Overview

overview

10

Static

static

10

Satınalma...nu.exe

windows10-2004-x64

10

edit.dll

windows10-2004-x64

10

mscorlib.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edit.dll

  • Size

    6.3MB

  • MD5

    4e579141c090b55f8fcfac304bcba923

  • SHA1

    69f39a145cc4c99d9e1861b53684c7b3144fff13

  • SHA256

    85c2a2e3ee850092e4eb62f7f08165bc4883cd36c30b31dc63b57ccbf5f83fbb

  • SHA512

    7223f8891e800c6c2e64ef6b939d7d4aa54ed3efe41f414b72b04ab14abac0a53d77a9bba3caf73b0b34287fcd79d25fce204a4cfd4f2986ae1708fa605ebd32

  • SSDEEP

    49152:6jI+/FaA3QOruUbRvAV+g16jzDHvAeOMSoSkW0Ly2lUhNT8298T0w4YcUiImewIh:peNrulq0ov8n90HoIC2D/Gx9q

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7727146830:AAHPH5G1BgMzNy35r8HXC1DXB8AIv-I_4cA/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\edit.dll,#1
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5848
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\SystemRootDoc" "C:\Users\Admin\SystemRootDoc\rundll32.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\cmd.exe
      cmd.exe /C start "" /D "C:\Users\Admin\SystemRootDoc" "C:\Users\Admin\SystemRootDoc\rundll32.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Users\Admin\SystemRootDoc\rundll32.exe
        "C:\Users\Admin\SystemRootDoc\rundll32.exe"
        3⤵
        • Executes dropped EXE
        PID:5472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\SystemRootDoc\dpnhupnp.dll
    Filesize

    10KB

    MD5

    ba32bb24b7da23bd7ee7ae4b576338cd

    SHA1

    17731367250361c6b1aaf24f988b8dd1150b1e92

    SHA256

    7cf4535e85ec02365c54bf460992344fe1e319381e794e51a7ce0f9cb0438929

    SHA512

    4317c083c491e74ef7e1ad30d79164b3d6ba360f3b83a88d220b21385837049a33c3023c5f9d10c42980c45fecc747d271263242976435abab7612c26e486be4

    Download Submit

  • C:\Users\Admin\SystemRootDoc\rundll32.exe
    Filesize

    70KB

    MD5

    ef3179d498793bf4234f708d3be28633

    SHA1

    dd399ae46303343f9f0da189aee11c67bd868222

    SHA256

    b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

    SHA512

    02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

    Download Submit

  • memory/5848-4423-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/5848-4426-0x000000007541E000-0x000000007541F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5848-4427-0x0000000005EA0000-0x0000000006444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5848-4428-0x0000000005960000-0x00000000059C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5848-4429-0x0000000075410000-0x0000000075BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5848-4430-0x0000000006890000-0x00000000068E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5848-4431-0x0000000006980000-0x0000000006A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5848-4432-0x0000000006910000-0x000000000691A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5848-4433-0x000000007541E000-0x000000007541F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5848-4434-0x0000000075410000-0x0000000075BC0000-memory.dmp

    Filesize

    7.7MB

    Download