helper.exe

File Path: C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Description: Thunderbird Helper

Hashes

Type	Hash
MD5	`3B1D817E52F9DA64E69F67CB27EB2FFD`
SHA1	`98AD21AA76AB53E0F6E094418CAD339696AC9C93`
SHA256	`764F8A8745CD521879553BA3ACA34668A6FB9199E2F4E2F450A0F956E26C1DFF`
SHA384	`54F7E82DC917766DE2D92517641E4C8A137237DB8ADE5DC0B544F68695A310C15BDB5CCE62DD75D2867E9C1047EF5B04`
SHA512	`C2EEF0F491882CC4C0F2A8BB822070BD12D591C579DB85979173161B392F183135EEB8EDE6884FF7A70C6DCF30FE7CCD1ADE24508B8B30A2046EC9095093DA3E`
SSDEEP	`12288:dc/UjD5guP7y8H++OUDDvP6Va1nbAIk3uhP77+7qB3ayH:dQu/e+zu7C3aQ`
IMP	`E2A592076B17EF8BFB48B7E03965A3FC`
PESHA1	`B4E56F92848387B4513A8280E588791896CBCA21`
PE256	`264A23DE07265B1FA70DA550652CA97D9A418EE4F5FE4A7E519799CAEC8FCFD5`

Runtime Data

Loaded Modules:

Path
C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

Status: Signature verified.
Serial: 0C1CD3EEA47EDDA7A032573B014D0AFD
Thumbprint: 1326B39C3D5D2CA012F66FB439026F7B59CB1974
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

Original Filename: helper.exe
Product Name: Thunderbird
Company Name: Mozilla Corporation
File Version: 91.3.0
Product Version: 91.3.0
Language: English (United States)
Legal Copyright: Mozilla Corporation
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/73
VirusTotal Link: https://www.virustotal.com/gui/file/764f8a8745cd521879553ba3aca34668a6fb9199e2f4e2f450a0f956e26c1dff/detection

File Similarity (ssdeep match)

File	Score
C:\program files\Mozilla Firefox\uninstall\helper.exe	58
C:\Program Files\Mozilla Firefox\uninstall\helper.exe	55
C:\Program Files\Mozilla Firefox\uninstall\helper.exe	58
C:\program files\Mozilla Thunderbird\uninstall\helper.exe	72
C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe	75
C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe	75

Possible Misuse

The following table contains possible examples of helper.exe being misused. While helper.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	posh_ps_winlogon_helper_dll.yml	`title: Winlogon Helper DLL`	DRL 1.0
sigma	posh_ps_winlogon_helper_dll.yml	description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.	DRL 1.0
sigma	proc_creation_win_susp_netsh_dll_persistence.yml	`description: Detects persitence via netsh helper`	DRL 1.0
sigma	proc_creation_win_susp_netsh_dll_persistence.yml	`- 'helper'`	DRL 1.0
sigma	proc_creation_win_susp_pcwutl.yml	`- Use of Program Compatibility Troubleshooter Helper`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification.yml	`- '\Explorer\Browser Helper Objects'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_currentversion.yml	`- '\Explorer\Browser Helper Objects'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`- '\Explorer\Browser Helper Objects'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`TargetObject\\|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`TargetObject\\|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'`	DRL 1.0
LOLBAS	Netsh.yml	`- Command: netsh.exe add helper C:\Path\file.dll`
LOLBAS	Netsh.yml	`Description: Load (execute) NetSh.exe helper DLL file.`
LOLBAS	Atbroker.yml	`Description: Helper binary for Assistive Technology (AT)`
LOLBAS	Netsh.yml	`- Command: netsh.exe add helper C:\Users\User\file.dll`
malware-ioc	misp_invisimole.json	`"comment": "RC2FM helper DLL",`	© ESET 2014-2018
malware-ioc	invisimole	`==== RC2FM helper DLL`	© ESET 2014-2018
malware-ioc	win_apt_invisimole_helper_dll.yml	`title: InvisiMole Helper DLLs dropped`	© ESET 2014-2018
atomic-red-team	index.md	- T1546.007 Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: Netsh Helper DLL Registration [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- T1547.004 Winlogon Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- T1546.007 Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Netsh Helper DLL Registration [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- T1547.004 Winlogon Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	\| \| \| Local Account \| Netsh Helper DLL \| File Deletion \| Unsecured Credentials CONTRIBUTE A TEST \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	\| \| \| Netsh Helper DLL \| Path Interception by Search Order Hijacking CONTRIBUTE A TEST \| Hidden Files and Directories \| \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	\| \| \| Systemd Service \| Winlogon Helper DLL \| Pass the Ticket \| \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	\| \| \| Winlogon Helper DLL \| \| Process Hollowing \| \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	\| \| \| Logon Script (Windows) \| Netsh Helper DLL \| File and Directory Permissions Modification CONTRIBUTE A TEST \| Silver Ticket CONTRIBUTE A TEST \| \| \| \| \| Traffic Signaling CONTRIBUTE A TEST \| \|	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	\| \| \| Netsh Helper DLL \| Parent PID Spoofing \| Hidden File System CONTRIBUTE A TEST \| Steal or Forge Kerberos Tickets CONTRIBUTE A TEST \| \| \| \| \| Web Service CONTRIBUTE A TEST \| \|	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	\| \| \| Shortcut Modification \| Winlogon Helper DLL \| Odbcconf \| \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	\| \| \| Winlogon Helper DLL \| \| Portable Executable Injection CONTRIBUTE A TEST \| \| \| \| \| \| \| \|	MIT License. © 2018 Red Canary
atomic-red-team	T1219.md	Invoke-WebRequest -OutFile C:\Users$env:username\Downloads\GoToAssist.exe “https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1”	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	# T1546.007 - Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	<blockquote>Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at `HKLM\SOFTWARE\Microsoft\Netsh`.	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	- Atomic Test #1 - Netsh Helper DLL Registration	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	## Atomic Test #1 - Netsh Helper DLL Registration	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	netsh.exe add helper #{helper_file}	MIT License. © 2018 Red Canary
atomic-red-team	T1547.004.md	# T1547.004 - Winlogon Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	T1547.004.md	<blockquote>Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in `HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)	MIT License. © 2018 Red Canary
atomic-red-team	T1548.002.md	Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.	MIT License. © 2018 Red Canary
atomic-red-team	T1548.002.md	PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.	MIT License. © 2018 Red Canary
signature-base	apt_sofacy_dec15.yar	description = “Dropped C&C helper DLL for AZZY 4.3”	CC BY-NC 4.0
signature-base	crime_crypto_miner.yar	description = “Detects helper script used in a crypto miner campaign”	CC BY-NC 4.0
signature-base	gen_anomalies_keyword_combos.yar	$fp5 = “Firefox Helper” wide fullword	CC BY-NC 4.0
signature-base	yara_mixed_ext_vars.yar	$s2 = “AcroTray - Adobe Acrobat Distiller helper application” fullword wide	CC BY-NC 4.0
signature-base	yara_mixed_ext_vars.yar	$s2 = “Virtual hardware upgrade helper service” fullword wide	CC BY-NC 4.0