Malware Analysis Report

2025-06-15 19:58

Sample ID 250226-zj3evssvex
Target 2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef
SHA256 2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef
Tags: blihanstealer discovery persistence stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef

Threat Level: Known bad

The file 2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef was found to be: Known bad.

Malicious Activity Summary

blihanstealer discovery persistence stealer trojan

BlihanStealer

Blihanstealer family

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-26 20:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 20:45

Reported

2025-02-26 20:48

Platform

win7-20241010-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe"

Signatures

BlihanStealer

trojan stealer blihanstealer

Blihanstealer family

blihanstealer

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe

"C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/2820-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 ecc45f9e71c3430d1481bea13ad44f84
SHA1 dc2ce8c12b6c43656b359fd6e1cb27b7d0ad85f7
SHA256 9af9bca0be1ae44e01974fe7a3ab3d832e9de3a0efe34c3d25e50ca342107409
SHA512 b3667aa5eec11e528f78ff9b1b9190ef7bab79652c9f88dbb140ce37f204bf9d900d46286e351483f747709c3b86fbc564a103da41358a521d6f9d90a5b25683

memory/2776-9-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2820-8-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2776-11-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 20:45

Reported

2025-02-26 20:48

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe"

Signatures

BlihanStealer

trojan stealer blihanstealer

Blihanstealer family

blihanstealer

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\microsofthelp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe

"C:\Users\Admin\AppData\Local\Temp\2230604899758d0f4fe642806176b0b9bca6f740a5736cee8e7b91a7b8d62fef.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/5076-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 ecc45f9e71c3430d1481bea13ad44f84
SHA1 dc2ce8c12b6c43656b359fd6e1cb27b7d0ad85f7
SHA256 9af9bca0be1ae44e01974fe7a3ab3d832e9de3a0efe34c3d25e50ca342107409
SHA512 b3667aa5eec11e528f78ff9b1b9190ef7bab79652c9f88dbb140ce37f204bf9d900d46286e351483f747709c3b86fbc564a103da41358a521d6f9d90a5b25683

memory/5076-5-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4944-6-0x0000000000400000-0x000000000040E000-memory.dmp