Keypoints
- Delivery via malicious VBS attachments that execute wscript to invoke obfuscated PowerShell commands.
- PowerShell stages: initial encoded command decodes into a second PowerShell invocation that downloads an image and extracts hidden data.
- Steganography hides a base64-encoded .NET DLL inside the downloaded JPEG between markers <> and <>.
- The extracted DLL loads into memory, retrieves a reversed URL (http://195.178.120.24/castrnewbaze64.txt), decodes the returned text (base64 + reversal) to produce the final .NET executable payload.
- The DLL performs process injection into the signed RegAsm.exe by calling APIs such as VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext (and Wow64 variants), ZwUnmapViewOfSection, and ResumeThread.
- The final payload collects system fingerprinting data, browser and mail-client credentials, and keystrokes, then exfiltrates via SMTP (port 587) using harvested email credentials/domains (e.g., corpsa.net).
MITRE Techniques
- [T1566.001] Spearphishing Attachment – used to deliver the VBS via deceptive emails (‘Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – the VBS executes multiple PowerShell commands to decode and stage payloads (‘The examined VBS file executed numerous PowerShell commands’)
- [T1027] Obfuscated Files or Information – PowerShell and final executables are obfuscated to evade static analysis (‘Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect.’)
- [T1027.004] Steganography – attackers store the base64-encoded DLL inside a downloaded image and extract it at runtime (‘This image serves as the canvas for steganography, where attackers have concealed their data.’)
- [T1055] Process Injection – the DLL injects the final payload into RegAsm.exe using a sequence of API calls (‘perform process injection into RegAsm.exe’)
- [T1056.001] Input Capture: Keylogging – the malware records keystrokes as part of credential harvesting (‘It is capable of recording keystrokes’)
- [T1005] Data from Local System – the malware searches the disk and collects system fingerprinting data (computer name, serial number, MAC, etc.) (‘searching the disk for valuable data’)
- [T1041] Exfiltration Over C2 Channel (email/SMTP) – harvested data is exfiltrated via SMTP using compromised account credentials and port 587 (‘The observed sample utilizes SMTP as its chosen method of exfiltration.’)
Indicators of Compromise
- [File hashes] VBS/JPEG/DLL/final payload – MD5 e2a4a40fe8c8823ed5a73cdc9a8fa9b9 (VBS), MD5 ec8dfde2126a937a65454323418e28da (JPEG), and 2 more hashes (DLL, final payload SHA256s listed in article).
- [IP address] C2 payload host – 195.178.120.24 (used to fetch castrnewbaze64.txt).
- [Domain] SMTP/exfiltration domain – corpsa.net (domain/email hostname used for SMTP exfiltration and credentials).
- [File name / path] Staged/remote files – castrnewbaze64.txt (remote text file containing reversed+base64 payload), and the downloaded JPEG containing <>/<> markers.
The technical chain begins with a VBS dropper executed by wscript.exe that launches an obfuscated, encoded PowerShell command. The first PowerShell decodes (by replacing obfuscation tokens and base64-decoding) into a second PowerShell invocation which downloads a large JPEG and treats it as a steganographic container. The script looks for explicit markers (<> and <>), extracts the enclosed base64 block, decodes it into a .NET DLL, and loads that DLL into the process via reflection.
The in-memory DLL then resolves a reversed URL parameter, yielding http://195.178.120.24/castrnewbaze64.txt; it downloads that text, reverses and base64-decodes the content to obtain the final .NET executable payload. Instead of spawning a new suspicious binary, the DLL injects the decoded payload into the legitimate Microsoft .NET tool RegAsm.exe so that it runs within a trusted context. The injection sequence uses API calls such as CreateProcessA (to launch the RegAsm.exe host process), VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, GetThreadContext / Wow64GetThreadContext, SetThreadContext / Wow64SetThreadContext, ZwUnmapViewOfSection, and ResumeThread to transfer and activate the payload in the target process.
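The three encoding layers in the staging chain above (base64 over UTF-16LE for the PowerShell -EncodedCommand, a marker-delimited base64 block inside the JPEG, and reversed base64 for the downloaded text) are what an analyst has to peel back when triaging a sample. The following Python is an added example written for this summary, not code from the article or from the malware; the marker strings, URL and payload bytes are constructed placeholders (the real marker strings are not reproduced in this summary), and the "DLL" and "EXE" are stand-in byte strings that merely begin with an MZ header, not real PE files.

```python
import base64
import re
from typing import Dict, Optional


# ---- Layer 1: PowerShell -EncodedCommand is base64 over UTF-16LE text ----
def decode_encoded_command(b64: str) -> str:
    """Decode the argument of a PowerShell -EncodedCommand invocation."""
    return base64.b64decode(b64).decode("utf-16-le")


# ---- Layer 2: base64 block carved from an image between two markers ----
def carve_marker_payload(blob: bytes, start: bytes, end: bytes) -> Optional[bytes]:
    """Return the decoded bytes found between start and end markers, or None.

    The stego container may wrap the base64 text, so whitespace is stripped
    before decoding; validate=True rejects anything that is not clean base64.
    """
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    b64 = re.sub(rb"\s+", b"", blob[i + len(start):j])
    try:
        return base64.b64decode(b64, validate=True)
    except (ValueError, base64.binascii.Error):
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check: PE images start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


# ---- Layer 3: downloaded text is base64 of the payload, then reversed ----
def decode_reversed_base64(text: str) -> bytes:
    return base64.b64decode(text[::-1])


def reverse_url(reversed_url: str) -> str:
    """The DLL stores its download URL reversed; undo that for the report."""
    return reversed_url[::-1]


def triage_sample(encoded_cmd: str, image_blob: bytes, start: bytes, end: bytes,
                  reversed_text: str, reversed_url: str) -> Dict[str, object]:
    """Walk the three layers and report what each one yields."""
    report: Dict[str, object] = {}
    report["stage2_command"] = decode_encoded_command(encoded_cmd)
    dll = carve_marker_payload(image_blob, start, end)
    report["image_carries_pe"] = dll is not None and looks_like_pe(dll)
    report["payload_url"] = reverse_url(reversed_url)
    final = decode_reversed_base64(reversed_text)
    report["final_is_pe"] = looks_like_pe(final)
    return report


# ---- Constructed sample artifacts (placeholders, not from the campaign) ----
START_MARKER = b"<<START_PLACEHOLDER>>"   # assumed marker; real string not known
END_MARKER = b"<<END_PLACEHOLDER>>"       # assumed marker; real string not known
FAKE_DLL = b"MZ" + bytes(62)              # stand-in for the stego-hidden DLL
FAKE_EXE = b"MZ" + bytes(126)             # stand-in for the final payload

SAMPLE_ENCODED_COMMAND = base64.b64encode(
    "Write-Output 'stage two'".encode("utf-16-le")).decode("ascii")
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(32)      # fake JPEG header
                + START_MARKER + base64.b64encode(FAKE_DLL) + END_MARKER
                + b"\xff\xd9")                                    # JPEG end marker
SAMPLE_REVERSED_TEXT = base64.b64encode(FAKE_EXE).decode("ascii")[::-1]
SAMPLE_REVERSED_URL = "http://example.invalid/stage3.txt"[::-1]  # placeholder URL

if __name__ == "__main__":
    print(triage_sample(SAMPLE_ENCODED_COMMAND, SAMPLE_IMAGE, START_MARKER,
                        END_MARKER, SAMPLE_REVERSED_TEXT, SAMPLE_REVERSED_URL))
```

Against a real sample the marker bytes would be taken from the decoded second-stage script, and the MZ check is only a first filter; a hit should be followed by proper PE parsing and detonation in a sandbox rather than trusted on its own.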
Once active, the payload fingerprints the host (computer name, IP, motherboard/processor IDs, MAC), logs keystrokes, and harvests browser and mail-client data (cookies, stored credentials, server settings). Exfiltration is implemented via SMTP: the sample computes the SMTP port (587), retrieves the target domain and email account (example corpsa.net), uses the stored password to authenticate, and sends collected data through the compromised email account. Key IOCs include the provided file hashes for the VBS, JPEG, DLL, and final payload, the C2 IP 195.178.120.24, and the domain corpsa.net.
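The chain summarized above leaves three observable seams for a defender: a script host (wscript.exe) spawning PowerShell with an encoded command, RegAsm.exe being started by a shell or script interpreter rather than by a build or installer tool, and RegAsm.exe opening an outbound SMTP connection. The Python below is an added example for this summary, not code from the article or any product; it runs those three checks over constructed Sysmon-style process-creation and network-connection events (field names, paths and hosts are all made up for the example).

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"} | SCRIPT_HOSTS
SMTP_PORTS = {25, 465, 587}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r"(?<!\S)-e([a-z]*)(?=\s|$)", re.IGNORECASE)


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line uses -EncodedCommand or one of its prefixes.

    '-ea' (ErrorAction) and '-ex' (ExecutionPolicy) are not prefixes of
    'encodedcommand' and therefore do not match.
    """
    return any("ncodedcommand".startswith(m.group(1).lower())
               for m in _ENC_FLAG.finditer(cmdline))


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that matches a stage of the described chain."""
    alerts: List[Dict] = []
    for idx, ev in enumerate(events):
        img = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        if ev["type"] == "process_create":
            # T1059.001: script host -> PowerShell with an encoded command
            if (img in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS
                    and has_encoded_command(ev.get("cmdline", ""))):
                alerts.append({"event": idx, "technique": "T1059.001",
                               "reason": f"{parent} launched PowerShell with an encoded command"})
            # T1055: RegAsm.exe started by a shell/script host is a candidate injection host
            if img == "regasm.exe" and parent in SHELLS:
                alerts.append({"event": idx, "technique": "T1055",
                               "reason": f"RegAsm.exe started by {parent}"})
        elif ev["type"] == "network_connect":
            # T1041: RegAsm.exe has no business talking SMTP
            if img == "regasm.exe" and ev.get("dst_port") in SMTP_PORTS:
                alerts.append({"event": idx, "technique": "T1041",
                               "reason": f"RegAsm.exe connected to SMTP port {ev['dst_port']}"})
    return alerts


# Constructed telemetry (not real logs): the chain from the summary plus one benign RegAsm use.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "cmdline": r"wscript.exe C:\Users\user\Downloads\shipment.vbs"},
    {"type": "process_create", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQA"},
    {"type": "process_create", "image": REGASM, "parent": PS, "cmdline": "RegAsm.exe"},
    {"type": "network_connect", "image": REGASM, "dst_host": "mail.example.invalid", "dst_port": 587},
    # Benign: a developer tool registering an assembly; must not alert.
    {"type": "process_create", "image": REGASM,
     "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "RegAsm.exe /codebase MyLib.dll"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Each rule alone produces noise (administrators do run encoded PowerShell, and RegAsm.exe is a legitimate tool), so in practice the three alerts would be correlated by host and time window; seeing all three in sequence on one machine is a much stronger signal than any one of them.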