SPW AW25 — PO.010 SMS.exe.exe (AgentTesla)
- Category: CTI
- Source article: https://medium.com/@1200km/spw-aw25-po-010-sms-exe-exe-agenttesla-767fbc920295
- Published: 2025-03-24
- Preserved media: 45 image(s), including cover images, screenshots, diagrams, and infographics where present.
- Preserved technical blocks: 5 code/configuration block(s).
Ecosystem Fit
This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.
SPW AW25 — PO.010 SMS.exe.exe
Malware research report
Summary
Malware Overview
Static Analysis
Threat Intelligence Lookup
Dynamic Analysis
Yara Rules
Conclusion
Summary
As cybercriminals continue to exploit every opportunity to breach systems and steal sensitive information, AgentTesla remains one of the most persistent and widely used malware strains in the wild. Distributed mainly through phishing emails and malicious attachments, AgentTesla disguises itself as legitimate content, such as invoices, shipping notices, or business correspondence, tricking users into executing the payload.
Once installed, the malware quietly begins harvesting usernames, passwords, credit card details, and other sensitive information stored in the victim's browsers, email clients, and applications. It also records keystrokes and monitors clipboard data to capture anything typed or copied, including login credentials and crypto wallet addresses.
Cybersecurity researchers have observed how AgentTesla's operators leverage current events and social engineering tactics to enhance the malware's spread, often tailoring campaigns to specific industries or global crises. The stolen data is then exfiltrated to remote servers, where attackers can use it for further criminal activities such as financial fraud, unauthorized access, or sale on underground forums.
AgentTesla's ability to evade traditional antivirus solutions, coupled with its continuous evolution and ease of use, ensures that it remains a potent tool in the hands of cybercriminals and a serious threat to users and organizations worldwide.
Sample Analyzed
- **Sample Analyzed:** SPW AW25 — PO.010 SMS.exe.exe
- **Analysis Tools:** Custom-built tool

- **File Name:** SPW AW25 — PO.010 SMS.exe.exe
- **File Path:** /home/sulik/Documents/MalwareAnalysis/SPW AW25 — PO.010 SMS.exe.exe
- **MD5:** 7c89b48a2752a771eb6457fe2fea1d8e
- **SHA-1:** afb602ef798b23f400fd3d474cb570aa781797c4
- **SHA-256:** 3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce
- **File Size:** 1482240 bytes (1.41 MB)
- **File Type:** application/vnd.microsoft.portable-executable
- **Entropy:** 7.85 (⚠️ High: possible packing/encryption)
- **Permissions:** -rw-rw-r--
- **PE Compilation Timestamp:** 2024-09-20 08:52:48 (✅ Legit)
The file has a high entropy level (7.85 bits per byte, where 8.0 is the maximum), so it is probably packed or obfuscated. Keep in mind that a .NET assembly carrying large compressed or encrypted resources scores just as high, so entropy is a hint to unpack, not proof of a packer by itself.
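The fields in the summary above (hashes, size, entropy, COFF compile timestamp, packing verdict) can be reproduced with the standard library alone. The following is an added example, not the author's custom-built tool: it parses the PE header by hand to read the timestamp, scores entropy against a threshold, and flags a zero or future timestamp as implausible. The `build_fake_pe` helper and the 7.2 bits/byte threshold are assumptions for the demo; the input it builds is a constructed minimal PE, not the sample.

```python
"""Static triage of a PE file: hashes, Shannon entropy and COFF compile timestamp.

Added example (standard library only), not the author's custom tool. The PE used
in the demo is a constructed minimal header plus a payload, not the sample.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Above this many bits/byte the file is most likely packed or encrypted;
# ordinary compiled code and metadata usually land between 5.5 and 6.8.
ENTROPY_WARN = 7.2


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file, hex encoded."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(data: bytes):
    """COFF TimeDateStamp as an aware UTC datetime, or None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]     # IMAGE_FILE_HEADER.TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(data: bytes) -> dict:
    """The same fields as the file summary in the report, plus a packing verdict."""
    ent = shannon_entropy(data)
    stamp = pe_timestamp(data)
    now = datetime.now(timezone.utc)
    return {
        **hashes(data),
        "size": len(data),
        "entropy": round(ent, 2),
        "packed_suspected": ent >= ENTROPY_WARN,
        "compile_time": stamp.isoformat() if stamp else None,
        # A stamp of zero, or one in the future, is a common sign of tampering or
        # a reproducible build; anything else is merely "plausible", not "legit".
        "timestamp_plausible": stamp is not None
        and datetime(2000, 1, 1, tzinfo=timezone.utc) <= stamp <= now,
    }


def build_fake_pe(payload: bytes, stamp: int) -> bytes:
    """Constructed test input: DOS stub, e_lfanew, PE signature, COFF header, payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # headers start right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    # A byte-uniform payload stands in for a packed section: entropy near 8.0.
    packed = build_fake_pe(bytes(range(256)) * 256, 1726822368)  # 2024-09-20 08:52:48 UTC
    plain = build_fake_pe(b"A" * 65536, 1726822368)
    for name, sample in (("packed", packed), ("plain", plain)):
        print(name, triage(sample))
```

Run it against the real sample with `triage(open(path, "rb").read())`; the hashes should match the summary above, and the entropy verdict is what tells you to go to UnpacMe before bothering with static disassembly.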
Basic file information (CFF)

DOS header:

File header (NT)

The import table contains only a limited number of DLL references.

This file is probably packed or obfuscated. You can try one of my favorite platforms to unpack this file:https://www.unpac.me/
🔍 UnpacMe — What Is It?
UnpacMe is an online malware unpacking and analysis platform. It is designed to automatically unpack packed or obfuscated PE (Portable Executable) files and provide cleaned, unpacked samples for deeper analysis. Note that samples uploaded there are shared with the service (and, depending on your plan, with other users), so check your handling rules before submitting anything sensitive.

Upload file:

The unpacked files are now available for download and further analysis.
First: d1f4761e2e1e15fe454a70864c3aa1da7d6dc90582222bbd7e6d53d0bbee6f62

Rename the file to a more concise name, for example, Example1.exe.
The file was subsequently scanned on VirusTotal to determine its detection status and gather preliminary threat intelligence.

This file is obfuscated using SmartAssembly, a .NET obfuscator and packer developed by Red Gate Software.

SmartAssembly is a .NET obfuscator and packer developed by Red Gate Software. It is designed to protect .NET applications from reverse engineering by making the code harder to decompile or analyze.
For deobfuscation of this file, use de4dot, a well-regarded open-source tool for reversing .NET obfuscation: https://github.com/de4dot/de4dot
de4dot is an open-source .NET deobfuscator used to reverse obfuscation applied to .NET assemblies. It is popular among malware analysts and reverse engineers for unpacking and cleaning obfuscated .NET malware. It does not support every obfuscator version, so verify its output: an assembly it reports as cleaned can still hide a further layer, as the later stages of this analysis show.

No dedicated protector has been detected at this stage.

Next, we will extract the deobfuscated strings using a straightforward tool.

The deobfuscated strings will be further analyzed using AI-driven techniques to identify hidden patterns and potential indicators of malicious behavior.
WINDOWS_API_COMMANDS
- GetPixel: retrieves the color of a pixel at a specified location from a device context (usually the screen or an image).
- SetPixel: sets the color of a pixel at a specified location.
- Sleep: suspends execution for a specified time (milliseconds), often used to delay or throttle execution.
- getModuleHandle: retrieves a handle to a loaded module (DLL or EXE) in the current process (the Win32 export is GetModuleHandle; the lower-case spelling is how the string appears in the dump).
These suggest interaction with the screen (reading and modifying pixels) and some control over process timing and module handling.
CMD_COMMANDS
- Call: invokes a batch file or function within a batch file.
- Color: sets the text color of the console.
- Convert: usually used to convert file systems (e.g., FAT to NTFS).
- Copy: copies files or folders.
- Exit: terminates the command interpreter or a script.
- Type: displays the contents of a text file.
These are basic file manipulation and console control commands, commonly seen in batch scripting or when a DLL is used to execute system commands. Caveat: the same tokens are also ordinary .NET identifiers (System.Convert, System.Type, File.Copy, Environment.Exit, Color in System.Drawing), and GetPixel/SetPixel are methods of System.Drawing.Bitmap, so this string set on its own is weak evidence of shell execution. Treat it as a lead and confirm it dynamically; the Procmon process tree in the Dynamic Analysis section does show powershell.exe and schtasks.exe being spawned.
Likely Functionality of This DLL
This DLL appears to have capabilities for:
- Screen manipulation or monitoring, using GetPixel and SetPixel (could be for capturing screen data, automation, or visual changes).
- Process or execution control, via Sleep and getModuleHandle.
- Interacting with the Windows command line, possibly executing scripts or commands for file management, console manipulation, or running other executables.
Potential Use Cases:
- Automation tools (e.g., screen-based bots or macros).
- Simple remote administration tools (RATs) or malware (if used maliciously to manipulate the screen and run commands).
- Scripting support DLL for a larger application that performs file operations and screen interactions.
Next file is:
1f4334739853d5429d42f45cad3420878dea54aa1399c2d2461cd2b5e7862459

The file has been renamed to example2.exe for clarity in subsequent analysis.

Open in CFF:

The original filename is ChomeSetup(1).exe; let's rename the file for clarity. A suspiciously high level of entropy was observed, indicating potential packing or obfuscation.

The .text section, containing the raw executable code, appears to be packed, suggesting an additional layer of obfuscation that may require further unpacking for detailed analysis.

Next, the de4dot tool was applied to attempt deobfuscation of the packed code.

DeepSea Obfuscator was found and cleaned

DeepSea Obfuscator was detected and its obfuscation layer was successfully removed.

An additional tier of packing was detected, necessitating further unpacking to expose the underlying code structure.

The next file, exhibiting similar characteristics to those from the previous tier of packing, was downloaded and renamed to Tyrone.dll for further analysis.

A quick scan was performed using VirusTotal to assess the file’s detection status.

Analysis using DIE (Detect It Easy) indicates that the file is obfuscated.

The file was then processed with de4dot to remove the obfuscation, revealing its underlying structure and clarifying the embedded metadata for further analysis.

Next, extract the strings from both the obfuscated and deobfuscated files, then perform a comparative analysis to highlight differences in structure and reveal critical insights into the malware’s underlying functionality.
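The before/after string comparison that follows (for Tyrone.dll here, and again for AgentTesla.txt vs. AgentTesla2.txt later) is easy to automate. The block below is an added example, not the author's String_Analyser: it extracts ASCII and UTF-16LE strings the way the `strings` tool does, diffs two dumps, groups hits by capability keyword, and scores how many identifier-like strings look machine-generated. `BEFORE` and `AFTER` are constructed blobs imitating a .NET assembly before and after de4dot (they reuse identifiers quoted in this report such as AdXaxFT50 and VaultGetItem); the keyword table and the random-name heuristic are assumptions for illustration.

```python
"""Extract printable strings from two binaries and diff them (obfuscated vs. cleaned).

Added example, not the author's String_Analyser. BEFORE and AFTER are constructed
byte blobs that imitate a .NET assembly before and after de4dot; they are not the
real Tyrone.dll dumps, and the keyword table is an assumption for illustration.
"""
import re

# Capability keywords a reviewer looks for first in a .NET stealer/loader dump.
CAPABILITY_KEYWORDS = {
    "network": ("WebClient", "DownloadFile", "HttpWebRequest", "SmtpClient"),
    "credentials": ("VaultGetItem", "SmtpPassword", "GetKeyboardState", "SetWindowsHookEx"),
    "native_interop": ("LoadLibraryA", "GetProcAddress", "GetModuleHandle", "VirtualAlloc"),
    "anti_analysis": ("Mutex", "IsDebuggerPresent", "Sleep"),
}


def extract_strings(data: bytes, min_len: int = 5) -> set:
    """ASCII and UTF-16LE ("wide") runs of printable characters, like the `strings` tool.

    The wide scan starts on any printable byte followed by NUL, so an ASCII string
    immediately followed by a wide one can be glued to it; real dumps are usually
    padded, and the constructed blobs below separate entries with NUL pairs.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16le") for m in wide_re.finditer(data)}
    return found


def compare_dumps(before: bytes, after: bytes) -> dict:
    """Strings unique to each file and strings both share, sorted for diffing."""
    s1, s2 = extract_strings(before), extract_strings(after)
    return {
        "only_before": sorted(s1 - s2),
        "only_after": sorted(s2 - s1),
        "common": sorted(s1 & s2),
    }


def capability_hits(strings, keywords=CAPABILITY_KEYWORDS) -> dict:
    """Group the strings that contain a capability keyword, by category."""
    hits = {}
    for s in strings:
        for category, needles in keywords.items():
            if any(needle in s for needle in needles):
                hits.setdefault(category, set()).add(s)
    return {k: sorted(v) for k, v in hits.items()}


def looks_random(identifier: str) -> bool:
    """Heuristic for obfuscator-generated names such as AdXaxFT50 or Cg9pvSzv61."""
    return (
        re.fullmatch(r"[A-Za-z0-9_]{6,}", identifier) is not None
        and any(c.isdigit() for c in identifier)
        and any(c.isupper() for c in identifier)
        and any(c.islower() for c in identifier)
    )


def obfuscation_ratio(data: bytes) -> float:
    """Share of identifier-like strings that look machine-generated (0.0 if none)."""
    idents = [s for s in extract_strings(data) if re.fullmatch(r"[A-Za-z0-9_]+", s)]
    return sum(looks_random(s) for s in idents) / len(idents) if idents else 0.0


def _blob(entries) -> bytes:
    """Constructed 'binary': MZ stub followed by NUL-pair-separated string entries."""
    return b"MZ\x90\x00" + b"\x00" * 12 + b"\x00\x00".join(entries) + b"\x00\x00"


BEFORE = _blob([
    b"mscorlib", b"System.Reflection", b"System.Windows.Forms", b"WebClient",
    b"DownloadFile", b"AdXaxFT50", b"Cg9pvSzv61", b"x7Qw9ZkL2p", b"*_~@", b"XT8",
    b"LoadLibraryA", b"GetProcAddress",
])
AFTER = _blob([
    b"mscorlib", b"System.Reflection", b"System.Resources.ResourceReader",
    b"System.Globalization.CultureInfo", b"WebClient", b"DownloadFile",
    b"LoadLibraryA", b"GetProcAddress",
    "SmtpPassword".encode("utf-16le"), "VaultGetItem".encode("utf-16le"),
])

if __name__ == "__main__":
    diff = compare_dumps(BEFORE, AFTER)
    print("only in obfuscated dump:", diff["only_before"])
    print("only in cleaned dump:   ", diff["only_after"])
    print("capabilities (cleaned): ", capability_hits(extract_strings(AFTER)))
    print("random-name ratio:", obfuscation_ratio(BEFORE), "->", obfuscation_ratio(AFTER))
```

On real files pass `open(path, "rb").read()` for both arguments; the wide scan matters because .NET user strings (the `#US` heap) are stored as UTF-16, so an ASCII-only `strings` run misses exactly the configuration values (SMTP host, password, mutex name) you are after.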

Tyron1.txt — Obfuscated/Baseline State
- The file contains heavily obfuscated strings; patterns like `*_~@`, `XT8`, and hex-like sequences dominate.
- Embedded .NET metadata is present: System.Reflection, System.Windows.Forms, System.Drawing, mscorlib, etc.
- Names like Tyrone.dll and many random-looking base64-style strings suggest .NET assembly obfuscation.
- Functionality hints:
  - Mentions of WebClient, System.Net, DownloadFile, Process, System.Threading.Thread, and System.IO imply possible network capabilities, file handling, and process/thread management.
  - Presence of Mutex suggests anti-multi-instance or anti-analysis logic.
  - Various System.Security.*, System.Runtime.InteropServices, and LoadLibraryA/GetProcAddress references indicate potential for native code interop (P/Invoke), possibly unpacking or injection mechanisms.
- Common malware techniques visible: memory manipulation, encoding/decoding (Base64), resource management, error handling, obfuscation.
Tyron2.txt — After Deobfuscation
- The file still includes the PE header and section names, but:
  - Strings are more readable and organized.
  - Many deobfuscated .NET references appear in clean form (e.g., System.Resources.ResourceReader, System.Globalization.CultureInfo, System.Drawing.Size).
  - There are key-value-like entries resembling resource entries, configuration settings, or possibly decrypted embedded resources.
- Cleaned references to System.Resources, System.CodeDom, System.Globalization, etc., show metadata and reflection usage clearly.
Comparative Insights
Obfuscation Layer Removed: Tyron2.txt clearly shows decrypted/decoded metadata and strings which in Tyron1.txt were heavily obfuscated or encrypted.
Post-Deobfuscation Reveal:
- The file likely uses resource-based storage (e.g., embedded encrypted data in resources).
- Heavy usage of system libraries, reflection, and resource access, typical of malicious loaders or droppers.
Potential Malicious Behavior:
- Download and execution of payloads (WebClient, DownloadFile, ProcessStartInfo, Start, LoadLibraryA).
- Use of a mutex, encoding, and thread manipulation, common anti-analysis or persistence tactics.
- Strings like ApplicationException, MessageBox, and Environment.Exit indicate error-handling paths; Environment.Exit in particular lets the process terminate quietly when something fails, which is typical of malware trying to avoid attention.
Conclusion
- Tyron1.txt: obfuscated version of a likely .NET-based dropper or loader with signs of malicious behavior.
- Tyron2.txt: post-deobfuscation, the functionality becomes clearer, confirming network communication, reflection-based loading, and system interaction.
- The code structure and patterns are very characteristic of malware, particularly commodity malware loaders or information stealers.
- Taken together, this is a .NET-based malware employing heavy obfuscation, dynamic resource loading, and potential payload injection. These are string-based inferences; the behavior itself is confirmed in the Dynamic Analysis section.
Let's download and analyze the next file:

Perform a quick analysis using VirusTotal to assess the file's detection status and gather initial threat intelligence.

> The file is confirmed to be obfuscated, indicating efforts to evade analysis or detection.

Let's rename this file to AgentTesla.exe

Attempt deobfuscation using de4dot (or your chosen tool).

Comparative Analysis of AgentTesla.txt vs AgentTesla2.txt
Quick Overview
Both files are string dumps from the same malware sample: Agent Tesla, a well-known .NET-based Remote Access Trojan (RAT) and info-stealer. They differ in their level of deobfuscation and string parsing clarity.

| File | State | Key Differences |
|---|---|---|
| AgentTesla.txt | Partially obfuscated | Raw method tokens, numeric IDs, scattered string references |
| AgentTesla2.txt | Deobfuscated/parsed | Clean class, method, and variable names; organized structures |

Key Similarities
Both contain:
- PE headers (e.g., "This program cannot be run in DOS mode.")
- PE sections: .text, .rsrc, .reloc.
- References to .NET CLR v4.0.30319, confirming it's a .NET executable.
- Method tokens such as $$method0x600..., typical for decompiled .NET binaries.
- Use of HMACSHA1, SHA256, RijndaelManaged, which points to encryption and hashing for payloads or data theft.
- System.IO, System.Net, System.Windows.Forms, System.Threading, System.Xml, System.Management, etc., indicating a wide range of system interactions.
Key Differences
AgentTesla.txt (Obfuscated State)
- Many raw method references, e.g. $$method0x6000190-1, with no clear mapping to what they do.
- Variable names are meaningless, such as AdXaxFT50, Cg9pvSzv61, etc.
- Contains lower-level structure: GUIDs, Base64-like strings, and Win32 API calls (e.g., kernel32, user32, Advapi32, GetModuleHandle, etc.).
- Indicators of cryptography: HMAC, SHA1Managed, RijndaelManaged, ComputeHash, FromBase64String.
- Potential persistence and keylogging: hooks (SetWindowsHookEx, GetKeyboardState), file handling, clipboard access, and email exfiltration (SmtpSSL, MailMessage).
- The obfuscation shows use of packers/protectors or manual obfuscation to deter reverse engineering.
AgentTesla2.txt (Deobfuscated State)
- Contains clarified class/method names, e.g. get_AdXaxFT50, get_UInt32_0, get_Byte_0, GClass10, GDelegate0.
- Organized structure: class numbers and variable names give a clear hierarchical structure (e.g., GClass0, GClass1, GStruct0).
- Dynamic loading and interop clearly visible: e.g., Marshal, CreateThread, VirtualMemoryRead, MapViewOfFile.
- Clear exfiltration targets: PublicIpAddressGrab, Clipboard, KeyloggerInterval, SmtpPassword, VaultGetItem, CreateFile, GetLastAccessTime, etc.
- Behavioral indicators: references to screen capture, clipboard logging, file system monitoring, registry access, password vault stealing, and network credential harvesting.
Behavioral Profile (Both Files)
- Malicious intent confirmed: clear evidence of password stealing, network credential access, keylogging, and data exfiltration.
- Uses email via SMTP for exfiltration: strings like SmtpSSL, SmtpPort, SmtpClient, SmtpPassword.
- Interaction with Windows vaults and secure storage: VaultEnumerateItems, VaultGetItem, passwordVaultPtr.
- Heavy use of reflection and dynamic invocation: GetType, GetField, MethodInfo, common for anti-analysis or dynamic payload execution.
- Interaction with Windows APIs for low-level access: file mapping, memory read/write, process injection potential.
Conclusion
- AgentTesla.txt: obfuscated, raw dump. More chaotic, hard to analyze quickly.
- AgentTesla2.txt: deobfuscated, with a structured, clear view of the malware logic.
- Both confirm classic Agent Tesla functionality: data theft, persistence, and evasion.
- No strange unrelated text like in the Tyron files (no HIV-related filler), suggesting more professionally maintained malware.
Tyrone.dll comparison
After complete unpacking, three files named Tyrone.dll were identified. However, a hash comparison revealed that one of these files has a different hash, suggesting potential variations in functionality or configuration that merit further investigation.

One of the Tyrone.dll files has already been analyzed, so the next step is to examine the remaining file for further discrepancies.

The remaining Tyrone.dll sample is also obfuscated. Preliminary analysis indicates that it appears to exhibit similar functionality to the previously analyzed Tyrone.dll files, suggesting a consistent operational role across these components.
Static Analysis Summary
Two Tiers of Packing (Revised)
- **First Tier (Outer Layer):** Unpacking the primary executable yielded five separate files. The high entropy of the outer layer initially signaled that the file was packed or encrypted, which aligns with standard obfuscation methods to hinder static analysis.
- **Second Tier (Inner Layer):** Among the extracted files, one was found to be further packed. This secondary packed file required an additional round of unpacking, revealing deeper nested code structures and embedded resources. This process highlights the multi-layered approach employed by the malware to complicate analysis.

Multiple Layers of Obfuscation
- **Obfuscation Techniques:** The malware uses commercial .NET obfuscators (SmartAssembly on the outer stage, DeepSea Obfuscator on an inner stage), alongside custom string encoding and encryption.
- **Layered Defense:** Initial analysis reveals heavily obfuscated strings and metadata. After applying deobfuscation (e.g., using de4dot), clearer .NET references (such as those to System.Reflection, System.Drawing, etc.) and structured resource entries become visible, exposing the underlying malicious logic.
Functionality of Unpacked and Deobfuscated Files
- **Primary Executable (SPW AW25 — PO.010 SMS.exe.exe):**
  - Initially obscured by packing and obfuscation, it reveals calls to Windows API functions like GetPixel/SetPixel (suggesting screen interaction), Sleep (timing control), and getModuleHandle (module management).
  - Basic file operations and command executions (via CMD commands) hint at its role in initiating further malicious actions.
- **DLL Components (e.g., Tyrone.dll):**
  - Post-deobfuscation, these DLLs exhibit functionality for dynamic resource loading and extended system interactions.
  - They reference network communication methods (such as WebClient/DownloadFile) and include elements like mutex usage, reflection, and P/Invoke techniques, which are typical for payload loaders or droppers.
- **AgentTesla Components:**
  - Separate analysis of related string dumps (AgentTesla.txt vs. AgentTesla2.txt) confirms classic remote access and info-stealing capabilities.
  - The obfuscated state hides critical functions (keylogging, clipboard monitoring, and exfiltration routines) that are clearly revealed upon deobfuscation.
Probable Behavior and Functionality of the Malware
- **Multi-Stage Deployment:** The sample operates as a multi-layered .NET malware loader or dropper, using successive unpacking and deobfuscation to reveal deeper levels of malicious code.
- **Malicious Capabilities:**
  - **Screen Interaction & Process Control:** The use of Windows API functions (e.g., GetPixel/SetPixel) implies potential screen monitoring or manipulation.
  - **Network & File Operations:** Decrypted strings reveal capabilities for file management, dynamic payload download, and process/thread management, suggesting remote administration or data exfiltration functionality.
  - **Anti-Analysis Measures:** Techniques like mutex usage, reflection, and heavy obfuscation serve to hinder reverse engineering and evade detection.
- **Overall Impact:** The combination of these behaviors is consistent with malware designed for persistence, covert operation, and data theft, characteristics seen in known families like AgentTesla.
Conclusion
The static analysis of SPW AW25 — PO.010 SMS.exe.exe reveals a sophisticated .NET-based malware that employs at least two tiers of packing along with multiple layers of obfuscation. Each unpacked and deobfuscated file, whether the main executable or an accompanying DLL, contributes to a coordinated malicious framework. The sample demonstrates functionality ranging from screen and process manipulation to network communication and data exfiltration, consistent with modern droppers or information stealers designed to evade analysis and detection.
Threat Intelligence Lookup: AgentTesla
- **Name:** AgentTesla
- **Type:** Remote Access Trojan (RAT), Infostealer
- **First Seen:** 2014
- **Status:** Active, widespread
- **Distribution Methods:**
  - Phishing emails with malicious attachments (Office docs, executables in ZIP/RAR)
  - Malicious links
  - Exploit-based payloads (CVE-2017-11882, CVE-2017-0199)
Key Capabilities:
- Credential theft (browsers, email clients, FTP, VPN)
- Keylogging
- Clipboard monitoring (crypto theft)
- Data exfiltration (SMTP, FTP, HTTP)
- Persistence via registry Run keys and scheduled tasks
Exploitation:
- Uses Office document exploits (the Equation Editor memory-corruption bug CVE-2017-11882, remote OLE/HTA loading via CVE-2017-0199) to achieve code execution without macros.
- Frequently obfuscated with packers and protectors (e.g., Themida, UPX); this sample instead used layered .NET obfuscators (SmartAssembly, DeepSea Obfuscator).
- Exploits human factors through social engineering and topical lures (e.g., invoices, shipment notices; here a purchase-order-themed file name).
Targets:
- Global, across multiple industries
- Especially prevalent in SMBs, logistics, finance, and manufacturing
TTPs (Tactics, Techniques, Procedures):
- Initial Access: Spearphishing Attachment (T1566.001)
- Execution: User Execution (T1204.002), Exploitation for Client Execution (T1203)
- Persistence: Scheduled Task (T1053.005), Registry Run Keys (T1547.001)
- Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001, the Defender exclusion seen in this sample), Obfuscated Files or Information (T1027)
- Credential Access: Credentials from Password Stores (T1555), Input Capture: Keylogging (T1056.001)
- Collection: Clipboard Data (T1115), Screen Capture (T1113)
- Exfiltration: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003, SMTP/FTP) or over the C2 channel (T1041, HTTP)
IOCs (Common Indicators):
- Domains/IPs for C2 and exfiltration (dynamic, often changing); a DNS lookup of api.ipify.org shortly after execution is a common precursor
- Unusual SMTP/FTP traffic from user workstations
- File hashes (vary per campaign; behavior-based detection preferred)
Dynamic Analysis
1. Pre-Execution Confirmation
- Snapshot Verification: Ensure the system snapshot is intact and all necessary monitoring tools are operational.
- **Analysis Tool:** Procmon log analysis
- **File Type:** Executable (.exe)
- **Environment:** Windows 10
Process tree:

Performed a drill-down into the processes:
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe"
```
Explanation:
This PowerShell command uses the Microsoft Defender configuration cmdlet Add-MpPreference to add an exclusion for the malware's own file path.
- **Command Breakdown:**
  - Add-MpPreference: a PowerShell cmdlet (Defender module) used to change Microsoft Defender settings.
  - -ExclusionPath: specifies a folder or file path that Defender will skip during scans.
  - "C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe": the malware's exact file path being excluded.
Impact:
- This action disables detection of the malware by Microsoft Defender Antivirus for that path, allowing it to operate undetected.
- It is a classic defense evasion technique (ATT&CK T1562.001): self-whitelisting to avoid quarantine or deletion.
Security Implication:
- This is red-flag behavior typical of malicious software aiming to persist longer on the system without interference.
- It also shows the malware had sufficient permissions to modify Defender preferences. Add-MpPreference requires administrator rights, so the sandbox user here was a local administrator; run as a standard user the cmdlet fails with an access-denied error and triggers no UAC prompt, so this evasion only works on hosts where the victim is an admin.
- To check a suspect host, list the configured exclusions with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and remove rogue entries with `Remove-MpPreference -ExclusionPath <path>`; Defender also records configuration changes in the Microsoft-Windows-Windows Defender/Operational event log (event ID 5007), which is the place to alert on this.
Next
```
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
```
What is conhost.exe?
- The legitimate Windows Console Host process. It provides the console window (input/output rendering) for cmd.exe, powershell.exe, schtasks.exe and any other console application.
- Windows starts a conhost.exe instance automatically whenever a console application is launched; `0xffffffff -ForceV1` is its standard command line on current Windows versions, and the NT-style `\??\` path prefix some tools display is simply how the system itself launches it. On their own these arguments are not evidence of tampering or of a user-initiated action.
- In this trace the conhost.exe instances are a side effect of the PowerShell and schtasks.exe processes the sample spawned. The indicators of interest are the parent process (the sample) and the child command lines, not conhost.exe itself; a console spawned this way does not hide the shell, which remains visible in Task Manager and Procmon.
Next
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Malware\AppData\Roaming\IbwIIBmUDWimTZ.exe"
```
- The same Defender self-exclusion as in the first process, this time for the copy the malware dropped under AppData\Roaming.
The same exclusion command is issued for further files: wlBldyvi.exe and SPW AW25 — PO.010 SMS.exe.exe.
```
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IbwIIBmUDWimTZ" /XML "C:\Users\Malware\AppData\Local\Temp\tmpBF68.tmp"
```
**Component Explanation**
- schtasks.exe: a legitimate Windows utility used to create, delete, or modify scheduled tasks. Frequently abused by malware for persistence (ATT&CK T1053.005).
- /Create: instructs schtasks to create a new scheduled task.
- /TN "Updates\IbwIIBmUDWimTZ": assigns a task name, placed under an "Updates" folder to look like a legitimate updater. The name IbwIIBmUDWimTZ is likely randomized per build to avoid simple name-based detection.
- /XML "C:\Users\Malware\AppData\Local\Temp\tmpBF68.tmp": the task's configuration is supplied via an XML file written to the Temp directory. This file defines what the task does (the binary to execute, triggers, and conditions). The tmp file is normally deleted right after registration, so recover the definition from the task store instead: `schtasks /Query /TN "Updates\IbwIIBmUDWimTZ" /XML` prints it, and the raw XML is stored at C:\Windows\System32\Tasks\Updates\IbwIIBmUDWimTZ.
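The process-tree review above (Defender self-exclusion via Add-MpPreference, persistence via schtasks /Create with an XML definition from Temp) can be turned into a small detector. The block below is an added example, not part of the original report: it runs two rules over constructed process-creation records that mirror the sandbox trace (the paths under C:\Users\Malware and the dropped name IbwIIBmUDWimTZ come from the report; the pipe-separated record format and the benign administrator line are assumptions), raises severity when the excluded path is the parent process itself or lives in a user-writable directory, and deliberately ignores the conhost.exe children.

```python
"""Flag Defender self-exclusion and scheduled-task persistence in process-creation records.

Added example, not from the original report. The records below are constructed to
mirror the Procmon process tree described above (the sandbox paths under
C:\\Users\\Malware and the dropped name IbwIIBmUDWimTZ come from the report; the
pipe-separated record format and the benign admin line are assumptions).
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a Defender exclusion or a task
# definition pointing here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\", "\\users\\public\\")

# Add-MpPreference accepts -ExclusionPath, -ExclusionProcess and -ExclusionExtension;
# the value is either "quoted" (may contain spaces) or a single bare token.
EXCLUSION_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_XML_RE = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)


@dataclass
class Event:
    parent: str   # full path of the parent image
    image: str    # full path of the created process
    cmdline: str  # command line of the created process


def parse_log(text: str) -> list:
    """One record per line: parent|image|command line (command lines never contain '|')."""
    events = []
    for line in text.strip().splitlines():
        parent, image, cmdline = line.split("|", 2)
        events.append(Event(parent.strip(), image.strip(), cmdline.strip()))
    return events


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _arg(match) -> str:
    """Value of a (?:"quoted"|bare) argument group pair."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def analyze(events) -> list:
    """Return findings with ATT&CK technique IDs; conhost.exe children are ignored."""
    findings = []
    for ev in events:
        image = ev.image.lower()
        if image.endswith("\\conhost.exe"):
            # Windows starts conhost.exe for every console app; judge the parent, not conhost.
            continue
        if image.endswith("\\powershell.exe") and "add-mppreference" in ev.cmdline.lower():
            for m in EXCLUSION_RE.finditer(ev.cmdline):
                target = m.group(2) if m.group(2) is not None else m.group(3)
                self_exclusion = target.lower() == ev.parent.lower()
                findings.append({
                    "technique": "T1562.001",          # Impair Defenses: Disable or Modify Tools
                    "kind": m.group(1),
                    "target": target,
                    "parent": ev.parent,
                    "severity": "high" if self_exclusion or in_user_writable(target) else "medium",
                })
        if image.endswith("\\schtasks.exe") and "/create" in ev.cmdline.lower():
            name = TASK_NAME_RE.search(ev.cmdline)
            xml = TASK_XML_RE.search(ev.cmdline)
            xml_path = _arg(xml) if xml else None
            findings.append({
                "technique": "T1053.005",              # Scheduled Task
                "task": _arg(name) if name else None,
                "xml": xml_path,
                "parent": ev.parent,
                "severity": "high" if xml_path and in_user_writable(xml_path) else "medium",
            })
    return findings


# Constructed records mirroring the sandbox process tree, plus one benign
# administrator exclusion (an assumption) to show the lower severity.
LOG = r"""
C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\conhost.exe|\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Malware\AppData\Roaming\IbwIIBmUDWimTZ.exe"
C:\Users\Malware\Desktop\Sample2\SPW AW25 - PO.010 SMS.exe.exe|C:\Windows\System32\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IbwIIBmUDWimTZ" /XML "C:\Users\Malware\AppData\Local\Temp\tmpBF68.tmp"
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Add-MpPreference -ExclusionPath C:\BuildAgent\work
"""

if __name__ == "__main__":
    for finding in analyze(parse_log(LOG)):
        print(finding["severity"].upper(), finding["technique"], finding)
```

In production the same two rules map directly onto Sysmon event ID 1 or Windows Security event 4688 (with command-line logging enabled); the severity split matters because administrators do add exclusions, but almost never for a file sitting in their own Desktop or AppData, and never for the process that is issuing the command.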
Task scheduler:


Found two identical files (same hash):

This file was excluded from Defender scanning in a previous step.
VirusTotal check:

The file, likely a version of ChromeSetup(1).exe, was analyzed during the Static Analysis stage.
Execution of the child file demonstrates identical functionality.

The behavior diagram below illustrates the file's execution flow.

Network:
```
03/24/25 09:06:21 AM [ DNS Server] Received A request for domain 'api.ipify.org'.
03/24/25 09:06:22 AM [ Diverter] SPW AW25 - PO.010 SMS.exe.exe (2428) requested TCP 192.0.2.123:443
```
FakeNet:
FakeNet-NG answered the DNS query with its default diverted address 192.0.2.123 and absorbed the HTTPS connection. The request itself is AgentTesla's public-IP lookup (the PublicIpAddressGrab string seen statically), which it performs before reporting to its operator.

Real Net:

Below is the summary of the dynamic analysis conducted on the sample.
Behavioral Characteristics:
- **Data Exfiltration:** Agent Tesla is designed to steal sensitive information such as credentials, keystrokes, and clipboard data from infected systems.
- **Persistence Mechanisms:** The malware establishes persistence by creating a scheduled task (Updates\IbwIIBmUDWimTZ) and modifying registry keys to ensure it runs at startup.
- **Defense Evasion:** It adds exclusions for its own files to Microsoft Defender via PowerShell (Add-MpPreference) so they are skipped by scans.
Network Indicators:
- **Public IP lookup:** The sample resolves api.ipify.org immediately after launch. The address observed on the real network, 104.26.12.205, is that service's resolved address in a Cloudflare CDN range; it is not an attacker-controlled C2 and is a weak, context-only indicator (alert on the DNS query coming from an unexpected process, not on the IP, which is shared with many legitimate sites).
- **C2 / exfiltration channel:** The sample exfiltrates collected data to its operator over SMTP (SmtpClient, SmtpSSL, SmtpPassword strings). The exfiltration endpoint is not listed in this report; recover it from the deobfuscated configuration strings or from a live-network capture.
File System Activity:
- **Dropped Files:** The malware drops executable files in the AppData\Roaming directory, such as IbwIIBmUDWimTZ.exe, which are used to carry out its malicious activities.
YARA rules
```yara
import "hash"

rule AgentTesla_SPWAW25_FullDetection
{
    meta:
        description    = "Detects Agent Tesla variant SPW AW25 - PO.010 SMS.exe.exe using hash, behavior, and IoCs"
        author         = "Malware Researcher"
        malware_family = "Agent Tesla"
        md5            = "7c89b48a2752a771eb6457fe2fea1d8e"
        sha1           = "afb602ef798b23f400fd3d474cb570aa781797c4"
        sha256         = "3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce"
        reference      = "Full Malware Research Report"

    strings:
        // Unique and high-confidence IoCs
        $p1    = "Add-MpPreference" wide ascii
        $p2    = "ExclusionPath" wide ascii
        $s1    = "schtasks.exe" wide ascii
        $s2    = "/Create /TN \"Updates\\IbwIIBmUDWimTZ\"" wide ascii
        $s3    = "tmpBF68.tmp" wide ascii            // per-run temp name; only matches this execution
        $f1    = "IbwIIBmUDWimTZ.exe" wide ascii
        $api1  = "GetPixel" wide ascii
        $api2  = "SetPixel" wide ascii
        $api3  = "Sleep" wide ascii                  // generic; only counts towards the threshold
        $api4  = "getModuleHandle" wide ascii
        $comm1 = "smtp." wide ascii
        $comm2 = "MailMessage" wide ascii
        $vault = "VaultGetItem" wide ascii
        $net   = "api.ipify.org" ascii
        $ip    = "104.26.12.205" ascii               // resolved address of api.ipify.org; rarely a literal

    condition:
        uint16(0) == 0x5A4D and
        (
            hash.md5(0, filesize) == "7c89b48a2752a771eb6457fe2fea1d8e"
            or 7 of ($p*, $s*, $f*, $api*, $comm*, $vault, $net, $ip)
        )
}
```
Notes for anyone deploying this rule: the `hash` module must be imported for `hash.md5` to resolve, and hashing every scanned file is expensive, so keep the hash branch only for targeted triage; `uint16(0) == 0x5A4D` checks the two-byte MZ signature; the strings from the dynamic run (`tmpBF68.tmp`, the task name, the dropped file name) only fire on the unpacked stages or on memory, not on the packed outer file, so scan process memory or the UnpacMe output rather than the original attachment.
Conclusion
AgentTesla continues to be a major cyber threat due to its effectiveness in stealing sensitive information and its widespread use in phishing campaigns. Its constant evolution, ease of use, and ability to bypass traditional defenses make it a favored tool among cybercriminals. Vigilance, up-to-date security measures, and user awareness are key to defending against this persistent malware.
References
Tools Used:
- Process Monitor (Procmon), Sysinternals
- Wireshark / tshark, network analysis
- VirusTotal, malware hash and detection analysis
- CFF Explorer, PE (Portable Executable) analysis
- Regshot, registry monitoring
- FakeNet-NG, network simulation
- UnpacMe, de4dot, Detect It Easy (DIE), unpacking and deobfuscation
- Custom string analysis tools (String_Analyser)
Threat Intelligence Sources:
- Any.Run sandbox analysis
- VirusTotal
- Abuse.ch MalwareBazaar
- CyberSec Sentinel
- SecurityOnline.info
- Emerging Threats IDS signatures
- Malwarebytes Threat Intelligence blog
Additional Documentation:
- MITRE ATT&CK Framework: https://attack.mitre.org
- Sysinternals Suite documentation, Microsoft