Windows Analysis Report
CMCR5hvseX.exe

Overview

General Information

Sample name: CMCR5hvseX.exe
renamed because original name is a hash value
Original sample name: 396e01db56f1c0dfadc628fd7f880d3f697d79c5.exe
Analysis ID: 1546807
MD5: ba09bf0918b0efca89a7930b86885c9e
SHA1: 396e01db56f1c0dfadc628fd7f880d3f697d79c5
SHA256: 014de3156e730a80563fa607f6e9dd7d6a4487f04e4daf7cafdaa958d2b3a310
Tags: exeReversingLabsuser-NDA0E
Infos:

Detection

Blihan Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blihan Stealer
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: CMCR5hvseX.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\microsofthelp.exe Avira: detection malicious, Label: TR/Downloader.Gen
Multi AV Scanner detection for submitted file
Source: CMCR5hvseX.exe ReversingLabs: Detection: 92%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 88.8% probability
Machine Learning detection for dropped file
Source: C:\Windows\microsofthelp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CMCR5hvseX.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: CMCR5hvseX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00401C80 FindFirstFileA,FindClose, 0_2_00401C80
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49733
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49948
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_004017C0 HeapFree,InternetOpenA,InternetSetOptionExA,InternetOpenUrlA,GetProcessHeap,InternetReadFile,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlReAllocateHeap,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_004017C0

System Summary
barindex
PE file has a writeable .text section
Source: CMCR5hvseX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: microsofthelp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Creates files inside the system directory
Source: C:\Users\user\Desktop\CMCR5hvseX.exe File created: C:\Windows\microsofthelp.exe Jump to behavior
Source: C:\Windows\microsofthelp.exe File created: C:\Windows\HidePlugin.dll Jump to behavior
Uses 32bit PE files
Source: CMCR5hvseX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Windows\microsofthelp.exe Mutant created: \Sessions\1\BaseNamedObjects\pomdfghrt
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: CMCR5hvseX.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\CMCR5hvseX.exe File read: C:\Users\user\Desktop\CMCR5hvseX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CMCR5hvseX.exe "C:\Users\user\Desktop\CMCR5hvseX.exe"
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Process created: C:\Windows\microsofthelp.exe "C:\Windows\microsofthelp.exe"
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Process created: C:\Windows\microsofthelp.exe "C:\Windows\microsofthelp.exe" Jump to behavior
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\microsofthelp.exe Section loaded: wininet.dll Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00401510 lstrcat,LoadLibraryA,GetProcAddress, 0_2_00401510
PE file contains sections with non-standard names
Source: CMCR5hvseX.exe Static PE information: section name: .shoooo
Source: CMCR5hvseX.exe Static PE information: section name: .imports
Source: microsofthelp.exe.0.dr Static PE information: section name: .shoooo
Source: microsofthelp.exe.0.dr Static PE information: section name: .imports
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_004041C0 push eax; ret 0_2_004041EE
Source: CMCR5hvseX.exe Static PE information: section name: .shoooo entropy: 7.835447843663171
Source: microsofthelp.exe.0.dr Static PE information: section name: .shoooo entropy: 7.835447843663171

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Executable created and started: C:\Windows\microsofthelp.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\CMCR5hvseX.exe File created: C:\Windows\microsofthelp.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe File created: C:\Windows\microsofthelp.exe Jump to dropped file

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run microsofthelp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\microsofthelp.exe File deleted: c:\users\user\desktop\cmcr5hvsex.exe Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Contains functionality to query network adapater information
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: GetProcessHeap,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetAdaptersInfo,GetProcessHeap,HeapFree, 0_2_00401CC0
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00401C80 FindFirstFileA,FindClose, 0_2_00401C80
Source: C:\Users\user\Desktop\CMCR5hvseX.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\CMCR5hvseX.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00401510 lstrcat,LoadLibraryA,GetProcAddress, 0_2_00401510
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00401000 EntryPoint,GetModuleFileNameA,Sleep,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetWindowsDirectoryA,lstrcat,lstrcmpiA,ExitProcess,Sleep,DeleteFileA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,Sleep,CreateThread,wsprintfA,Sleep,WaitForSingleObject, 0_2_00401000
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00402D5E SetUnhandledExceptionFilter, 0_2_00402D5E
Source: C:\Users\user\Desktop\CMCR5hvseX.exe Code function: 0_2_00402D70 SetUnhandledExceptionFilter, 0_2_00402D70

Stealing of Sensitive Information
barindex
Yara detected Blihan Stealer
Source: Yara match File source: CMCR5hvseX.exe, type: SAMPLE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.6c0860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.CMCR5hvseX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.6c0860.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3384281375.0000000000406000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2145134276.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147458229.0000000000406000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2146667374.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147602765.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CMCR5hvseX.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: microsofthelp.exe PID: 4088, type: MEMORYSTR
Source: Yara match File source: C:\Windows\microsofthelp.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Blihan Stealer
Source: Yara match File source: CMCR5hvseX.exe, type: SAMPLE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.6c0860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.CMCR5hvseX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.microsofthelp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CMCR5hvseX.exe.6c0860.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3384281375.0000000000406000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2145134276.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147458229.0000000000406000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2146667374.0000000000401000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147602765.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CMCR5hvseX.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: microsofthelp.exe PID: 4088, type: MEMORYSTR
Source: Yara match File source: C:\Windows\microsofthelp.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546807 Sample: CMCR5hvseX.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected Blihan Stealer 2->19 21 3 other signatures 2->21 6 CMCR5hvseX.exe 1 1 2->6         started        process3 file4 13 C:\Windows\microsofthelp.exe, PE32 6->13 dropped 23 Found evasive API chain (may stop execution after checking mutex) 6->23 25 Drops executables to the windows directory (C:\Windows) and starts them 6->25 27 Creates an autostart registry key pointing to binary in C:\Windows 6->27 10 microsofthelp.exe 1 6->10         started        signatures5 process6 signatures7 29 Antivirus detection for dropped file 10->29 31 Machine Learning detection for dropped file 10->31 33 Deletes itself after installation 10->33
No contacted IP infos