MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
SHA3-384 hash: b817f9502fa36e316d710f22e8fbc1809913faba5a53d8b1f931700eb755d20195a3c61664b69c60b2911c2aa334b249
SHA1 hash: 8592c6e78aa592d9f135dbe9d97cf2f524dbeaed
MD5 hash: 5367615a3d3f95eeab592a53716ed3bb
humanhash: west-sixteen-bravo-fillet
File name:5367615a3d3f95eeab592a53716ed3bb.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:6'024'192 bytes
First seen:2021-09-24 18:53:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:I2C+Ywrb/T/vO90dL3BmAFd4A64nsfJduxuq5aWcCZBl1mNzAOlLJet7i1K2HzZX:I2i1kujmAQQQQQQQQQQQQQ
Threatray 198 similar samples on MalwareBazaar
TLSH T1FC56F103BCA164B8C9E9C23289B592913771B899473577C32F51A6FA2F777C01E39368
Reporter abuse_ch
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5367615a3d3f95eeab592a53716ed3bb.exe
Verdict:
No threats detected
Analysis date:
2021-09-24 18:55:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/604b5df1-0934-4472-b4fa-d75b7b54c09f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191262/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e263368-2e4c-48c8-bcef-ec7e8982f860
Result
Threat name:
SERVHELPER
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857568
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490004 Sample: s6NlcWOh8S.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 86 saudjyyvv663.xyz 2->86 88 saudhd7da7cjcu3.xyz 2->88 90 10 other IPs or domains 2->90 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Contains functionality to start a terminal service 2->96 98 6 other signatures 2->98 11 s6NlcWOh8S.exe 4 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->112 114 Bypasses PowerShell execution policy 11->114 116 Queries memory information (via WMI often done to detect virtual machines) 11->116 20 powershell.exe 51 11->20         started        24 net.exe 14->24         started        26 conhost.exe 14->26         started        28 net.exe 16->28         started        30 conhost.exe 16->30         started        32 net.exe 18->32         started        34 net.exe 18->34         started        36 conhost.exe 18->36         started        38 2 other processes 18->38 process6 file7 78 C:\Windows\Branding\mediasvc.png, PE32+ 20->78 dropped 80 C:\Windows\Branding\mediasrv.png, PE32+ 20->80 dropped 82 C:\Users\user\AppData\...\dyb5rixu.cmdline, UTF-8 20->82 dropped 100 Uses cmd line tools excessively to alter registry or file data 20->100 102 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 20->102 104 Adds a new user with administrator rights 20->104 106 Powershell drops PE file 20->106 40 powershell.exe 20->40         started        43 reg.exe 20->43         started        45 cmd.exe 20->45         started        55 8 other processes 20->55 47 net1.exe 24->47         started        49 net1.exe 28->49         started        51 net1.exe 32->51         started        53 net1.exe 34->53         started        signatures8 process9 file10 108 Detected SERVHELPER 40->108 58 conhost.exe 40->58         started        110 Creates a Windows Service pointing to an executable in C:\Windows 43->110 60 cmd.exe 45->60         started        84 C:\Users\user\AppData\Local\...\dyb5rixu.dll, PE32 55->84 dropped 62 cmd.exe 55->62         started        64 cvtres.exe 55->64         started        66 conhost.exe 55->66         started        68 2 other processes 55->68 signatures11 process12 process13 70 net.exe 60->70         started        72 net.exe 62->72         started        process14 74 net1.exe 70->74         started        76 net1.exe 72->76         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0/
Threat name:
Win64.Trojan.WinGoGoCLR
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 18:54:18 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v57c5s4oqswwdqtwgr7a45toegqeh4qrtwwldgxfhc656xieklya._file
Verdict:
suspicious
Similar samples:
043d74057370b18ec933764ae5c0fa80be90af1d41761c0a2f34f9d8c56542e5
ServHelper
046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
ServHelper
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
ServHelper
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
ServHelper
b3748a0976c91a7310d0d38d42c91b1d7ba37364d58c5bed902cc6641d31cadc
ServHelper
be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
ServHelper
da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
ServHelper
fd8f5bd06d288207635503abf28da66ec823359d18c6f887750831035d51e9d6
ServHelper
ff257a7b22badf7948f21dd5dfaf008dd72895aa63bc6a1c5838cbe26036bbe7
ServHelper
+ 188 additional samples on MalwareBazaar
Result
Malware family:
servhelper
Create hunting rule
Score:
  10/10
Tags:
family:servhelper backdoor discovery exploit persistence trojan upx
Link:
https://tria.ge/reports/210924-xj8wjahfe8/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
MD5 hash:
5367615a3d3f95eeab592a53716ed3bb
SHA1 hash:
8592c6e78aa592d9f135dbe9d97cf2f524dbeaed
Link:
https://www.unpac.me/results/f7218c17-95d1-4c0f-8f3f-72c9e8c8ba28/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/af7e2ecb8e84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:susp_winsvc_upx
Create hunting rule
Author:SBousseaden
Description:broad hunt for any PE exporting ServiceMain API and upx packed
Rule name:win_servhelper_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584888/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191262/

Comments