Overview

overview

10

Static

static

3

a63a8b2cc6...a1.exe

windows7-x64

10

a63a8b2cc6...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a63a8b2cc66e20ceee31abc51cf4e4521c59a8b8e7f2b2b246741c0b69bae7a1.exe

  • Size

    54KB

  • MD5

    4c4bd8320b656966d01874d3f8f89500

  • SHA1

    6dcd7370f2d380f55b657bdd6ae5685a2c3bdb48

  • SHA256

    a63a8b2cc66e20ceee31abc51cf4e4521c59a8b8e7f2b2b246741c0b69bae7a1

  • SHA512

    cef0daa529ece6a062fd75004949e4c03de2690909033c5a1d09b11618c60f8cbe82595b1ec292c7853cf47a4b1a0e164d391dae17a90278948b4ea9be87fe69

  • SSDEEP

    1536:e6q10k0EFjed6rqJ+6v8tvGE9UHrSdghj8bvHRIkhbUIchUh80mhDhNIhH+hjhUY:E1oEFlt6v8tvGE9UHrSdghj8bvHRIkhI

Score
10/10
blihanstealerdiscoverypersistencestealertrojan

Malware Config

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes
  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • BlihanStealer

    Blihan is a stealer written in C++.

    trojanstealerblihanstealer
  • Blihanstealer family
    blihanstealer
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a63a8b2cc66e20ceee31abc51cf4e4521c59a8b8e7f2b2b246741c0b69bae7a1.exe
    "C:\Users\Admin\AppData\Local\Temp\a63a8b2cc66e20ceee31abc51cf4e4521c59a8b8e7f2b2b246741c0b69bae7a1.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5132
    • C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2720
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\microsofthelp.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\microsofthelp.exe
      C:\Windows\microsofthelp.exe
      2⤵
      • Executes dropped EXE
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\microsofthelp.exe
    Filesize

    55KB

    MD5

    abc4589b1a71e7d8936eb656447ac10d

    SHA1

    fc7e1b7f34ecbf4cb3aa97e8f8346beb2014fecc

    SHA256

    e1b94bc11427af75109e8671b607ce8bada72a1d726adce1579d7593f2a4c27c

    SHA512

    268273e869bfa6c7a5adeeda0916dbbfead58c235a6c56c8fb9417b496777a02e3fcbc1647b1023da8a542a351f8695a72780b22791cbdeaadb262c1357543ba

    Download Submit

  • memory/1812-8-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2720-9-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5132-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5132-6-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download