MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
SHA3-384 hash: 727b862bb9aa0547364ab01cb459684e198e299d161889ecfb3d16f2ce642fc119847c9b8396815c8f9e39240570bad2
SHA1 hash: f74ae6d243342099d3fa500cbc630f4a244a8d82
MD5 hash: cb3cc551561883ab8fc4fb6fc837a469
humanhash: jupiter-sixteen-ohio-tango
File name:cb3cc551561883ab8fc4fb6fc837a469.exe
Download: download sample
Signature ServHelper
Create hunting rule
File size:4'224'512 bytes
First seen:2021-10-10 11:57:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bbcd6443f036d63710b3c873df1ad89 (1 x ServHelper)
ssdeep 49152:MgG+0nnFa5xF1Azk6GehC1Vm6ctA6Ty0pQJb4Qate1YdM1TGHgzBut:M
Threatray 13 similar samples on MalwareBazaar
TLSH T13E1633201FF86EFDCA6CD234707BED0D29A14E84C864E6DF91E1F5830646BC4566BA72
Reporter abuse_ch
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb3cc551561883ab8fc4fb6fc837a469.exe
Verdict:
Malicious activity
Analysis date:
2021-10-10 11:59:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e4fbb51-862f-4db4-ac52-54d6a115e919

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196390/
Detection(s):
Win.Downloader.Powershell-9883640-0
Create hunting rule

Win.Downloader.Powershell-9883847-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm monero obfuscated
Link:
https://www.filescan.io/uploads/6162d54c3831960005b2b999/reports/43f3b4b8-45ee-4170-88a8-79f33e1690af/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb/
Threat name:
ByteCode-MSIL.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-10 00:09:46 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zoyftk6mg2rqvzliqkxs7xea7h7duukfyfuhiv25rzdnq3wsxvq._file
Verdict:
malicious
Similar samples:
00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff
ServHelper
3228552bf12eac0d0d241b72489b37b6f25e4f3fca6e7867a3dbc2b912f404fe
ServHelper
3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff
ServHelper
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
ServHelper
5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
ServHelper
82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c
ServHelper
b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38
ServHelper
be1fe05856af0cb8678fff94ccbbb5ed99a7ebb8e4d2a0725e196d5c38f093b5
ServHelper
d4e00a94b16acd89b61cd46d1fcee4385b0639dcd7d85029f6a6067f7b7437bf
ServHelper
db23d6f5e2123cde47f4e3178bf18063aa3270d13499991200c9074a837eff07
ServHelper
+ 3 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:servhelper family:xmrig backdoor miner persistence trojan
Link:
https://tria.ge/reports/211010-n46ggafgf8/
Behaviour
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
Grants admin privileges
ServHelper
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584888/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196390/

Comments