MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23
SHA3-384 hash: 8c2e6c738bb61e74084354a3f8acab9436e07ab4ad6053997012dd9b652c4222f474b1cee0dbf569b4cc1e273594217a
SHA1 hash: 3cd4b3add5c602301dd0502f18d43d8c4917669f
MD5 hash: 09190dabf909f469a8be46f83365e91e
humanhash: nuts-single-avocado-uranus
File name:09190dabf909f469a8be46f83365e91e.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:4'805'632 bytes
First seen:2021-12-20 08:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:6s/zy3XvVkXDKRrb/TevO90dL3BmAFd4A64nsfJ/PKaCruufNGjzZdm41ubNCw9P:h/vDK/yqk
Threatray 234 similar samples on MalwareBazaar
TLSH T1B426D083FCA460B8C9E6D271897992913731B4590B32E7C72F51A6BB2FA37D05E38354
Reporter abuse_ch
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
942
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215377/
Detection(s):
Win.Ransomware.Hive-9916034-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Forced system process termination
Launching the process to interact with network services
Running batch commands
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2707/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61c04258ec6c6c14a9e49a9e/reports/7094f2f4-856c-4021-80cd-81b8073792de/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b56f7877-b7a7-4936-be93-adf0d12346ba
Result
Threat name:
SERVHELPER
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910128
Signature
.NET source code references suspicious native API functions
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 542605 Sample: 5ujtY6poYF.exe Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 60 xncuzxucyv7sad3isduds37.xyz 2->60 62 raw.githubusercontent.com 2->62 64 8 other IPs or domains 2->64 74 Antivirus detection for dropped file 2->74 76 .NET source code references suspicious native API functions 2->76 78 Contains functionality to start a terminal service 2->78 80 6 other signatures 2->80 11 5ujtY6poYF.exe 4 2->11         started        14 rdpdr.sys 2->14         started        signatures3 process4 signatures5 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->86 88 Bypasses PowerShell execution policy 11->88 90 Queries memory information (via WMI often done to detect virtual machines) 11->90 16 powershell.exe 54 11->16         started        process6 file7 50 C:\Windows\Branding\mediasvc.png, PE32+ 16->50 dropped 52 C:\Windows\Branding\mediasrv.png, PE32+ 16->52 dropped 54 C:\Users\user\AppData\...\sghm1n30.cmdline, UTF-8 16->54 dropped 66 Uses cmd line tools excessively to alter registry or file data 16->66 68 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 16->68 70 Adds a new user with administrator rights 16->70 72 Powershell drops PE file 16->72 20 powershell.exe 16->20         started        23 reg.exe 16->23         started        25 cmd.exe 16->25         started        27 10 other processes 16->27 signatures8 process9 file10 82 Detected SERVHELPER 20->82 30 conhost.exe 20->30         started        84 Creates a Windows Service pointing to an executable in C:\Windows 23->84 32 cmd.exe 25->32         started        56 C:\Users\user\AppData\Local\...\sghm1n30.dll, PE32 27->56 dropped 58 C:\Users\user\AppData\Local\...\4ianpvrc.dll, PE32 27->58 dropped 34 cmd.exe 27->34         started        36 cvtres.exe 27->36         started        38 cvtres.exe 27->38         started        40 3 other processes 27->40 signatures11 process12 process13 42 net.exe 32->42         started        44 net.exe 34->44         started        process14 46 net1.exe 42->46         started        48 net1.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23/
Threat name:
ByteCode-MSIL.Trojan.WinGoGoCLR
Create hunting rule
Status:
Malicious
First seen:
2021-12-19 08:16:29 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7yrye5ap2jl2cu4d7upj3lwzbfs6ibu3amc3eu4sgobpqartqrq._file
Verdict:
malicious
Similar samples:
043d74057370b18ec933764ae5c0fa80be90af1d41761c0a2f34f9d8c56542e5
ServHelper
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
ServHelper
723fe07654cfbf19c4cbe7b63617f3a5aaf306c11e092841397abaeff80c50c1
ServHelper
9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
ServHelper
be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
ServHelper
da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
ServHelper
eb02c967fb3feaf5504a78de8a7e0513c2c4e52ddf2243bfbcb10e83954baaad
ServHelper
efa22ab0015899c95aa6582cc90314de8d4cf2f52d3267eba50482b75d060ac5
ServHelper
+ 224 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata upx
Link:
https://tria.ge/reports/211220-km58laahdr/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
suricata: ET MALWARE ServHelper CnC Inital Checkin
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23
MD5 hash:
09190dabf909f469a8be46f83365e91e
SHA1 hash:
3cd4b3add5c602301dd0502f18d43d8c4917669f
Link:
https://www.unpac.me/results/27815673-d15b-4d58-90fe-b6b136cf8047/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:susp_winsvc_upx
Create hunting rule
Author:SBousseaden
Description:broad hunt for any PE exporting ServiceMain API and upx packed
Rule name:win_servhelper_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe aff11c13a07e92bd0a9c1fe8f4ed76c84b2f2034d8182d929c919c17c0119c23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1894304/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215377/

Comments