Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2025, 00:36 UTC

General

  • Target

    54e73e7360b7bee8ca0fe7b2a5ceb2cd68cd95a7f7baf0b0782b72a832ef2190.exe

  • Size

    65KB

  • MD5

    78b1a9e7ab10ac6b6285c44f7191602e

  • SHA1

    9aa1eac52a8e5e3486987262d622c2d8fd966b56

  • SHA256

    54e73e7360b7bee8ca0fe7b2a5ceb2cd68cd95a7f7baf0b0782b72a832ef2190

  • SHA512

    153b4c1467c38f9f7cc48b3f499d7eebf23695bb491130b1b34b166f24f04764209da5f88a81a9a86b3be93ce334e13f9b99ef0862c1dbc43d626ac70c9c7287

  • SSDEEP

    1536:e6q10k0EFjed6rqJ+6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hyhuhrhK:E1oEFlt6vghzwYu7vih9GueIh9j2IoH3

Malware Config

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes
  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • BlihanStealer

    Blihan is a stealer written in C++.

  • Blihanstealer family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54e73e7360b7bee8ca0fe7b2a5ceb2cd68cd95a7f7baf0b0782b72a832ef2190.exe
    "C:\Users\Admin\AppData\Local\Temp\54e73e7360b7bee8ca0fe7b2a5ceb2cd68cd95a7f7baf0b0782b72a832ef2190.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:1864

Network


Downloads

  • C:\Windows\microsofthelp.exe

    Filesize

    66KB

    MD5

    6f30d8542a6cee4060a354b23a766a1b

    SHA1

    98d543d0568bb6d6b5ddddbcbb0996aa3922e73f

    SHA256

    3457339cccdb92647a9a28bd4308001a085780c1b767441b3554144cffbb338f

    SHA512

    fb99b47e967cff9fcda9a55b4002296603edfce873ec10b59f3819dc8d527e400cc05f7b686870c4b00d28a2192a124b91d26dac2ce19990d934fb4ac465ba22

  • memory/1864-10-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2080-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2080-7-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB
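A hunt over host telemetry for the indicators listed in this report (dropped C:\Windows\microsofthelp.exe and its SHA256, the Run key pointing at it, the dropped binary executing, the self-delete of the dropper, the hard-coded User-Agent and the pomdfghrt mutex). This is an added example, not sandbox output or code from the malware. The event records and handle-listing lines are constructed, shaped like Sysmon fields; the report does not name the Run value, so the value name `microsofthelp` under HKCU is an assumption, and the `NetworkRequest` record stands in for a proxy-log line.

```python
import hashlib
import re

# Indicators taken from the sandbox report above.
DROPPED_PATH = r"C:\Windows\microsofthelp.exe"
DROPPED_SHA256 = "3457339cccdb92647a9a28bd4308001a085780c1b767441b3554144cffbb338f"
MUTEX_NAME = "pomdfghrt"
USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; "
              ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def same_path(a, b):
    """Windows paths are case-insensitive; compare them normalised."""
    return a.lower() == b.lower()


def payload_hash_matches(data: bytes) -> bool:
    """True if `data` is byte-identical to the dropped microsofthelp.exe."""
    return hashlib.sha256(data).hexdigest() == DROPPED_SHA256


def hunt(events):
    """Return [(rule, event_index)] for each record matching a Blihan IOC.

    `events` is a list of dicts carrying Sysmon-style field names. The
    self-delete rule is stateful: whichever process wrote microsofthelp.exe
    is remembered as the dropper, and a later FileDelete of that image by
    the dropped binary is flagged.
    """
    hits = []
    dropper_image = None
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "FileCreate" and same_path(ev.get("TargetFilename", ""), DROPPED_PATH):
            dropper_image = ev.get("Image")
            known = DROPPED_SHA256 in ev.get("Hashes", "").lower()
            hits.append(("drop_payload_known_hash" if known else "drop_payload_path", i))
        elif (kind == "RegistryValueSet"
              and RUN_KEY_RE.search(ev.get("TargetObject", ""))
              and DROPPED_PATH.lower() in ev.get("Details", "").lower()):
            hits.append(("run_key_persistence", i))
        elif kind == "ProcessCreate" and same_path(ev.get("Image", ""), DROPPED_PATH):
            hits.append(("dropped_exe_executed", i))
        elif (kind == "FileDelete" and dropper_image
              and same_path(ev.get("TargetFilename", ""), dropper_image)
              and same_path(ev.get("Image", ""), DROPPED_PATH)):
            hits.append(("dropper_self_delete", i))
        # The User-Agent can appear on any record type (proxy, EDR network event).
        if ev.get("UserAgent") == USER_AGENT:
            hits.append(("blihan_user_agent", i))
    return hits


def mutex_hits(handle_lines):
    """Lines of a handle/object listing that name the Blihan mutex."""
    needle = "\\basenamedobjects\\" + MUTEX_NAME
    return [ln for ln in handle_lines if needle in ln.lower()]


# Constructed telemetry mirroring the process tree in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\54e73e7360b7bee8ca0fe7b2a5ceb2cd68cd95a7f7baf0b0782b72a832ef2190.exe")
EVENTS = [
    {"event": "ProcessCreate", "Image": SAMPLE, "ProcessId": 2080},
    {"event": "FileCreate", "Image": SAMPLE, "TargetFilename": DROPPED_PATH,
     "Hashes": "SHA256=" + DROPPED_SHA256.upper()},
    # Value name "microsofthelp" under HKCU is an assumption; the report does not state it.
    {"event": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp",
     "Details": DROPPED_PATH},
    {"event": "ProcessCreate", "Image": DROPPED_PATH, "ProcessId": 1864, "ParentProcessId": 2080},
    {"event": "FileDelete", "Image": DROPPED_PATH, "TargetFilename": SAMPLE},
    {"event": "NetworkRequest", "UserAgent": USER_AGENT},  # stands in for a proxy-log line
    {"event": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\Temp\benign.tmp"},  # control: must not fire
]
HANDLE_LINES = [  # constructed handle-listing output
    r"microsofthelp.exe pid: 1864 type: Mutant \Sessions\1\BaseNamedObjects\pomdfghrt",
    r"explorer.exe pid: 1200 type: Mutant \Sessions\1\BaseNamedObjects\ShellDesktopSwitchEvent",
]

if __name__ == "__main__":
    for rule, idx in hunt(EVENTS):
        print(f"{rule:26} <- event {idx}: {EVENTS[idx]['event']}")
    for line in mutex_hits(HANDLE_LINES):
        print("mutex                      <-", line)
```

The path and hash rules are the cheap ones; the Run-key and self-delete correlations are what survive a recompiled sample whose hashes no longer match the report, and the User-Agent string is worth a proxy search on its own since it is a fixed IE7/XP string that no modern client sends.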
