Blihan Stealer - inspection and threat intelligence + OSINT analysis



In this analysis we go through an inspection of a Blihan Stealer sample.


The sample is written in C++. It deletes itself to clear traces, gains persistence by registering itself as an autostart entry under the registry paths HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and HKEY_USERS\<USER_ID>\Software\Microsoft\Windows\CurrentVersion\Run\, and drops the second-stage threat, named microsofthelp.exe, into the C:\Windows folder.






Here we can see the details of the OSINT detections related to the main artifact:




The SHA-256 hash of the dropped second-stage sample is 02d92fd1e712b565f65d334b385057bb63cf390c78bbe0f60f7353dce797d696.


The artifact is registered in the autostart registry keys to gain persistence on the infected asset and keep stealing information:




We can see the mutex created by the infostealer, named pomdfghrt:


Here are the details of the OSINT detections for the artifact microsofthelp.exe, which is packed with the MPress packer:




By performing threat intelligence and OSINT analysis related to Blihan Stealer, we can see associations with the network IOC domain cygdy[.]com:




Here are further details associated with the domain in question (currently not resolvable), which appears to have been created on 15th June 2016 and is also linked to Mirai, RATs, the Lazarus group and fraud:






Here are the details of the correlation between the domain and the Blihan Stealer family threats:





Here is the latest information we have on the older historical WHOIS data, with the domain's registration details:




IOCs:

  • 021f44e1aac94a21e23c3240d3b5aa86
  • 57c5704958e5cac4a13cf38399bd9b3e9b0b24c7
  • 2f66681dbba54a0dd1f1c31c381af52166a5d090f2cd0d18b5cf91218d2b8da3
  • cygdy[.]com
  • pomdfghrt
  • 02d92fd1e712b565f65d334b385057bb63cf390c78bbe0f60f7353dce797d696
  • f4b8bbdda8a02267b1ac22ea45eb6688af62ea13
  • a934643848e32956a89743c1a7d446b6
  • microsofthelp.exe
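
The persistence mechanism, the mutex, the C2 domain and the hash list above are all things a defender wants to turn into machine-checkable indicators. The following Python script is an added example (not code from the original write-up): it classifies each IOC on this page by its shape, refangs the defanged domain, and matches the resulting index against endpoint and DNS telemetry. The event dictionary format and the sample events at the bottom are constructed for the example; only the indicator values are taken from the list above.

```python
"""IOC normalisation and matching for the Blihan Stealer indicators listed above.

Added example, not code from the original write-up. Indicator values come from the
IOC list on this page; the telemetry event schema and SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import hashlib
import re

# Indicators copied verbatim from the IOC list of the write-up.
IOCS = [
    "021f44e1aac94a21e23c3240d3b5aa86",
    "57c5704958e5cac4a13cf38399bd9b3e9b0b24c7",
    "2f66681dbba54a0dd1f1c31c381af52166a5d090f2cd0d18b5cf91218d2b8da3",
    "cygdy[.]com",
    "pomdfghrt",
    "02d92fd1e712b565f65d334b385057bb63cf390c78bbe0f60f7353dce797d696",
    "f4b8bbdda8a02267b1ac22ea45eb6688af62ea13",
    "a934643848e32956a89743c1a7d446b6",
    "microsofthelp.exe",
]

# Autostart key used by the sample; HKCU\... and HKU\<SID>\... share this suffix.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\?$", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator such as cygdy[.]com into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> tuple[str, str]:
    """Map a raw indicator string to (kind, normalised value) by its shape."""
    v = refang(ioc.strip().lower())
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5", v
    if re.fullmatch(r"[0-9a-f]{40}", v):
        return "sha1", v
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    if re.fullmatch(r"[a-z0-9_\-]+\.(exe|dll|scr)", v):   # checked before domains
        return "filename", v
    if re.fullmatch(r"[a-z0-9\-]+(\.[a-z0-9\-]+)+", v):
        return "domain", v
    return "mutex", v   # the only bare string on this page is the mutex name


def build_index(iocs) -> dict[str, set[str]]:
    """Group normalised indicators by kind for O(1) lookups."""
    index: dict[str, set[str]] = {}
    for ioc in iocs:
        kind, value = classify(ioc)
        index.setdefault(kind, set()).add(value)
    return index


def hashes_of(data: bytes) -> dict[str, str]:
    """Compute the three digest types used in the IOC list for a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_event(event: dict, index: dict[str, set[str]]) -> list[str]:
    """Return the reasons one telemetry event (constructed schema) matches the IOC set."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "file":
        for algo in ("md5", "sha1", "sha256"):
            if event.get(algo, "").lower() in index.get(algo, set()):
                hits.append(f"{algo} match")
        if event.get("path", "").lower().rsplit("\\", 1)[-1] in index.get("filename", set()):
            hits.append("filename match")
    elif kind == "registry_set" and RUN_KEY_RE.search(event.get("key", "")):
        # Run-key write whose data points at the known dropper name.
        exe = event.get("data", "").lower().strip('"').rsplit("\\", 1)[-1]
        if exe in index.get("filename", set()):
            hits.append("Run-key persistence pointing at known dropper name")
    elif kind == "dns":
        if event.get("query", "").lower().rstrip(".") in index.get("domain", set()):
            hits.append("C2 domain lookup")
    elif kind == "mutex":
        if event.get("name", "") in index.get("mutex", set()):
            hits.append("known mutex created")
    return hits


def scan(events, index: dict[str, set[str]] | None = None) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event that matches."""
    index = index or build_index(IOCS)
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev, index))]


# Constructed telemetry: four events that should match and two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "microsofthelp", "data": r"C:\Windows\microsofthelp.exe"},
    {"type": "mutex", "name": "pomdfghrt"},
    {"type": "dns", "query": "cygdy.com"},
    {"type": "file", "path": r"C:\Windows\microsofthelp.exe",
     "sha256": "02d92fd1e712b565f65d334b385057bb63cf390c78bbe0f60f7353dce797d696"},
    {"type": "dns", "query": "update.example.com"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], "->", "; ".join(reasons))
```

Feed real EDR or Sysmon exports into `scan()` by mapping their fields onto the constructed event schema; `hashes_of()` is there so that a file pulled from a suspect host can be digested in all three forms the IOC list uses before the lookup.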


YARA rules:

import "vt"

// VirusTotal Livehunt rule. The domain is matched in its real form: captured URLs
// never contain the defanged spelling "cygdy[.]com" used in the IOC list.
rule Blihan_C2_22022026 {
  condition:
    vt.net.url.raw icontains "cygdy.com"
}

rule BlihanStealer_22022026
{
    strings:
        $str = "pomdfghrt"                      // mutex name as ASCII
        $hex = { 70 6f 6d 64 66 67 68 72 74 }   // same bytes in hex form

    condition:
        any of them
}

Sources of the OSINT screenshots: VirusTotal, Tria.ge, SonicWall, Threatbook, OTX AlienVault