Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/02/2025, 00:10
Static task: static1
Behavioral task: behavioral1
  Sample: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe
  Resource: win10v2004-20250217-en
General
Target: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe
Size: 70KB
MD5: 81a60f904a524f65d328d33b1a0ad057
SHA1: ddc6e9d3156ea096eec9824158d3023340e045d7
SHA256: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b
SHA512: fad3856e886a0c22a477bb0fc528db7e7efd2baec626ba6612f0327b0430cc7feabc32c379d41ba1ff5fe6b5896617f9ea3919a3fc3a10cd3b85196b25d18d8f
SSDEEP: 1536:e6q10k0EFjed6rqJ+6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hyhuhrhC:E1oEFlt6vghzwYu7vih9GueIh9j2IoH7
Malware Config
Extracted
Family: blihanstealer
pomdfghrt
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Signatures

BlihanStealer
Blihan is a stealer written in C++.

Blihanstealer family

Deletes itself (1 IoC)
pid 4416, Process microsofthelp.exe

Executes dropped EXE (1 IoC)
pid 4416, Process microsofthelp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe)

Drops file in Windows directory (2 IoCs)
File created C:\Windows\microsofthelp.exe (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe)
File created C:\Windows\HidePlugin.dll (Process: microsofthelp.exe)

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: microsofthelp.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
PID 3392 wrote to memory of 4416 (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe, procid_target 88)
PID 3392 wrote to memory of 4416 (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe, procid_target 88)
PID 3392 wrote to memory of 4416 (Process: 67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe, procid_target 88)
Processes

1. C:\Users\Admin\AppData\Local\Temp\67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\67dc9a8421c6171f182b6770c11ff140181caba58effbd61386e83330800218b.exe"
   PID: 3392
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\microsofthelp.exe (child of process 1)
      Command line: "C:\Windows\microsofthelp.exe"
      PID: 4416
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 70KB
MD5: 250007b54b5e38b582f226d615067e78
SHA1: 0da643f90277a481bd90c39db0453438e5aa2ab8
SHA256: 76b70dea56f71e6135c3e2fae512739cb20dd13edc9bdcdfe0ec05b4fb05e50a
SHA512: dc7f9f95c348b15adec9db60878aa53ea8151536d1afa83748eaceda5b826ad6a040b43885d9920e0e139be7743d1840ae52ce9da43597c0dbed08c3d3709f98