Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2025, 04:07
Behavioral task: behavioral1
Sample: b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
Resource: win10v2004-20250217-en
General
Target: b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
Size: 72KB
MD5: 28d319677ad95453ca6f28a7a805216f
SHA1: d266ca0561cb76c4aaf8ad4c94eb16b425453265
SHA256: b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf
SHA512: 4c6844bd2c3edb5e1b255e3dca4035d850c015c4e8e5b792b586a5f9d85f18f8bdef4106fd0f3af683d4d43ca9d230e89daa5899afe239c7c31931db795127d7
SSDEEP: 1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAjUvJQ/johleHhvGhW:lAo1lOwvlKlXBP6vghzwYu7vih9GueIp
Malware Config
Extracted: blihanstealer
pomdfghrt
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Signatures

BlihanStealer
Blihan is a stealer written in C++.

Blihanstealer family

Deletes itself (1 IoCs)
pid | Process
2516 | microsofthelp.exe

Executes dropped EXE (1 IoCs)
pid | Process
2516 | microsofthelp.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\microsofthelp.exe | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
File created | C:\Windows\HidePlugin.dll | microsofthelp.exe

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2520 wrote to memory of 2516 | 2520 | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | 30
PID 2520 wrote to memory of 2516 | 2520 | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | 30
PID 2520 wrote to memory of 2516 | 2520 | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | 30
PID 2520 wrote to memory of 2516 | 2520 | b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe"
  PID: 2520
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\microsofthelp.exe (child of PID 2520)
    Command line: "C:\Windows\microsofthelp.exe"
    PID: 2516
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 72KB
MD5: 8b37ebbdbf57a826f2f35e399355788b
SHA1: 3aa3a4479ec9534b9d504a9afdbbd8b1d2f53b80
SHA256: ba0ec3da0a494a487f56f7c07d2e292356e05db026b06e20d0e3ba07ae460a2b
SHA512: ec5ef9e4d1b0070afc1f4fa82c436d139f34114af3cf434fa0985377454629e8da611aff74a3ca98472e42e5e6a2b1529d5ce5cf0fa2d8be38a4ddc0efdd2d1a