Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign

This analysis describes a multi-stage Agent Tesla campaign that begins with a spearphishing email and an obfuscated JScript (.jse) loader which downloads encrypted PowerShell stages from catbox[.]moe. The attack proceeds with reflective .NET assembly loading and process hollowing of Aspnet_compiler.exe combined with virtualization checks to harvest browser cookies and credentials for exfiltration. #AgentTesla #Aspnet_compiler

Keypoints

  • Initial access is achieved via a business-themed spearphishing email (e.g., subject “New purchase order PO0172”) with a RAR attachment containing a JScript (.jse) loader.
  • The JSE loader fetches a secondary, encrypted PowerShell script from file-hosting (catbox[.]moe), using script-based obfuscation and evasion.
  • The second-stage PowerShell drops two Base64-encoded .NET assemblies and uses reflective loading and process hollowing against C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe to run in memory.
  • Post-injection checks probe WMI for virtualization indicators (VMware, VirtualBox, Hyper-V) and may halt activity if a sandbox is detected.
  • Agent Tesla proceeds to harvest sensitive information, notably browser cookies (hostnames, expiry dates, security flags) and credentials from local stores, then exfiltrates data (SMTP indicated).
  • Fortinet protections (FortiMail, FortiEDR, FortiGate, FortiGuard services) are noted as capable of blocking various stages including phishing, memory-based attacks, malicious downloads, and malicious attachments.
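The chain in the Keypoints above (wscript.exe running the .jse, PowerShell fetching the stage from catbox[.]moe, Aspnet_compiler.exe spawned with no real arguments) is something a defender can hunt for in process-creation telemetry. The following is an added example, not Fortinet's tooling or anything from the original report: it reconstructs process lineage from constructed Sysmon-style events and flags each stage plus the full wscript → powershell → Aspnet_compiler.exe chain; the event shape, field names and sample command lines are assumptions.

```python
from dataclasses import dataclass

STAGE_HOST = "files.catbox.moe"  # second-stage host from the report (files[.]catbox[.]moe)

@dataclass
class ProcEvent:           # Sysmon Event ID 1 style process-creation record (assumed shape)
    pid: int
    ppid: int
    image: str             # full path of the new process
    cmdline: str           # command line as logged

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def ancestry(by_pid, pid, depth=6):
    """Image basenames from the process up through its parents (bounded walk)."""
    chain = []
    while pid in by_pid and depth > 0:
        chain.append(basename(by_pid[pid].image))
        pid, depth = by_pid[pid].ppid, depth - 1
    return chain

def detect(events):
    """Return (rule, pid) hits for each stage of the described chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name, cmd = basename(e.image), e.cmdline.lower()
        if name in ("wscript.exe", "cscript.exe") and ".jse" in cmd:
            hits.append(("jse_loader", e.pid))
        if name == "powershell.exe" and STAGE_HOST in cmd:
            hits.append(("stage_download", e.pid))
        if name == "aspnet_compiler.exe":
            lineage = ancestry(by_pid, e.pid)
            # hollowing targets are started with no real arguments, usually by a script host
            no_args = cmd.strip('" ') == e.image.lower()
            if no_args or "powershell.exe" in lineage[1:]:
                hits.append(("aspnet_compiler_hollowing_candidate", e.pid))
            if lineage[1:3] == ["powershell.exe", "wscript.exe"]:
                hits.append(("full_chain", e.pid))
    return hits

# constructed sample: the described chain plus one benign build-tool launch
SAMPLE = [
    ProcEvent(2000, 1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\PO0172.jse"'),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -w hidden -c "... https://files.catbox.moe/2x0j75.ps1 ..."'),
    ProcEvent(4000, 3000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"'),
    ProcEvent(5000, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", r"aspnet_compiler.exe -v / -p C:\site -c"),  # benign
]
```

Running `detect(SAMPLE)` flags pids 2000, 3000 and 4000 (the last twice, as a hollowing candidate and as the full chain) and leaves the benign build-tool launch alone.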

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial access via a malicious attachment in a deceptive email; (‘New purchase order PO0172’).
  • [T1059.001] PowerShell – Used to execute downloaded scripts and perform in-memory stages; (‘PowerShell (in-memory execution)’).
  • [T1059.007] JavaScript/JScript – A JScript (.jse) loader is used as the first stage to fetch additional payloads; (‘JScript loader (.jse)’).
  • [T1055.012] Process Hollowing – The legitimate Aspnet_compiler.exe process is started suspended, its memory is hollowed out and replaced with malicious code to evade detection; (‘hollows out’ its memory).
  • [T1620] Reflective Code Loading – .NET assemblies are loaded reflectively from Base64-encoded blobs to execute in memory; (‘reflective loading of .NET assemblies’).
  • [T1497.001] Virtualization/Sandbox Evasion – The malware queries WMI for virtualization indicators and may cease operations if any are detected; (‘queries WMI to identify if the manufacturer is “VMware,” “VirtualBox,” or “Microsoft Corporation” (Hyper-V)’).
  • [T1539] Steal Web Session Cookie – The actor extracts browser cookies including hostnames, expiry dates, and security flags for credential/access theft; (‘extracts browser cookies, including hostnames, expiry dates, and security flags.’).
  • [T1555.003] Credentials from Password Stores – The campaign targets stored credentials and local credential stores as part of its harvesting routine; (‘Credential Harvesting’).
  • [T1005] Data from Local System – The malware collects sensitive artifacts from the local host as part of its collection phase; (‘harvesting sensitive data’).
  • [T1048.003] Exfiltration Over Alternative Protocol: SMTP – Exfiltration capabilities include sending stolen data via SMTP channels; (‘Exfiltration Over Alternative Protocol: SMTP (T1048.003)’).

Indicators of Compromise

  • [SHA256 Hash] payload and stage file hashes – Cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1 (PO0172.jse), 83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54 (first encrypted PS1), and 2 more hashes.
  • [Download URL] secondary stage host – hxxps://files[.]catbox[.]moe/2x0j75[.]ps1 (download location for the encrypted PowerShell stage).
  • [C2 Mail Server] command-and-control infrastructure – mail[.]taikei-rmc-co[.]biz (identified as the mail/C2 server used by the campaign).
  • [File Names] loader and stage filenames – PO0172.jse (initial JScript loader), 2x0j75.ps1 (downloaded PowerShell stage).

Read more: https://feeds.fortinet.com/~/948470225/0/fortinet/blog/threat-research~Unmasking-Agent-Tesla-A-Deep-Dive-into-a-MultiStage-Campaign