Analysis
- max time kernel: 125s
- max time network: 129s
- platform: windows11-21h2_x64
- resource: win11-20250610-en
- resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30/06/2025, 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: Bpl New Po-2000023038.exe
- Resource: win10v2004-20250610-en
Behavioral task: behavioral2
- Sample: concrt141.dll
- Resource: win10v2004-20250619-en
Behavioral task: behavioral3
- Sample: concrt141.dll
- Resource: win11-20250610-en
Behavioral task: behavioral4
- Sample: msedge_elf.dll
- Resource: win10v2004-20250610-en
Behavioral task: behavioral5
- Sample: msedge_elf.dll
- Resource: win11-20250610-en
General
- Target: msedge_elf.dll
- Size: 3.6MB
- MD5: b64096bcd104cc44ac58ccefee86e1bc
- SHA1: 3fc620ea06262fba34432db67a37ebde21c421a7
- SHA256: 5c1c18608cdd8918648425cc85a29f254ca981c7c5a48b245686a47c0391ce5f
- SHA512: 54e84c8f5768a2b23b307686397203d3813116a105b16a864bc10793d5edd6f189b0fd12c9acaa772aab486cfa39339c61d467dee5639715c0be5ddd6feb6d0b
- SSDEEP: 49152:47ppExuQ0dbvh7JFSLBE18nnmGCzkvPkpRgVNM3XHcgODfItFAFYwe/A7JHLt11w:4Vp7IBE1YSC6
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: Asaprocky11
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
Executes dropped EXE (1 IoC)
- pid 5932, process rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by rundll32.exe: \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\rundll32.exe\""
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 1: api.ipify.org
- flow 2: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
- PID 2872 set thread context of 4972 (pid 2872, process rundll32.exe, procid_target 88)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened by msbuild.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4972, process msbuild.exe
- pid 4972, process msbuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege (pid 2872, process rundll32.exe)
- Token: SeDebugPrivilege (pid 4972, process msbuild.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 4972, process msbuild.exe
Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2872 wrote to memory of 2304 (pid 2872, process rundll32.exe, procid_target 85), 4 events
- PID 2872 wrote to memory of 5800 (pid 2872, process rundll32.exe, procid_target 87), 4 events
- PID 2872 wrote to memory of 4972 (pid 2872, process rundll32.exe, procid_target 88), 8 events
- PID 2032 wrote to memory of 1868 (pid 2032, process cmd.exe, procid_target 89), 2 events
- PID 1868 wrote to memory of 5932 (pid 1868, process cmd.exe, procid_target 90), 2 events
Processes
- C:\Windows\system32\rundll32.exe (PID 2872)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2304)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (PID 5800)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (PID 4972)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (PID 2032)
  command line: C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1868)
    command line: cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe (PID 5932)
      command line: "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
      signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads