Malware Analysis Report

2025-06-15 19:58

Sample ID 250226-y8hlbasmx3
Target 190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630
SHA256 190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630
Tags blihanstealer discovery persistence stealer trojan
Score 10/10


Analysis Overview

Score 10/10
SHA256 190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630

Threat Level: Known bad

The file 190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630 was found to be: Known bad.

Malicious Activity Summary

blihanstealer discovery persistence stealer trojan

BlihanStealer

Blihanstealer family

Executes dropped EXE

Deletes itself

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-02-26 20:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-02-26 20:27
Reported 2025-02-26 20:29
Platform win7-20240903-en
Max time kernel 149s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe"

Signatures

BlihanStealer

trojan stealer blihanstealer

Blihanstealer family

blihanstealer

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe

"C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/3036-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 7243cd8d76f12745a9f733147be0d208
SHA1 997e37a1c6c442256ad4d6e2fce402115f5a9cf7
SHA256 1696a58b4086521d1b9f1104c6e7591f79458bb6816fa55e4bb47b389ebac1c0
SHA512 f9d15eb9adf8de18ff60215555f948cc2cce613a01ed2e8dd58397c9023121021f7a151ad6bcfd74e953fccbe07bb75bbb92d6dc81eb89ecd79a2371605bf4c4

memory/3036-7-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2488-9-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2488-11-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2025-02-26 20:27
Reported 2025-02-26 20:29
Platform win10v2004-20250217-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe"

Signatures

BlihanStealer

trojan stealer blihanstealer

Blihanstealer family

blihanstealer

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\microsofthelp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe

"C:\Users\Admin\AppData\Local\Temp\190a2e3947226ecf31204dbb57fb5103376e8e8dfcc52d04e8b36702f6fa9630.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/3764-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 7243cd8d76f12745a9f733147be0d208
SHA1 997e37a1c6c442256ad4d6e2fce402115f5a9cf7
SHA256 1696a58b4086521d1b9f1104c6e7591f79458bb6816fa55e4bb47b389ebac1c0
SHA512 f9d15eb9adf8de18ff60215555f948cc2cce613a01ed2e8dd58397c9023121021f7a151ad6bcfd74e953fccbe07bb75bbb92d6dc81eb89ecd79a2371605bf4c4

memory/3764-6-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4688-7-0x0000000000400000-0x000000000040E000-memory.dmp