MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
SHA3-384 hash: 9ee2bf10b8cdf3bf7542da9b1048b2a22c3239bdc5c8919c6bebf627d26e23a2de1e80783e1c73d3b0f2426b69c9b448
SHA1 hash: 11c54ce99e87637f58c7bc0bd8134c73df9bf879
MD5 hash: 61d5e32562d1c70daf0a3112f7888258
humanhash: skylark-lithium-robin-massachusetts
File name:61d5e32562d1c70daf0a3112f7888258.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:6'024'192 bytes
First seen:2021-09-22 06:20:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:wDK8merb/T/vO90dL3BmAFd4A64nsfJdo5GQ5shfTuU92flI7MhhaftEhamnybrN:wD+3eGLmAQQQQQQQQQQQQQ
Threatray 191 similar samples on MalwareBazaar
TLSH T11A56F103BC9164B9C9E9D23189B592513731B8490B3577C33F46A6BA2FB77C41E393A8
Reporter abuse_ch
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61d5e32562d1c70daf0a3112f7888258.exe
Verdict:
No threats detected
Analysis date:
2021-09-22 06:21:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa014262-4c2d-4185-b5e8-1403bb4e5b78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190070/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38721439-4de1-48de-b3de-37376afda6c2
Result
Threat name:
SERVHELPER
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855378
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487811 Sample: KemMuDMQWN.exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 89 Antivirus detection for dropped file 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 Contains functionality to start a terminal service 2->93 95 5 other signatures 2->95 10 KemMuDMQWN.exe 4 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 4 other processes 2->17 process3 signatures4 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->109 111 Bypasses PowerShell execution policy 10->111 113 Queries memory information (via WMI often done to detect virtual machines) 10->113 19 powershell.exe 47 10->19         started        115 Adds a new user with administrator rights 13->115 23 conhost.exe 13->23         started        25 net.exe 13->25         started        27 net.exe 15->27         started        29 conhost.exe 15->29         started        31 net.exe 17->31         started        33 net.exe 17->33         started        35 conhost.exe 17->35         started        37 conhost.exe 17->37         started        process5 file6 81 C:\Windows\Branding\mediasvc.png, PE32+ 19->81 dropped 83 C:\Windows\Branding\mediasrv.png, PE32+ 19->83 dropped 85 C:\Users\user\AppData\...\exy4qkfl.cmdline, UTF-8 19->85 dropped 97 Detected SERVHELPER 19->97 99 Uses cmd line tools excessively to alter registry or file data 19->99 101 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 19->101 103 2 other signatures 19->103 39 cmd.exe 19->39         started        42 reg.exe 19->42         started        44 powershell.exe 19->44         started        52 8 other processes 19->52 46 net1.exe 27->46         started        48 net1.exe 31->48         started        50 net1.exe 33->50         started        signatures7 process8 file9 105 Adds a new user with administrator rights 39->105 55 cmd.exe 39->55         started        107 Creates a Windows Service pointing to an executable in C:\Windows 42->107 57 net.exe 44->57         started        59 conhost.exe 44->59         started        61 conhost.exe 44->61         started        87 C:\Users\user\AppData\Local\...\exy4qkfl.dll, PE32 52->87 dropped 63 cmd.exe 52->63         started        65 cvtres.exe 52->65         started        67 conhost.exe 52->67         started        69 2 other processes 52->69 signatures10 process11 process12 71 net.exe 55->71         started        73 net1.exe 57->73         started        75 net.exe 63->75         started        process13 77 net1.exe 71->77         started        79 net1.exe 75->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 00:09:57 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ias6zuzmhbwggyq3ukh6ogkgr4wyqdjfya3khosa33kln2v4ycq._file
Verdict:
malicious
Similar samples:
043d74057370b18ec933764ae5c0fa80be90af1d41761c0a2f34f9d8c56542e5
ServHelper
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
ServHelper
266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
ServHelper
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
ServHelper
b3748a0976c91a7310d0d38d42c91b1d7ba37364d58c5bed902cc6641d31cadc
ServHelper
be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
ServHelper
fd8f5bd06d288207635503abf28da66ec823359d18c6f887750831035d51e9d6
ServHelper
ff257a7b22badf7948f21dd5dfaf008dd72895aa63bc6a1c5838cbe26036bbe7
ServHelper
+ 181 additional samples on MalwareBazaar
Result
Malware family:
servhelper
Create hunting rule
Score:
  10/10
Tags:
family:servhelper backdoor discovery exploit persistence suricata trojan upx
Link:
https://tria.ge/reports/210922-g4b5asedej/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
ServHelper
suricata: ET MALWARE ServHelper CnC Inital Checkin
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
MD5 hash:
61d5e32562d1c70daf0a3112f7888258
SHA1 hash:
11c54ce99e87637f58c7bc0bd8134c73df9bf879
Link:
https://www.unpac.me/results/057fc061-1a92-4b5b-9c82-010ccfd5afb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635826/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190070/

Comments