Overview

overview

10

Static

static

3

e96c39e2e3...ff.exe

windows7-x64

10

e96c39e2e3...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24/03/2025, 00:48 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e96c39e2e39407695c120a317ff6a7eb159041989ab1a1e6d689ce1f23860cff.exe

  • Size

    71KB

  • MD5

    1712579bbf8f1918816a8934f2282c8d

  • SHA1

    0ee95c429e1ea88431cb7d65fe469a5817a9528e

  • SHA256

    e96c39e2e39407695c120a317ff6a7eb159041989ab1a1e6d689ce1f23860cff

  • SHA512

    40a36152483da9d1159a9e3951827ac869361b4b504ea44fa203008339556d1b7457e33b6952ea62ed4e2663ec6c32acce961f825b3d9df9614ed72ec4ed756e

  • SSDEEP

    1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIj:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVF

Score
10/10
blihanstealerdiscoverypersistencestealertrojan

Malware Config

Signatures

  • BlihanStealer

    Blihan is a stealer written in C++.

    trojanstealerblihanstealer
  • Blihanstealer family
    blihanstealer
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e96c39e2e39407695c120a317ff6a7eb159041989ab1a1e6d689ce1f23860cff.exe
    "C:\Users\Admin\AppData\Local\Temp\e96c39e2e39407695c120a317ff6a7eb159041989ab1a1e6d689ce1f23860cff.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\microsofthelp.exe
    Filesize

    71KB

    MD5

    5a95205fbf657a9979ce536c25257191

    SHA1

    13c229affd9ca51c824f163536bb3fe569fbc0e9

    SHA256

    ae7349ee4c88bc11316f56c238872adb73f937c08710e6185e1f82e834098a93

    SHA512

    00f0e0c4dbca6491cd921c063249aa7c6982e4835b11ad171d97f390b7eeef261b91e83168d1ee63091e189edb0f4e53d5264e97dc921040f50f9d8ea47f150f

    Download Submit

  • memory/2100-7-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2100-9-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2264-0-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.