blihanstealer | 62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe
Size

71KB
MD5

5ff90e882d0d4c5d03f7329b98b1a737
SHA1

f3d115343a1dc24eed535a7fd8384bcaa978dc8e
SHA256

62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531
SHA512

d20a5c53bbc32cb1bb0c0fec996a0a61a0fef9dad7a4634de2493c294f4dda6503a66ab361c780a17df5bc10ac0cd838b6ac7f0be3c6be71e879469205da9d53
SSDEEP

1536:/Ao0+j2d6rnJqlIUSJnJBSX1nV1b1N1Il1k1YFI1x1Jz1dd1MhU1l1G31w1G+Fru:/AoVl4lXinJBSX1nV1b1N1Il1k1YFI1Y

Score

10^/10

blihanstealer discovery persistence stealer trojan

Malware Config

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes

user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

BlihanStealer
Blihan is a stealer written in C++.
trojan stealer blihanstealer
Blihanstealer family
blihanstealer

Deletes itself 1 IoCs

pid	Process
540	microsofthelp.exe

Executes dropped EXE 2 IoCs

pid	Process
540	microsofthelp.exe
3608	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 540	2676	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe	85
PID 2676 wrote to memory of 540	2676	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe	85
PID 2676 wrote to memory of 540	2676	62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe	85
PID 408 wrote to memory of 3608	408	cmd.exe	88
PID 408 wrote to memory of 3608	408	cmd.exe	88
PID 408 wrote to memory of 3608	408	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe
"C:\Users\Admin\AppData\Local\Temp\62052ef265f9961dee07d88aeeb511cf887c7cc684e1a47171c218c534151531.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\microsofthelp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\microsofthelp.exe
  C:\Windows\microsofthelp.exe
  2⤵
  - Executes dropped EXE
  PID:3608

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
72KB

MD5
79270905729ac7f9df6c1371a350bdf6

SHA1
633ed42ece5fec89cd58746a604c0f22326cc3e7

SHA256
3a401d4a8f3d23fb60332ed4bfe757a2627fa6ec129094affe9d349e1ee87efa

SHA512
607fbcd3e20d9453073de6117de879737a980f403d74d60ff56b8f7c50ee2e321f9d2442460f822758124fcadda3571f64fcb6c57d7a0c409e5565e616c2f6a3

Download Submit
memory/540-8-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2676-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2676-4-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3608-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads