Agent Tesla Malware Analysis: WSHRAT Acting as a Dropper

Uptycs reports a new campaign where WSHRAT acts as a dropper for Agent Tesla through a multi-stage infection chain emphasizing evasion techniques like steganography and in-memory DLL loading. The campaign begins with phishing emails containing GZ and R00 archives, delivering WSHRAT and Agent Tesla payloads that steal credentials and other sensitive data. #AgentTesla #WSHRAT #0xToxin

Keypoints

  • New campaign shows WSHRAT (VBScript/JavaScript RAT) dropping Agent Tesla payloads for credential theft.
  • Initial access via spam email with two archives attached (GZ and R00).
  • Stage 1 uses steganography to hide a PE binary inside an image, which decrypts to a new DLL.
  • Stage 2 loads another DLL from base64-encoded gzip-compressed data in memory.
  • Stage 3 decrypts to an executable that drops WSHRAT in the Roaming folder, enabling remote commands.
  • WSHRAT collects system info, enables startup persistence, and provides a large set of remote commands; Agent Tesla is dropped in Roaming and used to steal credentials.
  • Extensive IOCs include multiple MD5 hashes and dropped file names associated with both GZip and R00 attachments.
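Stage 2 of the chain keeps its next DLL as base64-encoded, gzip-compressed data and loads it in memory. The following scanner is an added example (not Uptycs's tooling and not part of the report) of how an analyst can triage a dropped file for that pattern: it finds long base64 runs, decodes them, checks for the gzip magic bytes, decompresses, and reports whether the inner payload carries a PE header. The sample input is constructed inline (a fake "MZ" blob wrapped exactly as the text describes, plus a decoy base64 string that is not gzip).

```python
import base64
import gzip
import re
import zlib

# Base64 runs shorter than this are ignored; a compressed PE is far longer.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def find_b64_gzip_payloads(blob: bytes):
    """Scan a file image for base64 runs that decode to gzip data.

    Returns one dict per hit: offset of the base64 run, its length, the
    decompressed size, and whether the inner data starts with an MZ header.
    """
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        # Pad to a multiple of four so a run with stripped padding still decodes.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:
            continue  # not valid base64 (binascii.Error is a ValueError)
        if not decoded.startswith(GZIP_MAGIC):
            continue  # base64, but not a gzip stream
        try:
            inner = gzip.decompress(decoded)
        except (OSError, EOFError, zlib.error):
            continue  # gzip magic present but stream is truncated/corrupt
        hits.append({
            "offset": m.start(),
            "b64_len": len(run),
            "decompressed_len": len(inner),
            "is_pe": inner.startswith(b"MZ"),
        })
    return hits


# --- constructed sample input (not from the report) -------------------------
# A stand-in for a PE: MZ header followed by filler bytes.
FAKE_PE = b"MZ" + bytes(range(256)) * 4
_embedded = base64.b64encode(gzip.compress(FAKE_PE, mtime=0))
# A decoy: long base64 that decodes to plain ASCII, which must be skipped.
_decoy = base64.b64encode(b"A" * 80)
SAMPLE_BLOB = (
    b".class private auto ansi Loader { static string data = \""
    + _embedded
    + b"\"; static string banner = \""
    + _decoy
    + b"\"; }"
)

if __name__ == "__main__":
    for hit in find_b64_gzip_payloads(SAMPLE_BLOB):
        print(hit)
```

Run over a dropped DLL or script instead of `SAMPLE_BLOB` to locate the embedded stage; a hit with `is_pe` set is the in-memory payload worth carving out and hashing against the IOC list.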

MITRE Techniques

  • [T1566.001] Phishing: Attachment – The initial vector was a spam email with two archives attached, a GZ file and an R00 file. ‘In this campaign, the initial vector used by the threat actors was a spam email which had two archives attached, a GZ file and an R00 file.’
  • [T1059.005] VBScript – WSHRAT is VBScript/JavaScript-based malware used as part of the dropper chain.
  • [T1059.007] JavaScript – The R00 archive contains a JavaScript file that drops files during execution. ‘The R00 archive contains a JavaScript file which while executing drops three files in the Roaming folder.’
  • [T1027] Obfuscated/Compressed Files and Information – Stage 1 steganography embeds a PE binary in an image; Stage 2 uses base64-encoded gzip-compressed data within a loaded DLL. ‘The binary Copia de pago.exe uses the Steganography method to embed PE binary in an image file to evade AV/EDR.’ and ‘The newly loaded DLL binary file contains base64-encoded gzip compressed data.’
  • [T1547.001] Registry Run Keys/Startup Folder – WSHRAT creates a startup entry to persist via Run key. ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGosm: "wscript.exe //B "C:\Users\mygame1\AppData\Roaming\MGosm.vbs""’
  • [T1056.001] Input Capture: Keylogging – WSHRAT is described as capable of keylogging and collecting device info.
  • [T1555.003] Credentials in Browser – Agent Tesla’s capability to steal browser credentials and other sensitive data. ‘Agent Tesla malware … steal browser credentials and other sensitive information like VPN client credentials, FTP client credentials, etc.’
  • [T1041] Exfiltration Over C2 – WSHRAT activities include uploading logs to attacker server (bring-log). ‘Bring-log – Upload log to attacker server’
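The Run key value quoted under T1547.001 (a script host started with `//B` against a .vbs in the Roaming folder) is a pattern a defender can hunt for across endpoints. The script below is an added example, not part of the Uptycs report, that parses a `reg query`-style export of the HKCU Run key and scores each value against a few heuristics: script host at logon, script file as the target, batch-mode flag, and a target under a user-writable directory. The export is constructed for the example; its MGosm line mirrors the value quoted above, the other lines are benign filler.

```python
import re

# Script hosts commonly pointed at from a Run key, and the extensions they run.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Locations an unprivileged user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")

# Constructed `reg query HKCU\...\Run` output (not captured from a real host).
SAMPLE_REG_EXPORT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\mygame1\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    MGosm    REG_SZ    wscript.exe //B "C:\Users\mygame1\AppData\Roaming\MGosm.vbs"
    Steam    REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# Value lines are indented: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_run_entries(export: str):
    """Return (name, type, data) for every value line in the export."""
    entries = []
    for line in export.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def assess_run_value(data: str):
    """Return the list of heuristics a single Run value triggers."""
    low = data.lower()
    reasons = []
    if any(host in low for host in SCRIPT_HOSTS):
        reasons.append("script host launched at logon")
    if any(low.rstrip('"').endswith(ext) or ext + '"' in low for ext in SCRIPT_EXTS):
        reasons.append("script file as autorun target")
    if "//b" in low or " /b " in f" {low} ":
        reasons.append("batch mode suppresses script errors and prompts")
    if any(path in low for path in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return reasons


def find_suspicious_run_entries(export: str, min_reasons: int = 2):
    """Return [(name, data, reasons)] for values hitting at least min_reasons heuristics."""
    findings = []
    for name, _type, data in parse_run_entries(export):
        reasons = assess_run_value(data)
        if len(reasons) >= min_reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name}: {data}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two-heuristic threshold keeps ordinary user-installed software (an .exe under AppData\Local) out of the findings while still flagging the script-host-plus-Roaming combination WSHRAT uses; feed it the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` collected from hosts and review anything it returns.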

Indicators of Compromise

  • [MD5 hash] GZip attachment payloads – 3915b18cb04787f2273b56f15ba2c164
  • [MD5 hash] Copia de pago.exe/stage 1 – 6d231b98f7bc3098fd9797c0e1d6744f
  • [MD5 hash] stage 2 – 9ce9b744dcd250e04ddd2a08e6b40c37
  • [MD5 hash] stage 3 – 7d0626010ba6a5408a5844be37fc51b0
  • [MD5 hash] stage 4 – 75f9dd638c7c601e48d2f3ecada80e27
  • [MD5 hash] MGosm.vbs/stage 5 – 42bc41987e5e104aafa3570d52cd4b0c
  • [MD5 hash] nicon4.0origin.exe/stage 6 – 993c330b4f0e94b46664f2f0bf3309c2
  • [MD5 hash] Recibo de pago.js – 7d685c3a21c226778a183ced19fcac28
  • [MD5 hash] dohKlqYtRl.js – 82334b4f98af5abc62a6fcfe554fc0d7
  • [MD5 hash] Vjw0rm – bd992a0055c8f5b4ee92fedac8fa39cd

Read more: https://www.uptycs.com/blog/wshrat-acting-as-a-dropper-for-agent-tesla