Windows Analysis Report
5ZjBJd69zi.exe

Overview

General Information

Sample name: 5ZjBJd69zi.exe
renamed because original name is a hash value
Original sample name: 167508c26c39acd68d3ea5229bfde9baeb769002.exe
Analysis ID: 1546800
MD5: f8fe4a90e412f083ba00e5a82aaacd75
SHA1: 167508c26c39acd68d3ea5229bfde9baeb769002
SHA256: acbc0c7b6c149dc9400eaaa19991877ac86b9c3e2d6d54294fc519ad611ea981
Tags: exeReversingLabsuser-NDA0E
Infos:

Detection

Blihan Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blihan Stealer
Creates an autostart registry key pointing to binary in C:\Windows
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 5ZjBJd69zi.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\microsofthelp.exe Avira: detection malicious, Label: TR/Downloader.Gen
Multi AV Scanner detection for submitted file
Source: 5ZjBJd69zi.exe ReversingLabs: Detection: 92%
Machine Learning detection for dropped file
Source: C:\Windows\microsofthelp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 5ZjBJd69zi.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 5ZjBJd69zi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00401C80 FindFirstFileA,FindClose, 0_2_00401C80
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.12:49710
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.12:49717
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_004017C0 HeapFree,InternetOpenA,InternetSetOptionExA,InternetOpenUrlA,GetProcessHeap,InternetReadFile,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlReAllocateHeap,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_004017C0

System Summary
barindex
PE file has a writeable .text section
Source: 5ZjBJd69zi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: microsofthelp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Creates files inside the system directory
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe File created: C:\Windows\microsofthelp.exe Jump to behavior
Source: C:\Windows\microsofthelp.exe File created: C:\Windows\HidePlugin.dll Jump to behavior
Uses 32bit PE files
Source: 5ZjBJd69zi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Windows\microsofthelp.exe Mutant created: \Sessions\1\BaseNamedObjects\pomdfghrt
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 5ZjBJd69zi.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe File read: C:\Users\user\Desktop\5ZjBJd69zi.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\5ZjBJd69zi.exe "C:\Users\user\Desktop\5ZjBJd69zi.exe"
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Process created: C:\Windows\microsofthelp.exe "C:\Windows\microsofthelp.exe"
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Process created: C:\Windows\microsofthelp.exe "C:\Windows\microsofthelp.exe" Jump to behavior
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: wininet.dll Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00401510 lstrcat,LoadLibraryA,GetProcAddress, 0_2_00401510
PE file contains sections with non-standard names
Source: 5ZjBJd69zi.exe Static PE information: section name: .shoooo
Source: 5ZjBJd69zi.exe Static PE information: section name: .imports
Source: microsofthelp.exe.0.dr Static PE information: section name: .shoooo
Source: microsofthelp.exe.0.dr Static PE information: section name: .imports
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_004041C0 push eax; ret 0_2_004041EE
Source: 5ZjBJd69zi.exe Static PE information: section name: .shoooo entropy: 7.835447843663171
Source: microsofthelp.exe.0.dr Static PE information: section name: .shoooo entropy: 7.835447843663171

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Executable created and started: C:\Windows\microsofthelp.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe File created: C:\Windows\microsofthelp.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe File created: C:\Windows\microsofthelp.exe Jump to dropped file

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\microsofthelp.exe File deleted: c:\users\user\desktop\5zjbjd69zi.exe Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Contains functionality to query network adapater information
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: GetProcessHeap,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetAdaptersInfo,GetProcessHeap,HeapFree, 0_2_00401CC0
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00401C80 FindFirstFileA,FindClose, 0_2_00401C80
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00401510 lstrcat,LoadLibraryA,GetProcAddress, 0_2_00401510
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00401000 EntryPoint,GetModuleFileNameA,Sleep,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetWindowsDirectoryA,lstrcat,lstrcmpiA,ExitProcess,Sleep,DeleteFileA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,Sleep,CreateThread,wsprintfA,Sleep,WaitForSingleObject, 0_2_00401000
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00402D5E SetUnhandledExceptionFilter, 0_2_00402D5E
Source: C:\Users\user\Desktop\5ZjBJd69zi.exe Code function: 0_2_00402D70 SetUnhandledExceptionFilter, 0_2_00402D70

Stealing of Sensitive Information
barindex
Yara detected Blihan Stealer
Source: Yara match File source: 5ZjBJd69zi.exe, type: SAMPLE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.4af438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.4af438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5ZjBJd69zi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2405655773.0000000000406000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.2405440885.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2405041765.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3663123424.0000000000406000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2405773168.000000000049E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5ZjBJd69zi.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: microsofthelp.exe PID: 7108, type: MEMORYSTR
Source: Yara match File source: C:\Windows\microsofthelp.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Blihan Stealer
Source: Yara match File source: 5ZjBJd69zi.exe, type: SAMPLE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.4af438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.4af438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5ZjBJd69zi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5ZjBJd69zi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2405655773.0000000000406000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.2405440885.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2405041765.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3663123424.0000000000406000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2405773168.000000000049E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5ZjBJd69zi.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: microsofthelp.exe PID: 7108, type: MEMORYSTR
Source: Yara match File source: C:\Windows\microsofthelp.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546800 Sample: 5ZjBJd69zi.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected Blihan Stealer 2->19 21 2 other signatures 2->21 6 5ZjBJd69zi.exe 1 1 2->6         started        process3 file4 13 C:\Windows\microsofthelp.exe, PE32 6->13 dropped 23 Found evasive API chain (may stop execution after checking mutex) 6->23 25 Drops executables to the windows directory (C:\Windows) and starts them 6->25 27 Creates an autostart registry key pointing to binary in C:\Windows 6->27 10 microsofthelp.exe 1 6->10         started        signatures5 process6 signatures7 29 Antivirus detection for dropped file 10->29 31 Machine Learning detection for dropped file 10->31 33 Deletes itself after installation 10->33
No contacted IP infos