MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bef2bb96ec31839165995390f078e8758fd11ab3a646c62b1c346d99d04e7f31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	bef2bb96ec31839165995390f078e8758fd11ab3a646c62b1c346d99d04e7f31
SHA3-384 hash:	57c8c41834d0155cf437a6ae9e3aee0d4f78dbd0b2fa4a2d20e7063ad9839a79ad01cd7c237020606782911b0ca5179e
SHA1 hash:	34a5d532f2f217ba233ed54d2830028236f9e6e6
MD5 hash:	38be9b97dd8633c82abf170d7b45020e
humanhash:	pennsylvania-colorado-wyoming-aspen
File name:	get-content.ps1
Download:	download sample
Signature	ServHelper Create hunting rule
File size:	2'638'107 bytes
First seen:	2021-05-17 17:29:03 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	49152:OPTf8a2CZve7zuBfqSvHT378Kp2S+Lm6lZnqLic:+
Threatray	393 similar samples on MalwareBazaar
TLSH	8BC533206EAF3DE5495C913C647F1A1FB7A39FF0D0AAEE23CB46AC9A1205AC15017C5D
Reporter	JAMESWT_WT
Tags:	ServHelper

Intelligence

File Origin

# of uploads :

1

# of downloads :

1'611

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

UNKNOWN

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bef2bb96ec31839165995390f078e8758fd11ab3a646c62b1c346d99d04e7f31/

Threat name:

Script-PowerShell.Trojan.Heuristic

Status:

Malicious

First seen:

2021-05-15 05:40:13 UTC

File Type:

Text (PowerShell)

AV detection:

2 of 47 (4.26%)

Threat level:

2/5

Verdict:

unknown

Similar samples:

18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

20faac5510ba588710ea8c02723f8efee1971f1f741c4965eb375f131ef86280

22f52343a08d9df34006583847ac1d7fe29ed8c351fa8a3be9a57f11af747ea6

417c9fa1bbc670233243b3fbbf9d10c5a5e60a900b5e861b969ce7705ad317bf

5c346f9336dd9981eb26d6e4aa8a702edadbaf677fad6d6d220970de4f2bcbfc

7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99

bf7213ff0789b35b0aeed7146b132b83b26ec850cc8d39a2da15d1516d5a7b75

c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586

d77ad6187d7862303d1fba3b73797fea0b4b4821ac7fbc6c006db3b27b9fefaa

e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733

+ 383 additional samples on MalwareBazaar

Result

Malware family:

servhelper

Score:

10/10

Tags:

family:servhelper backdoor discovery exploit persistence trojan upx

Link:

https://tria.ge/reports/210517-5qjhlrmr8a/

Behaviour

Modifies data under HKEY_USERS

Modifies registry key

Runs net.exe

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Deletes itself

Loads dropped DLL

Modifies file permissions

Blocklisted process makes network request

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Sets DLL path for service in the registry

UPX packed file

Grants admin privileges

ServHelper

Malware Config

Dropper Extraction:

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample