Agent Tesla’s New Ride: The Rise of a Novel Loader

A phishing email delivers a novel, polymorphic and obfuscated .NET loader that bypasses AMSI, retrieves an Agent Tesla payload from hxxps://artemis-rat[.]com using a specific User-Agent and optional HTTP proxies, and executes it in memory via reflective loading. The Agent Tesla payload is packed with KoiVM, performs credential theft and keystroke logging, and exfiltrates data over SMTP using compromised email accounts. #AgentTesla #ArtemisRAT

Keypoints

  • Initial access is achieved via a phishing email with an archive attachment named “Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz” that contains the loader.
  • The loader is a .NET executable using obfuscation, packing, and polymorphic decryption routines (two observed variants) to hide configuration and payloads.
  • The loader bypasses AMSI by patching AmsiScanBuffer, uses VirtualProtect to change page protections, and reflectively loads and executes the payload entirely in memory, so the Agent Tesla payload never touches disk (the loader itself arrives as the attachment).
  • Payload retrieval uses specific download URLs (hxxps://artemis-rat[.]com/get/…), requires a custom User-Agent, and can route traffic through public HTTP proxy lists to obfuscate network activity.
  • Payloads are embedded in HTML responses delimited with “:::”, XOR-decrypted with an embedded key, then loaded via .NET reflection to run Agent Tesla in memory.
  • Agent Tesla sample is KoiVM-protected, captures keystrokes and browser credentials, and exfiltrates data via SMTP using hijacked email accounts to reduce detectability.

MITRE Techniques

  • [T1566] Phishing – Initial delivery via a phishing email with an attached archive: [‘Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz’]
  • [T1204] User Execution – Execution occurs when the user opens the disguised attachment: [‘the malicious loader is executed by the user when they open the disguised attachment’]
  • [T1027] Obfuscated Files or Information – Loader uses obfuscation and packing to hide functionality: [‘obfuscation and packing to hide its functionality and evade detection’]
  • [T1036] Masquerading – Attachment and file name impersonate a legitimate bank payment receipt: [‘masquerading as a legitimate bank payment receipt’]
  • [T1548] Bypass User Account Control – Loader attempts to elevate privileges by bypassing UAC: [‘bypasses UAC to gain higher privileges.’]
  • [T1089] Disabling Security Tools (retired ID; current mapping is T1562.001 Impair Defenses: Disable or Modify Tools) – AMSI bypass via patching AmsiScanBuffer to evade in-memory scanning: [‘patching the AmsiScanBuffer function to evade malware scanning of in-memory content.’]
  • [T1620] Reflective Loading – Dynamic in-memory loading and invocation using .NET reflection (Invoke/EntryPoint/Load/Assembly/GetType): [‘Invoke EntryPoint Load Assembly GetType’]
  • [T1056] Input Capture – Agent Tesla performs keystroke logging to capture user input: [‘keystroke logging’]
  • [T1552] Unsecured Credentials – Agent Tesla steals credentials from web browsers: [‘steals credentials from web browsers’]
  • [T1071] Application Layer Protocol – Loader/payload communicates with C2 over HTTPS to retrieve payloads: [‘communicates with its C2 server using HTTPS’]
  • [T1090] Proxy – Use of HTTP proxies (public list) to download payload and mask origin: [‘uses an HTTP proxy server sourced from an open-source list on GitHub’]
  • [T1041] Exfiltration Over C2 Channel – Stolen data is exfiltrated via SMTP using compromised email accounts: [‘exfiltrates stolen data using SMTP via compromised email accounts’]

Indicators of Compromise

  • [SHA256 hashes] Loader variants – ab9cd59d789e6c7841b9d28689743e700d492b5fae1606f184889cc7e6acadcc (Variant 1), a02388b5c352f13334f30244e9eedac3384bc2bf475d8bc667b0ce497769cc6a (Variant 2)
  • [SHA256 hashes] Packed Agent Tesla – e3cb3a5608f9a8baf9c1da86324474739d6c33f8369cc3bb2fd8c79e919089c4, f74e1a37a218dc6fcfabeb1435537f709d742505505a11e4757fc7417e5eb962
  • [Emails] SMTP exfiltration context – sender merve@temikan[.]com[.]tr, receiver frevillon[.]acsitec@proton[.]me
  • [Download URLs] Payload hosting – hxxps://artemis-rat[.]com/get/65f0e7dd5b705f429be16c65, hxxps://artemis-rat[.]com/get/65eb0afe3a680a9851f23712
  • [User-Agent] Required header – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, killer Gecko) Chrome/58.0.3029.110 Safari/537.3
  • [Domains/Lists] Proxy list source – https://github.com/TheSpeedX/PROXY-List/blob/master/http.txt (public list of HTTP proxies; the file name is http.txt, not a defanged URL)
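The indicators above can be swept across egress or web-proxy logs. The following is an added example written for this page, not code from Trustwave or the blog post, and it runs offline over a few constructed log lines. It assumes a simple tab-separated log layout (timestamp, client IP, method, URL, User-Agent), matches the User-Agent exactly (the "killer Gecko" token does not appear in a genuine Chrome string), matches the C2 domain by suffix, and generalises the two observed download paths to `/get/` followed by 24 hex characters; that path pattern is an assumption and is scored low on its own. The third constructed line shows why the User-Agent match matters: when the loader routes through a public HTTP proxy, the destination in the log is the proxy, not artemis-rat[.]com.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post. The User-Agent is matched exactly; "killer Gecko"
# differs from the "like Gecko" token a real Chrome build sends.
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, killer Gecko) Chrome/58.0.3029.110 Safari/537.3")
IOC_DOMAINS = ("artemis-rat.com",)
# Assumption / generalisation: both observed download paths are /get/ plus 24 hex chars.
PAYLOAD_PATH = re.compile(r"^/get/[0-9a-f]{24}$")

# Constructed sample log (tab-separated: timestamp, client IP, method, URL, User-Agent).
# The layout is assumed for the example and is not any product's real format.
SAMPLE_LOG = "\n".join([
    "2024-03-14T09:01:12Z\t10.0.0.5\tGET\thttps://example.com/\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
    "2024-03-14T09:02:40Z\t10.0.0.7\tGET\t"
    "https://artemis-rat.com/get/65f0e7dd5b705f429be16c65\t" + IOC_USER_AGENT,
    # Same host a second later, but via a public HTTP proxy: destination is the proxy
    "2024-03-14T09:02:41Z\t10.0.0.7\tGET\thttp://203.0.113.5:8080/\t" + IOC_USER_AGENT,
    "2024-03-14T09:05:03Z\t10.0.0.9\tGET\t"
    "https://cdn.example.net/get/65f0e7dd5b705f429be16c65\tcurl/8.5.0",
])


def parse_line(line: str) -> dict:
    ts, src, method, url, ua = line.split("\t", 4)
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def domain_matches(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(entry: dict) -> list:
    """Return the list of indicator types the log entry matches (empty if none)."""
    reasons = []
    parts = urlsplit(entry["url"])
    if entry["ua"] == IOC_USER_AGENT:
        reasons.append("user-agent")
    if domain_matches(parts.hostname or ""):
        reasons.append("domain")
    if PAYLOAD_PATH.match(parts.path):
        reasons.append("path")
    return reasons


def scan(log_text: str) -> list:
    """Sweep the log; a User-Agent or domain match is high confidence, path alone is low."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            severity = "high" if ("user-agent" in reasons or "domain" in reasons) else "low"
            hits.append({"ts": entry["ts"], "src": entry["src"], "url": entry["url"],
                         "reasons": reasons, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["src"], hit["url"], ",".join(hit["reasons"]))
```

Running the block reports two high-confidence hits for 10.0.0.7 (one with all three indicators, one caught only by the User-Agent because the request went to a proxy) and one low-confidence path-only hit that would need a second signal before it is worth an alert.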

The infection chain begins with a targeted phishing message containing an archive named to resemble a bank receipt; inside the tar.gz is a .NET loader that keeps its configuration as two parallel lists, one of encrypted strings and one of their decryption keys, and decrypts an entry by index when it is needed. Two polymorphic variants were observed: Variant 1 converts a hex key to bytes, hashes the encrypted string with SHA-256, and subtracts the key bytes from the hash bytes to recover the plaintext; Variant 2 decodes a base64 key and XORs it byte-wise with the encrypted string. The configuration hides the API names the loader needs (VirtualProtect, AmsiScanBuffer / amsi.dll) and the reflection identifiers (Invoke, EntryPoint, Load, Assembly, GetType), so that neither the memory-patching nor the dynamic assembly invocation is visible as a plain string.
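The two decryption routines, as an added example reconstructed from the description above rather than the loader's own code. Under that description, Variant 1's "encrypted" string only seeds a SHA-256 digest and the key carries the plaintext as (digest byte minus plaintext byte), which caps each entry at the 32-byte digest length; the modulo-256 arithmetic, the repeating-key XOR in Variant 2, and the parallel-list config layout with constructed, deterministic keys are assumptions made here so the block runs offline.

```python
import base64
import hashlib

# The API names and reflection identifiers the post says the loader hides in its config.
HIDDEN_STRINGS = ["VirtualProtect", "amsi.dll", "AmsiScanBuffer",
                  "Invoke", "EntryPoint", "Load", "Assembly", "GetType"]


def decrypt_variant1(encrypted: str, hex_key: str) -> bytes:
    """Variant 1: hex key -> bytes, SHA-256 the 'encrypted' string, hash byte minus key byte."""
    key = bytes.fromhex(hex_key)
    digest = hashlib.sha256(encrypted.encode("utf-8")).digest()
    # zip() stops at the key length, so the key length sets the plaintext length (assumed)
    return bytes((h - k) % 256 for h, k in zip(digest, key))


def make_variant1_entry(plaintext: str, encrypted: str) -> str:
    """Return the hex key that makes decrypt_variant1(encrypted, key) yield plaintext."""
    pt = plaintext.encode("utf-8")
    if len(pt) > 32:
        raise ValueError("Variant 1 entries cannot exceed the 32-byte SHA-256 digest")
    digest = hashlib.sha256(encrypted.encode("utf-8")).digest()
    return bytes((h - p) % 256 for h, p in zip(digest, pt)).hex()


def decrypt_variant2(encrypted: bytes, b64_key: str) -> bytes:
    """Variant 2: base64 key -> bytes, byte-wise XOR (key repetition is an assumption)."""
    key = base64.b64decode(b64_key)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(encrypted))


def make_variant2_entry(plaintext: str, key: bytes):
    """XOR is symmetric, so encryption reuses the decrypt routine."""
    b64_key = base64.b64encode(key).decode("ascii")
    return decrypt_variant2(plaintext.encode("utf-8"), b64_key), b64_key


class LoaderConfig:
    """Parallel lists of encrypted entries and keys, resolved by index as the post describes."""

    def __init__(self, variant: int):
        self.variant = variant
        self.encrypted = []
        self.keys = []

    def get(self, index: int) -> str:
        if self.variant == 1:
            return decrypt_variant1(self.encrypted[index], self.keys[index]).decode("utf-8")
        return decrypt_variant2(self.encrypted[index], self.keys[index]).decode("utf-8")


def build_config(variant: int, strings=HIDDEN_STRINGS) -> LoaderConfig:
    """Constructed config with deterministic keys so the example is reproducible."""
    cfg = LoaderConfig(variant)
    for i, s in enumerate(strings):
        if variant == 1:
            enc = f"entry{i}"  # any string works here; only its SHA-256 digest is used
            cfg.encrypted.append(enc)
            cfg.keys.append(make_variant1_entry(s, enc))
        else:
            key = hashlib.sha256(f"key{i}".encode()).digest()[:8]  # constructed 8-byte key
            enc, b64_key = make_variant2_entry(s, key)
            cfg.encrypted.append(enc)
            cfg.keys.append(b64_key)
    return cfg


def recover_all(variant: int) -> list:
    """Decrypt every entry of a freshly built config, mirroring the loader's index lookups."""
    cfg = build_config(variant)
    return [cfg.get(i) for i in range(len(cfg.encrypted))]


if __name__ == "__main__":
    for v in (1, 2):
        print(f"Variant {v}:", recover_all(v))
```

An analyst who has pulled the two lists out of a sample can feed them straight into `decrypt_variant1` or `decrypt_variant2`; the `make_*` helpers exist only to build test data and to make the relationship between key, hash and plaintext explicit.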

Before payload retrieval the loader patches AmsiScanBuffer in memory so that AMSI no longer scans the content it is about to load, then uses VirtualProtect to prepare the memory the payload will occupy. It fetches content from hxxps://artemis-rat[.]com using a strict User-Agent string and, in one variant, routes requests through publicly sourced HTTP proxies (the TheSpeedX PROXY-List) so that connections originate from changing proxy addresses, masking the true source and burying the download in noisy traffic. The returned HTML carries the encoded payload in its body, delimited by “:::”; the loader extracts that segment, XOR-decrypts it with an embedded hex key, loads the resulting byte array via .NET reflection (Assembly.Load) and invokes the assembly's entry point, so the Agent Tesla binary is never written to disk.
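The extraction and decryption step, written here as an added analyst-side example that is not code from the post or from the loader: given a captured HTTP response, it pulls the segment between the first pair of “:::” markers, decodes it, XOR-decrypts it with the hex key, and sanity-checks the result for an MZ header and a PE signature instead of executing it. Base64 as the text encoding, a repeating XOR key, and the two-marker framing are assumptions; the sample response wraps a constructed MZ/PE-shaped stub, not a real assembly, and `SAMPLE_KEY` stands in for whatever key a given sample embeds.

```python
import base64
import struct

# User-Agent the post lists as required by the download server (from the IOC list).
REQUIRED_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, killer Gecko) Chrome/58.0.3029.110 Safari/537.3")
DELIMITER = ":::"
SAMPLE_KEY = "0badc0de"  # constructed hex key; a real sample embeds its own


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; key repetition is an assumption (the post only says XOR with a hex key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(html: str, hex_key: str):
    """Return the decrypted payload between the first two ':::' markers, or None if absent."""
    parts = html.split(DELIMITER)
    if len(parts) < 3:
        return None
    ciphertext = base64.b64decode(parts[1].strip())  # base64 text encoding assumed
    return xor_bytes(ciphertext, bytes.fromhex(hex_key))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' magic and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_sample_response(hex_key: str) -> str:
    """Constructed HTML response carrying an MZ/PE-shaped stub (not a real assembly)."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)          # e_lfanew points just past the DOS stub
    stub += b"PE\x00\x00" + b"\x00" * 0x20            # PE signature followed by padding
    encoded = base64.b64encode(xor_bytes(bytes(stub), bytes.fromhex(hex_key))).decode("ascii")
    return f"<html><body><p>loading</p>{DELIMITER}{encoded}{DELIMITER}</body></html>"


def recover_sample() -> bytes:
    """Round trip: build the constructed response, then extract and decrypt it."""
    return extract_payload(make_sample_response(SAMPLE_KEY), SAMPLE_KEY)


if __name__ == "__main__":
    payload = recover_sample()
    print(len(payload), "bytes, PE header present:", looks_like_pe(payload))
    print("Required header for a live fetch:", {"User-Agent": REQUIRED_USER_AGENT})
```

When working from a real capture, replace `make_sample_response` with the body of the recorded response; if `extract_payload` returns bytes that fail `looks_like_pe`, the encoding or key assumption is wrong for that variant and the decoding stage should be re-derived from the sample.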

The in-memory payload is Agent Tesla protected by KoiVM, which virtualizes .NET CIL to hinder analysis; once running it performs keystroke logging and browser credential theft, then exfiltrates the collected data over SMTP using compromised sender accounts to reduce traceability. Detection and mitigation should focus on email attachment inspection, AMSI integrity monitoring, anomalous process memory modifications (VirtualProtect/WriteProcessMemory patterns), unusual outbound HTTP requests carrying the listed User-Agent or destined for artemis-rat[.]com, and the provided hashes and email indicators. Because the loader is polymorphic and two variants already exist, the hashes will age quickly; the behavioural signals (the AmsiScanBuffer patch, page-protection changes followed by in-memory assembly loading) and the odd User-Agent string are the more durable detections. Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/