Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

5ZjBJd69zi.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.74620231769737
Filename:	5ZjBJd69zi.exe
Filesize:	74824
MD5:	f8fe4a90e412f083ba00e5a82aaacd75
SHA1:	167508c26c39acd68d3ea5229bfde9baeb769002
SHA256:	acbc0c7b6c149dc9400eaaa19991877ac86b9c3e2d6d54294fc519ad611ea981
SHA512:	5ed8d852eee09d6a92c9b3ffc6feb1fd32a2c0e35e436552e9b5b3d560b1bbc6032a3ed0e3db8aff527457174a202f0f759eb124f21d54ef76f9abf02d087857
SSDEEP:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOvwXIfIE:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbW1
Preview:	MZ......................@....2..........................................!..L.!This program cannot be run in DOS mode....$.......................................................K.......................`.......Rich....................PE..L......O...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query network adapater information	Malware Analysis System Evasion	System Network Configuration Discovery Ingress Tool Transfer
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates files inside the system directory	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	File and Directory Discovery
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	File and Directory Discovery
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\microsofthelp.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Windows\microsofthelp.exe
Category:	dropped
Dump:	microsofthelp.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\5ZjBJd69zi.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.734402464970277
Encrypted:	false
Ssdeep:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOvwXIfIm:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWD
Size:	75084
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\5ZjBJd69zi.exe

"C:\Users\user\Desktop\5ZjBJd69zi.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7092
Target ID:	0
Parent PID:	4088
Name:	5ZjBJd69zi.exe
Path:	C:\Users\user\Desktop\5ZjBJd69zi.exe
Commandline:	"C:\Users\user\Desktop\5ZjBJd69zi.exe"
Size:	74824
MD5:	F8FE4A90E412F083BA00E5A82AAACD75
Time:	10:56:26
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7108
Target ID:	1
Parent PID:	7092
Name:	microsofthelp.exe
Path:	C:\Windows\microsofthelp.exe
Commandline:	"C:\Windows\microsofthelp.exe"
Size:	75084
MD5:	8228E31D55A982D60FF2A093FC32E36E
Time:	10:56:26
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

microsofthelp

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	microsofthelp
Value data:	C:\Windows\microsofthelp.exe

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute and write copy

401000

unkown

page execute and write copy

406000

unkown

page execute and write copy

49E000

heap

page read and write

406000

unkown

page execute and write copy

49A000

heap

page read and write

40C000

unkown

page write copy

409000

unkown

page execute and write copy

89F000

stack

page read and write

400000

unkown

page readonly

405000

unkown

page execute and read and write

400000

unkown

page readonly

409000

unkown

page execute and write copy

68A000

heap

page read and write

408000

unkown

page execute and write copy

405000

unkown

page execute and read and write

698000

heap

page read and write

408000

unkown

page execute and write copy

400000

unkown

page readonly

79E000

stack

page read and write

1F0000

heap

page read and write

75F000

stack

page read and write

410000

heap

page read and write

400000

unkown

page readonly

408000

unkown

page execute and read and write

401000

unkown

page execute and write copy

40C000

unkown

page write copy

19D000

stack

page read and write

680000

heap

page read and write

40C000

unkown

page read and write

40C000

unkown

page read and write

480000

heap

page read and write

420000

heap

page read and write

490000

heap

page read and write

9C000

stack

page read and write

68E000

heap

page read and write

19D000

stack

page read and write

401000

unkown

page execute and write copy

1F0000

heap

page read and write

A40000

heap

page read and write

9C000

stack

page read and write

46E000

stack

page read and write

8F0000

heap

page read and write

408000

unkown

page execute and read and write

410000

heap

page read and write

4B5000

heap

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
5ZjBJd69zi.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report5ZjBJd69zi.exe

Files

Processes

Registry

Memdumps

IOC Report
5ZjBJd69zi.exe