Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2025, 06:18 UTC

General

  • Target

    1 (601).exe

  • Size

    55KB

  • MD5

    52a2bb69f2c4000b9fb73b9b201d4ce0

  • SHA1

    a4481c96ac27c3e3585094dcc1037b1dce28bf16

  • SHA256

    171e03ee551c8d354140720ae36b9ddea7d6ef7d30edeffe569e0dadc610d1d1

  • SHA512

    c6b4e790502192348d35d1de6c851fa3bbc60ad244ccc2554b923124ba381f024e217eba792b163d2598479515960402674fb444828d68db2f5cf7f7ed0acfae

  • SSDEEP

    1536:e6q10k0EFjed6rqJ+6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hyhuhrh7:E1oEFlt6vghzwYu7vih9GueIh9j2IoHo

Malware Config

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes
  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • BlihanStealer

    Blihan is a stealer written in C++.

  • Blihanstealer family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1 (601).exe
    "C:\Users\Admin\AppData\Local\Temp\1 (601).exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:1964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\microsofthelp.exe

    Filesize

    56KB

    MD5

    2cd9a779af6ea6e138c1089661d973f3

    SHA1

    9f25214bdbedd00a7e75caf748f5f1d44ded3e3f

    SHA256

    777bd7ead01268ca940076f2413f22746858d43d79adcf1a9ca08c50cdd20674

    SHA512

    00bf5b3b7dd8b5ed79eed04ebea05ef3874173c12dd2bafe3875daf2237daf304b2c45724597e7093e6b50ee8474c826f48b81e2ce19582d2993eb8c7fcbf6d4

  • memory/1964-10-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1964-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2988-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2988-3-0x0000000000220000-0x000000000022E000-memory.dmp

    Filesize

    56KB

  • memory/2988-8-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB
