Analysis Overview
SHA256
b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf
Threat Level: Known bad
The file b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf was found to be: Known bad.
Malicious Activity Summary
Blihanstealer family
BlihanStealer
Deletes itself
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 04:07
Signatures
Blihanstealer family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 04:07
Reported
2025-02-27 04:10
Platform
win7-20241023-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
BlihanStealer
Blihanstealer family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\microsofthelp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\microsofthelp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
| File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
| PID 2520 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
| PID 2520 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
| PID 2520 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
"C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe"
C:\Windows\microsofthelp.exe
"C:\Windows\microsofthelp.exe"
Network
Files
memory/2520-0-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2520-6-0x0000000000400000-0x000000000040F000-memory.dmp
C:\Windows\microsofthelp.exe
| MD5 | 8b37ebbdbf57a826f2f35e399355788b |
| SHA1 | 3aa3a4479ec9534b9d504a9afdbbd8b1d2f53b80 |
| SHA256 | ba0ec3da0a494a487f56f7c07d2e292356e05db026b06e20d0e3ba07ae460a2b |
| SHA512 | ec5ef9e4d1b0070afc1f4fa82c436d139f34114af3cf434fa0985377454629e8da611aff74a3ca98472e42e5e6a2b1529d5ce5cf0fa2d8be38a4ddc0efdd2d1a |
memory/2516-9-0x0000000000400000-0x000000000040F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 04:07
Reported
2025-02-27 04:10
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
BlihanStealer
Blihanstealer family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\microsofthelp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\microsofthelp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
| File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\microsofthelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3080 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
| PID 3080 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
| PID 3080 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe | C:\Windows\microsofthelp.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe
"C:\Users\Admin\AppData\Local\Temp\b50033ffc563ae8e149574b75a726aaaa970cfb168fb538ad6df098e3f87cedf.exe"
C:\Windows\microsofthelp.exe
"C:\Windows\microsofthelp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3080-0-0x0000000000400000-0x000000000040F000-memory.dmp
C:\Windows\microsofthelp.exe
| MD5 | 8b37ebbdbf57a826f2f35e399355788b |
| SHA1 | 3aa3a4479ec9534b9d504a9afdbbd8b1d2f53b80 |
| SHA256 | ba0ec3da0a494a487f56f7c07d2e292356e05db026b06e20d0e3ba07ae460a2b |
| SHA512 | ec5ef9e4d1b0070afc1f4fa82c436d139f34114af3cf434fa0985377454629e8da611aff74a3ca98472e42e5e6a2b1529d5ce5cf0fa2d8be38a4ddc0efdd2d1a |
memory/3080-4-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3396-6-0x0000000000400000-0x000000000040F000-memory.dmp