Analysis
  max time kernel: 123s
  max time network: 125s
  platform: windows10-2004_x64
  resource: win10v2004-20250610-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/06/2025, 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: Bpl New Po-2000023038.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: concrt141.dll
  Resource: win10v2004-20250619-en
Behavioral task: behavioral3
  Sample: concrt141.dll
  Resource: win11-20250610-en
Behavioral task: behavioral4
  Sample: msedge_elf.dll
  Resource: win10v2004-20250610-en
Behavioral task: behavioral5
  Sample: msedge_elf.dll
  Resource: win11-20250610-en
General
  Target: msedge_elf.dll
  Size: 3.6MB
  MD5: b64096bcd104cc44ac58ccefee86e1bc
  SHA1: 3fc620ea06262fba34432db67a37ebde21c421a7
  SHA256: 5c1c18608cdd8918648425cc85a29f254ca981c7c5a48b245686a47c0391ce5f
  SHA512: 54e84c8f5768a2b23b307686397203d3813116a105b16a864bc10793d5edd6f189b0fd12c9acaa772aab486cfa39339c61d467dee5639715c0be5ddd6feb6d0b
  SSDEEP: 49152:47ppExuQ0dbvh7JFSLBE18nnmGCzkvPkpRgVNM3XHcgODfItFAFYwe/A7JHLt11w:4Vp7IBE1YSC6
Malware Config
Extracted
  agenttesla
  Protocol: smtp
  Host: mail.iaa-airferight.com
  Port: 587
  Username: [email protected]
  Password: Asaprocky11
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Executes dropped EXE (1 IoCs)
    pid   Process
    4480  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\rundll32.exe\""
    Process: rundll32.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    30    api.ipify.org
    31    api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
    description                           pid   Process       procid_target
    PID 2412 set thread context of 2912   2412  rundll32.exe  98
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                         Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2912  AddInProcess32.exe
    2912  AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2412  rundll32.exe
    Token: SeDebugPrivilege  2912  AddInProcess32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    2912  AddInProcess32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process       procid_target
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 2412 wrote to memory of 2912   2412  rundll32.exe  98
    PID 5000 wrote to memory of 5956   5000  cmd.exe       100
    PID 5000 wrote to memory of 5956   5000  cmd.exe       100
    PID 5956 wrote to memory of 4480   5956  cmd.exe       101
    PID 5956 wrote to memory of 4480   5956  cmd.exe       101
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1
  PID: 2412
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    PID: 2912
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (level 1)
  Command line: C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
  PID: 5000
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
    PID: 5956
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe (level 3)
      Command line: "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
      PID: 4480
      Signatures:
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 10KB
  MD5: ba32bb24b7da23bd7ee7ae4b576338cd
  SHA1: 17731367250361c6b1aaf24f988b8dd1150b1e92
  SHA256: 7cf4535e85ec02365c54bf460992344fe1e319381e794e51a7ce0f9cb0438929
  SHA512: 4317c083c491e74ef7e1ad30d79164b3d6ba360f3b83a88d220b21385837049a33c3023c5f9d10c42980c45fecc747d271263242976435abab7612c26e486be4
- Filesize: 70KB
  MD5: ef3179d498793bf4234f708d3be28633
  SHA1: dd399ae46303343f9f0da189aee11c67bd868222
  SHA256: b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
  SHA512: 02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e