MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b436fbb05650df4facc948f49ee619c4825e747c373f2d461d5a1c26b0c7aa15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 8

SHA256 hash: b436fbb05650df4facc948f49ee619c4825e747c373f2d461d5a1c26b0c7aa15
SHA3-384 hash: bf2de40df03624a44d6ed32fade607b0c136b3f1a2b8d0f37d115dd775298b21fb350336c81d5bbe751f4772f9fce40f
SHA1 hash: ad5d7788f6c447759422648f55a2d12e4a4a19ab
MD5 hash: ea2e527c2a141b9ea8052b506ca4fbd9
humanhash: hotel-london-quiet-quebec
File name: b436fbb05650df4facc948f49ee619c4825e747c373f2d461d5a1c26b0c7aa15
Signature: ServHelper
File size: 6'413'272 bytes
First seen: 2021-05-17 17:15:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4035d2883e01d64f3e7a9dccb1d63af5 (47 x ServHelper, 20 x LummaStealer, 17 x Rhadamanthys)
ssdeep: 49152:4rrNkLWwNUPA5HhxJB826l4aZ2KTN4C22Bqqinho2OQ6/H9F6iPbp+wOEHCh296M:kr2LWwNUP6y
Threatray: 103 similar samples on MalwareBazaar
TLSH: 4C56E056BCD244BAC539E230855293917A713CA407327BD31FA4B9AA2E75FD82F3E314
Reporter: Anonymous
Tags: Alpeks LLC ServHelper signed

Code Signing Certificate

Organisation: Alpeks LLC
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-05-04T00:00:00Z
Valid to: 2022-05-04T23:59:59Z
Serial number: 44fe73f320aa8b7b4f5ca910aa22333a
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: b7a5037ee2c0992387e0546a89864c75aaca613b0bc85b3bdefa16ff422d6fb0
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform



Intelligence


File Origin
# of uploads: 1
# of downloads: 1'623
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b436fbb05650df4facc948f49ee619c4825e747c373f2d461d5a1c26b0c7aa15
Verdict: No threats detected
Analysis date: 2021-05-17 17:20:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness: (not given)
Behaviour
Creating a file in the system32 subdirectories
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Forced system process termination
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 75 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (ID 416070; sample 0Zj54fMLLn; start date 17/05/2021; architecture WINDOWS; score 75)
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 3 other signatures
Process tree recovered from the graph (signatures and dropped files in brackets):
  0Zj54fMLLn.exe (started) [Bypasses PowerShell execution policy]
    powershell.exe (started) [drops C:\Windows\Branding\mediasvc.png (PE32+) and C:\Windows\Branding\mediasrv.png (PE32+); Uses cmd line tools excessively to alter registry or file data; Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes); Powershell drops PE file]
      reg.exe (started) [Creates a Windows Service pointing to an executable in C:\Windows]
      cmd.exe -> cmd.exe -> net.exe -> net1.exe
      cmd.exe -> cmd.exe -> net.exe -> net1.exe
      7 other processes, including conhost.exe (x3) and net1.exe
  rdpdr.sys (started)
Threat name: ByteCode-MSIL.Trojan.Vigorf
Status: Malicious
First seen: 2021-05-13 06:23:00 UTC
File Type: PE+ (Exe)
AV detection: 21 of 47 (44.68%)
Threat level: 5/5

Result
Malware family: servhelper
Score: 10/10
Tags: family:servhelper backdoor discovery exploit persistence trojan upx
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper Malware Config
Dropper Extraction: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: GoBinTest

Rule name: golang

Rule name: INDICATOR_TOOL_GoCLR
Author: ditekSHen
Description: Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-17 18:05:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
2) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0019] Data Micro-objective::Check String
6) [C0032.001] Data Micro-objective::CRC32::Checksum
7) [C0026.001] Data Micro-objective::Base64::Encode Data
8) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
10) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
13) [C0052] File System Micro-objective::Writes File