MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f83900a393fb8d8318bcf8d1afe880bc482b83284fb74b0b99c66240caa0eb8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ServHelper


Vendor detections: 6



SHA256 hash: f83900a393fb8d8318bcf8d1afe880bc482b83284fb74b0b99c66240caa0eb8e
SHA3-384 hash: a26d8209130487be54741215e68cb36ca177b4800512bde311f0608f4e88630247efaed54bfd889111d3c6e7b8a433f8
SHA1 hash: e3fa09a37d0ebaa272226fb3bb905b40a93f19ea
MD5 hash: 1cd5d1139a357149489a5d6d081c8a5b
humanhash: alpha-winner-kentucky-king
File name: 1cd5d1139a357149489a5d6d081c8a5b.dll
Signature: ServHelper
File size: 761'344 bytes
First seen: 2021-06-16 09:14:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb7697ac38be5e4fdd7bfeafa886a0ad (6 x ServHelper)
ssdeep: 12288:/6V/j5YFjRUR7xcWV1q8tp2iQUZy4KiHW2Z1P6JPp7STC6A4wFUkGl7V8IJo6Co9:slY1RaxVdtVhuAET2knIJonQ
Threatray: 99 similar samples on MalwareBazaar
TLSH: 7FF4234813C6D3B3F97A58719A402E68052971C9EBEFCD03937C6CB923360DA19DD0A7
Reporter: abuse_ch
Tags: dll exe ServHelper

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'433
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1cd5d1139a357149489a5d6d081c8a5b.dll
Verdict: No threats detected
Analysis date: 2021-06-16 09:17:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Hides user accounts
Modifies security policies related information
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph ID: 435298
Sample: FFftNpj5Vj.dll
Start date: 16/06/2021
Architecture: WINDOWS
Score: 84
Hosts contacted in the graph: wheredoyougo.cn (194.180.174.41; ports 443, 49761, 49762; MIVOCLOUDMD), raw.githubusercontent.com, 192.168.2.1
Processes in the graph (flattened): loaddll64.exe as the root, spawning rundll32.exe, cmd.exe, net1.exe, WerFault.exe and several other processes
Signatures attached to graph nodes: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Hides user accounts; Modifies security policies related information; System process connects to network (likely due to code injection or exploit); Tries to evade analysis by execution special instruction which cause usermode exception
Threat name: Win64.Backdoor.ServHelper
Status: Malicious
First seen: 2021-01-18 20:43:07 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: f83900a393fb8d8318bcf8d1afe880bc482b83284fb74b0b99c66240caa0eb8e
MD5 hash: 1cd5d1139a357149489a5d6d081c8a5b
SHA1 hash: e3fa09a37d0ebaa272226fb3bb905b40a93f19ea
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_servhelper_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments