{
	"id": "94ea49a6-2a17-49f9-9d1f-aa1247b4e6e2",
	"created_at": "2026-04-06T00:18:13.181787Z",
	"updated_at": "2026-04-10T13:11:49.019854Z",
	"deleted_at": null,
	"sha1_hash": "12df71f80143ed654c10339daea2567c124f6df6",
	"title": "Agent TeslAggah – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 187791,
	"plain_text": "Agent TeslAggah – Malware Book Reports\r\nBy muzi View all posts\r\nArchived: 2026-04-05 21:26:15 UTC\r\nIn May of 2020, Deep Instinct reported on a new variant of the malware loader called “Aggah,” a fileless loader that takes\r\nadvantage of LOLBINS and free services such as Bitly, Blogger, etc. Heading into the second December of the Covid-19\r\npandemic, Aggah has continued the trend of using Covid-19 as a lure for malspam.\r\nThe group behind “Aggah” is known for using the malware loader to deliver RATs such as Agent Tesla, NanoCore, njRAT,\r\nRevenge and Warzone. Initially, Palo Alto believed activity from “Aggah” was related to the Gorgon Group, but Palo’s\r\nUnit 42 has been unable to identify direct overlaps in activity/indicators.\r\nOn November 30, 2021, a new campaign was identified utilizing the Aggah loader to deliver Agent Tesla. The chain of\r\nactivity closely resembles previous Aggah activity, with some minor changes. Below is a summary of the observed\r\nactivity.\r\nStage 1: PPA with VBA Macros\r\nFilename: 새 구매 주문서 .ppa\r\nMD5: 9b61bc8931f7314fefebfd4da8dba2cc\r\nSHA1: a7ee21728f146b41c04b54be8a6cdbf6cc39f90f\r\nSHA256: aa121762eb34d32c7d831d7abcec34f5a4241af9e669e5cc43a49a071bd6e894\r\nPrior Aggah campaigns abused Microsoft Office Documents containing VBA macros and this round remains the same.\r\nThis Covid-19 themed .ppa file contained a very small VBA Macro that ran on Auto_Open and executed a simple mshta\r\ncall. This execution method remains consistent, but the macro is crafted in a slightly different way.\r\nFigure 1: .PPA File VBA Macros\r\nStage 2: HTML File Containing WScript\r\nFilename: gdhamksgdsadj.html | divine111.html\r\nMD5: e2370c77c35232bae8eca686d3c1126e\r\nSHA1: 20d096705b1b09d8f7d7af6c09ed61a8e8e714e2\r\nSHA256: 8d74ac866d8972e6725ffb573dbeec57d248bf5da5f4a555e1bd1d68cff12caa\r\nStage 1 of the Aggah dropper executes mshta hxxp://bitly[.]com/gdhamksgdsadj. 
The bit.ly URL redirects to\r\nhxxps://onedayiwillloveyouforever[.]blogspot[.]com/p/divine111.html, a mostly blank Blogspot page that contains some\r\nmalicious VBScript.\r\nhttps://malwarebookreports.com/agent-teslaggah/\r\nPage 1 of 6\n\nFigure 2: Stage 2 divine111.html contains malicious VBScript\r\nFigure 3: Malicious VBScript contained in divine111.html\r\nThe VBScript stashed in the HTML document performs the following:\r\nDownloads an additional payload from the following BitBucket URL:\r\nhxxps://bitbucket[.]org/!api/2.0/snippets/hogya/5X7My8/b271c1b3c7a78e7b68fa388ed463c7cc1dc32ddb/files/divine1-2\r\nReverses and base64 decodes the payload from the above URL\r\nCreates a scheduled task to download and execute a payload hosted at the following BlogSpot URL (Note: This\r\npayload contains the same VBS payload as in divine111.html):\r\nhxxps://madarbloghogya[.]blogspot[.]com/p/divineback222.[]html\r\nFigure 4: Persistence via Scheduled Task\r\nWhile the VBScript obfuscation is relatively light, one interesting thing to note is the usage of CLSIDs when creating new\r\nobjects. Directly referencing CLSIDs during object creation is fairly uncommon and could be useful for creating a Yara\r\nrule.\r\nset MicrosoftWINdows = GetObject(\"new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B\")\r\nSet Somosa = GetObject(\"new:13709620-C279-11CE-A49E-444553540000\")\r\nStage 3: Obfuscated VBScript Containing Encoded PE File\r\nFilename: divine1-2\r\nMD5: ace852b1489826d80ea0b3fc1e1a3ccd\r\nSHA1: 1391fe80309f38addb1fc011eb8d3fefecf4ac73\r\nSHA256: c4f374f18ed5aba573b6883981a8074b86b79c2bdc314af234e98bed69623686\r\nThe final stage of Aggah is built around deobfuscating and executing the final payload, which is embedded in the\r\ndocument: Agent Tesla (for this campaign, at least). 
According to the comment at the top of the VBScript, this stage of\r\nAggah was updated 11/18/2021.\r\nFigure 5: Third Stage of Aggah last updated 11/18/2021.\r\nThe VBScript in this stage deobfuscates the embedded Agent Tesla payload, adds it to startup and executes the payload.\r\nThere are three main functions that handle deobfuscation, seen below.\r\nFigure 6: Functions Used to Deobfuscate Payload\r\nFigure 7: Building PowerShell Command to Create Persistence and Execute Payload\r\nOnce the replacements and substitutions are made, we see an old friend reappear. After a simple base64 decode, we’re left\r\nwith our payload: Agent Tesla.\r\nFigure 8: Base64 Exe, Anyone?\r\nStage 4: Agent Tesla\r\nFilename: MVuVmuzKeduVVeroJXAhxJFg.exe\r\nMD5: d6373ce833327ecb3afeb81b62729ec9\r\nSHA1: a80137dc1ffe68fa1527bab0933471f28b9c29df\r\nSHA256: 3bb3440898b6e2b0859d6ff66f760daaa874e1a25b029c0464944b5fc2f5a903\r\nAgent Tesla is a .NET-based keylogger and RAT readily available to actors and is one of the RATs preferred by Aggah. It\r\nlogs keystrokes and the host’s clipboard, steals various credentials, and beacons this information back to the C2. This\r\nparticular sample was surprisingly not packed, which is relatively uncommon.\r\nAgent Tesla is known to steal a wide variety of stored/cached credentials. The strings naming the targeted applications\r\nare typically encoded/encrypted but are easily extracted in a debugger. The sections below walk through\r\nextracting the strings/configuration of this Agent Tesla sample and contain a Yara rule for detection.\r\nString/Configuration Extraction\r\nWhile the Agent Tesla payload delivered in this campaign was not packed, the configuration as well as the strings related\r\nto information stealing are hidden. 
The Agent Tesla sample uses the following function to decode these strings at\r\nruntime to make static detection more difficult.\r\nFigure 9: Config/String Decode Function\r\nThe decode function consists of an incremental xor (each byte xored with its index) as well as a static xor by key 0xAA (170). While this decode function\r\ncould be easily implemented with Python or any language of choice, dnSpy was used as it aided in creating the Yara rule in\r\nthe next step. In order to debug properly, the Agent Tesla sample must first be run through de4dot to clean up variable\r\nnames. Once the sample has been cleaned, a watch can be set on the byte array byte_0 and the contents can be saved\r\nonce the decode loop has completed.\r\nFigure 10: Decode Loop Cleaned up by de4dot\r\nOnce a watch for the byte array byte_0 is set, the decode loop is allowed to complete and decode the configuration and\r\nstrings. The decoded content in byte_0 can then be saved to a file.\r\nFigure 11: Byte Array Decoded\r\nAfter saving the contents from dnSpy to a file, the configuration and strings appear in cleartext, providing information\r\naround the types of data being collected, the exfiltration method, etc.\r\nFigure 12: Decoded Configuration and Strings\r\nAgent Tesla Yara Rule\r\nWhile this Agent Tesla sample did not contain a great number of strings that would allow creation of an effective Yara rule,\r\none could certainly be created. However, targeting the strings alone will likely not result in a robust Yara rule. A better\r\napproach might be to target the decode loop covered in the previous section. This blog post will not cover writing\r\nrules based on IL in depth; however, Stephan Simon of Binary Defense put out a great blog post that covers this topic very well.\r\ndnSpy provides an option for decompilation to IL. After selecting IL as the decompilation language, the decode loop can\r\nbe seen in IL form. 
This link serves as an excellent reference when reading IL and writing Yara rules targeting it. The Yara\r\nrule below breaks down each IL instruction and relates it to the corresponding portion of the decode loop.\r\nFigure 13: Decode Loop Decompiled to IL\r\nNote: The rules below should be tested before being implemented in a production environment (especially the second\r\none). I’m not responsible for blowing up your environment! 🙂\r\nrule Classification_Agent_Tesla {\r\n meta:\r\n author = \"muzi\"\r\n date = \"2021-12-02\"\r\n description = \"Detects Agent Tesla delivered by Aggah Campaign in November 2021.\"\r\n hash = \"3bb3440898b6e2b0859d6ff66f760daaa874e1a25b029c0464944b5fc2f5a903\"\r\n strings:\r\n $string_decryption = {\r\n 91 // ldelem.u1: push byte array[i]\r\n (06|07|08|09) // ldloc: push local var i\r\n 61 // xor array[i] ^ i (incremental xor)\r\n 20 [4] // ldc.i4: push const xor key (170 or 0xAA in example)\r\n 61 // xor (array[i] ^ i) ^ 0xAA (const xor key)\r\n D2 // conv.u1: convert to unsigned int8 and push int32 to stack\r\n 9C // stelem.i1: replace array element at index with int8 value on stack\r\n (06|07|08|09) // ldloc: push local var i\r\n 17 // ldc.i4.1: push 1\r\n 58 // add: i += 1\r\n (0A|0B|0C|0D) // stloc: pop value from stack into local var i\r\n (06|07|08|09) // ldloc: push local var i\r\n 7E [4] // ldsfld: push value of static field on stack (byte array)\r\n 8E // ldlen: push length of array onto stack\r\n 69 // conv.i4: convert to int32\r\n FE (04|05) // clt / clt.un: loop condition, i \u003c len(bytearray)\r\n }\r\n condition:\r\n all of them\r\n}\r\nrule WScript_CLSID_Object_Creation {\r\n meta:\r\n author = \"muzi\"\r\n date = \"2021-12-02\"\r\n description = \"Detects various CLSIDs used to create objects rather than their object name.\"\r\n hash = \"9b36b76445f76b411983d5fb8e64716226f62d284c673599d8c54decdc80c712\"\r\n strings:\r\n $clsid_windows_script_host_shell_object = \"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B\" ascii wide nocase\r\n $clsid_shell = \"13709620-C279-11CE-A49E-444553540000\" ascii wide nocase\r\n 
$clsid_mmc = \"49B2791A-B1AE-4C90-9B8E-E860BA07F889\" ascii wide nocase\r\n $clsid_windows_script_host_shell_object_2 = \"72C24DD5-D70A-438B-8A42-98424B88AFB8\" ascii wide nocase\r\n $clsid_filesystem_object = \"0D43FE01-F093-11CF-8940-00A0C9054228\" ascii wide nocase\r\n condition:\r\n any of them\r\n}\r\nSource: https://malwarebookreports.com/agent-teslaggah/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwarebookreports.com/agent-teslaggah/"
	],
	"report_names": [
		"agent-teslaggah"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12df71f80143ed654c10339daea2567c124f6df6.pdf",
		"text": "https://archive.orkl.eu/12df71f80143ed654c10339daea2567c124f6df6.txt",
		"img": "https://archive.orkl.eu/12df71f80143ed654c10339daea2567c124f6df6.jpg"
	}
}