Analysis

  • max time kernel
    125s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64arch:x86image:win11-20250610-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/06/2025, 17:29

General

  • Target

    msedge_elf.dll

  • Size

    3.6MB

  • MD5

    b64096bcd104cc44ac58ccefee86e1bc

  • SHA1

    3fc620ea06262fba34432db67a37ebde21c421a7

  • SHA256

    5c1c18608cdd8918648425cc85a29f254ca981c7c5a48b245686a47c0391ce5f

  • SHA512

    54e84c8f5768a2b23b307686397203d3813116a105b16a864bc10793d5edd6f189b0fd12c9acaa772aab486cfa39339c61d467dee5639715c0be5ddd6feb6d0b

  • SSDEEP

    49152:47ppExuQ0dbvh7JFSLBE18nnmGCzkvPkpRgVNM3XHcgODfItFAFYwe/A7JHLt11w:4Vp7IBE1YSC6

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2304
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
          PID:5800
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4972
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\cmd.exe
          cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe
            "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
            3⤵
            • Executes dropped EXE
            PID:5932

      Network

            MITRE ATT&CK Enterprise v16

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\dpnhupnp.dll

              Filesize

              28KB

              MD5

              e750ca03b67b1b50dace1875cff645d6

              SHA1

              bfcb9780a6357e53c414d96d56291c4eba67cd88

              SHA256

              5cf4a8d9233ae1033788efe8f1296ffe64a314e1c38ccca33fbcbad8f3db4a7f

              SHA512

              e735db461bb583ef07f4a5c69c6b38cb4a6d5782cda587ba55ad3ccd49a048e29cf3dac53824db4c48ae95760b5fe8e841f5fb6430e5f6261d6a9ccf4bc6c318

            • C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe

              Filesize

              72KB

              MD5

              10f08638e7c04d15ba4b4a740087a826

              SHA1

              07888e33210b015c0a206c60826fd40d5c3b5508

              SHA256

              60517f898bfac156cd298fd0a45f2e06cecee232a54667213458b99dc8d80de7

              SHA512

              5c53d3ea3b622f2e1746411642966794e733be1859df085894c075d5bf77215aca6b707913b1d6dd6af76aa81860fa163cd847af215fb805e16ffaf2fc91836a

            • memory/4972-4460-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

            • memory/4972-4463-0x0000000005A50000-0x0000000005FF6000-memory.dmp

              Filesize

              5.6MB

            • memory/4972-4464-0x0000000005490000-0x00000000054A0000-memory.dmp

              Filesize

              64KB

            • memory/4972-4465-0x0000000005310000-0x0000000005376000-memory.dmp

              Filesize

              408KB

            • memory/4972-4466-0x0000000006600000-0x0000000006650000-memory.dmp

              Filesize

              320KB

            • memory/4972-4467-0x00000000066F0000-0x0000000006782000-memory.dmp

              Filesize

              584KB

            • memory/4972-4468-0x0000000006890000-0x000000000689A000-memory.dmp

              Filesize

              40KB

            • memory/4972-4469-0x0000000005490000-0x00000000054A0000-memory.dmp

              Filesize

              64KB