Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rU7laIXI5D.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.856792003596459
Filename:	rU7laIXI5D.exe
Filesize:	72224
MD5:	c2066aea51ee5eedd9790378151f52da
SHA1:	389a3651a3fb8c5a51f0f0d14848b62ecd4028df
SHA256:	7195e707c8af0b316fe7d3bc0a74dcce3736f6ad7df7a07bcefb22701252c741
SHA512:	f61c73d437bad3523ce0298a75e36fe0accf8dacf460856311eddfd15e2f45cd2e9b0018eeeb84dbbf01486ce1ed88300c33fe9951f4fe05dc2d66a7788f3353
SSDEEP:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRZx:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWv
Preview:	MZ......................@....2..........................................!..L.!This program cannot be run in DOS mode....$.......................................................K.......................`.......Rich....................PE..L......O...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	File and Directory Discovery
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query network adapater information	Malware Analysis System Evasion	System Network Configuration Discovery Ingress Tool Transfer
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates files inside the system directory	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	File and Directory Discovery
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\microsofthelp.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Windows\microsofthelp.exe
Category:	dropped
Dump:	microsofthelp.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\rU7laIXI5D.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.844510359378987
Encrypted:	false
Ssdeep:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRZF:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWX
Size:	72484
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rU7laIXI5D.exe

"C:\Users\user\Desktop\rU7laIXI5D.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4884
Target ID:	0
Parent PID:	4004
Name:	rU7laIXI5D.exe
Path:	C:\Users\user\Desktop\rU7laIXI5D.exe
Commandline:	"C:\Users\user\Desktop\rU7laIXI5D.exe"
Size:	72224
MD5:	C2066AEA51EE5EEDD9790378151F52DA
Time:	11:04:40
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6232
Target ID:	1
Parent PID:	4884
Name:	microsofthelp.exe
Path:	C:\Windows\microsofthelp.exe
Commandline:	"C:\Windows\microsofthelp.exe"
Size:	72484
MD5:	FDB9ABFB08DBA6EDA764C4E18070B285
Time:	11:04:40
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

s-part-0017.t-0009.t-msedge.net

13.107.246.45

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

microsofthelp

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	microsofthelp
Value data:	C:\Windows\microsofthelp.exe

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute and write copy

406000

unkown

page execute and write copy

406000

unkown

page execute and write copy

401000

unkown

page execute and write copy

4C8000

heap

page read and write

40C000

unkown

page write copy

408000

unkown

page execute and read and write

5D0000

heap

page read and write

401000

unkown

page execute and write copy

410000

heap

page read and write

8BF000

stack

page read and write

410000

heap

page read and write

19D000

stack

page read and write

405000

unkown

page execute and read and write

408000

unkown

page execute and read and write

9C000

stack

page read and write

4D6000

heap

page read and write

400000

unkown

page readonly

40C000

unkown

page read and write

40C000

unkown

page write copy

408000

unkown

page execute and write copy

480000

heap

page read and write

1F0000

heap

page read and write

AB0000

heap

page read and write

400000

unkown

page readonly

400000

unkown

page readonly

409000

unkown

page execute and write copy

9C000

stack

page read and write

19D000

stack

page read and write

1F0000

heap

page read and write

7BE000

stack

page read and write

408000

unkown

page execute and write copy

400000

unkown

page readonly

4B0000

heap

page read and write

77F000

stack

page read and write

401000

unkown

page execute and write copy

4BA000

heap

page read and write

45E000

stack

page read and write

405000

unkown

page execute and read and write

4BE000

heap

page read and write

9B0000

heap

page read and write

40C000

unkown

page read and write

5DA000

heap

page read and write

5E8000

heap

page read and write

409000

unkown

page execute and write copy

4C0000

heap

page read and write

5DE000

heap

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rU7laIXI5D.exe

Files

Processes

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportrU7laIXI5D.exe

Files

Processes

Domains

Registry

Memdumps

IOC Report
rU7laIXI5D.exe