MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ServHelper


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa
SHA3-384 hash: 719d1ffdbdbbd769d5aa2a947807888dc550c5788726a2300bca32012d2dce0e1ad92d0110d1d40df4f737ccd2e075af
SHA1 hash: 911b9cd7fcc9a16751dcd4fd7558857c0bafdbb4
MD5 hash: 9d3aca5a645ffb272565181da7aa12b4
humanhash: nuts-black-oranges-comet
File name:9d3aca5a645ffb272565181da7aa12b4
Download: download sample
Signature ServHelper
Create hunting rule
File size:6'329'344 bytes
First seen:2021-07-24 18:16:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4035d2883e01d64f3e7a9dccb1d63af5 (47 x ServHelper, 29 x Vidar, 20 x LummaStealer)
ssdeep 49152:ayEYeB3ACWUC/b55JnHn+CCtA45Poi77rB1d1o4tRoA+ZlCH7+mZEW6SjuUorfgH:a5B3Az/1
Threatray 151 similar samples on MalwareBazaar
TLSH T17556E012BCE214BAC57AD130845697617B323CA483317BD72E98B5AA2E75FD42F3E314
Reporter zbetcheckin
Tags:exe ServHelper

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'355
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d3aca5a645ffb272565181da7aa12b4
Verdict:
No threats detected
Analysis date:
2021-07-24 18:19:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01b35fe2-4116-495d-ab8e-4d0c4bfaeba1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173934/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Win.Malware.ServHelper-9874966-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3aa4374f-ffd2-4e40-aabe-5ea0cd1d227f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821291
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453698 Sample: m2VHoC1ggg Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 85 sasf6asf683jfsd.xyz 2->85 87 sadufasggvyaysd.xyz 2->87 89 2 other IPs or domains 2->89 95 Antivirus detection for dropped file 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Yara detected Powershell download and execute 2->99 101 6 other signatures 2->101 11 m2VHoC1ggg.exe 4 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 signatures5 115 Bypasses PowerShell execution policy 11->115 117 Queries memory information (via WMI often done to detect virtual machines) 11->117 20 powershell.exe 68 11->20         started        25 net.exe 14->25         started        27 conhost.exe 14->27         started        29 net.exe 16->29         started        31 conhost.exe 16->31         started        33 net.exe 18->33         started        35 conhost.exe 18->35         started        37 conhost.exe 18->37         started        39 net.exe 18->39         started        process6 dnsIp7 91 asbza.cn 20->91 93 asbza.cn 206.188.197.227, 49735, 80 DEFENSE-NETUS United States 20->93 77 C:\Windows\Branding\mediasvc.png, PE32+ 20->77 dropped 79 C:\Windows\Branding\mediasrv.png, PE32+ 20->79 dropped 81 C:\Users\user\AppData\...\ruqjycxh.cmdline, UTF-8 20->81 dropped 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->103 105 Uses cmd line tools excessively to alter registry or file data 20->105 107 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 20->107 111 2 other signatures 20->111 41 reg.exe 20->41         started        44 cmd.exe 20->44         started        46 cmd.exe 20->46         started        54 8 other processes 20->54 48 net1.exe 25->48         started        50 net1.exe 29->50         started        52 net1.exe 33->52         started        file8 109 Performs DNS queries to domains with low reputation 91->109 signatures9 process10 file11 113 Creates a Windows Service pointing to an executable in C:\Windows 41->113 57 cmd.exe 44->57         started        59 cmd.exe 46->59         started        83 C:\Users\user\AppData\Local\...\ruqjycxh.dll, PE32 54->83 dropped 61 cvtres.exe 54->61         started        63 conhost.exe 54->63         started        65 conhost.exe 54->65         started        67 2 other processes 54->67 signatures12 process13 process14 69 net.exe 57->69         started        71 net.exe 59->71         started        process15 73 net1.exe 69->73         started        75 net1.exe 71->75         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa/
Threat name:
Win64.Trojan.WinGoGoCLR
Create hunting rule
Status:
Malicious
First seen:
2021-07-24 18:17:06 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sw4tvo7frkuhul7vkka57hntgakq64yvccyztbvi75vdyku5sva._file
Verdict:
malicious
Similar samples:
10d971c860d4f8ad93b86f47fbc0cd285897769dd60bb68dea4377bb6e7d6f1f
ServHelper
385b465f4265a093e38d831e885221c99ca8a1313d3ca30c4d32f6379d7b5428
ServHelper
5c7e8b5ecf30c04a3a6e3726328c37eccfc8f0656797894d71e2ac7c27c20c9d
ServHelper
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
ServHelper
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
ServHelper
7ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
ServHelper
7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591
ServHelper
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
ServHelper
9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
ServHelper
b591e73c3ebfe7ba44eb161c3cc1ee7b9a794d4e9b9b9aa4e3936f518e814ceb
ServHelper
+ 141 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210724-x62nmvf62x/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa
MD5 hash:
9d3aca5a645ffb272565181da7aa12b4
SHA1 hash:
911b9cd7fcc9a16751dcd4fd7558857c0bafdbb4
Link:
https://www.unpac.me/results/b1dccc7c-1f13-4cd8-a623-0345cfda10eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ServHelper

Executable exe f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1478750/
Cape
Cape
https://www.capesandbox.com/analysis/173934/

Comments


Avatar
zbet commented on 2021-07-24 18:16:50 UTC

url : hxxp://103.253.43.60/archiv/power.exe