree recovered from the graph (indentation shows parent/child; signatures and network/file artifacts are listed under the process they belong to):
Zk34itvXv2.exe
    signatures: Contains functionality to register a low level keyboard hook
    cmd.exe
        signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        cmd.exe
            signatures: Obfuscated command line found; Uses ping.exe to sleep
            Pel.exe.com
                signatures: Bypasses PowerShell execution policy
                Pel.exe.com
                    DNS: wVoLLIgGqdFuOCdSam.wVoLLIgGqdFuOCdSam
                    signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
                    Pel.exe.com
                        powershell.exe
                            signatures: Detected SERVHELPER
                            conhost.exe
            PING.EXE
                network: 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
            findstr.exe
                dropped file: C:\Users\user\AppData\Local\...\Pel.exe.com, Targa
        conhost.exe
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-07-15 01:03:38 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5

Result
Malware family: servhelper
Score: 10/10
Tags: family:servhelper backdoor discovery exploit persistence trojan upx
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
Malware Config
Dropper Extraction: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Unpacked files
SHA256 hash: ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
MD5 hash: c8284ad28e4f8bd853604543884a9438
SHA1 hash: 3d48649f085710bc3a086e53e2e9fb9b435e34cc

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments