{
	"id": "db1cf213-0b2e-4dc1-8fcc-9c38d2ea2c2c",
	"created_at": "2026-04-06T00:19:36.639161Z",
	"updated_at": "2026-04-10T13:11:47.328553Z",
	"deleted_at": null,
	"sha1_hash": "28cabf5c65002d51902552f60559b7d3f57d013d",
	"title": "Agent Tesla hidden in a historical anti-malware tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 569702,
	"plain_text": "Agent Tesla hidden in a historical anti-malware tool\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 13:45:12 UTC\r\nWhile going through attachments of e-mails that had been caught in my e-mail quarantine since the beginning of\r\nFebruary, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would\r\nnot be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one...\r\nThe e-mail carrying the ISO attachment was a run-of-the-mill-looking malspam, informing the recipient about a new\r\ndelivery from DHL. It had a spoofed sender address “dhlSender@dhl.com”, which – although looking at least\r\nsomewhat believable – certainly didn’t have the impact of making the message appear trustworthy, which is what the\r\nauthors of the e-mail were most likely hoping for. On the contrary, it must have resulted in very few of the messages\r\nactually making it past any security analysis on e-mail gateways. The reason is that DHL has a valid SPF record set up\r\nfor dhl.com, so any SPF check (i.e. something that most of the world's e-mail servers perform automatically these days)\r\nwould lead to a “soft fail” result, which would consequently most likely lead to the message being quarantined (if not\r\ndeleted outright).\r\nhttps://isc.sans.edu/diary/27088\r\nPage 1 of 8\n\nThe attached file Download_Tracking_Reference.01.02.2021.xlsx.iso contained only one EXE with an identical name\r\n(except for the second extension, of course).\r\nThe executable was written in VB.NET and its malicious payload was hidden in it in an interesting way – the file had\r\ntwo bitmaps embedded in its Resources section, both of which were in fact encoded/encrypted DLLs.\r\nWhile the use of bitmaps for embedding DLLs is not new for Agent Tesla[1], it is certainly an interesting way to hide\r\nmalicious code and prevent its detection. 
In this case, it didn’t seem to help the file too much, given its 41/71 VT score\r\nat the time of writing[2], but it is quite an imaginative technique nonetheless.\r\nAfter the file was executed, it would first decode and load a small (10kB) DLL named BestFit.dll.\r\nUsing this first DLL, the malware would then decode, decrypt and load a much larger (430kB) DLL called\r\nPositiveSign.dll.\r\nSince the second DLL was heavily obfuscated and its authors used a couple of anti-analysis techniques in it, I didn’t have\r\ntime to go through it in detail, but from the portions of the code I saw, it did appear to contain the final stage of the\r\npayload.\r\nWhat turned out to be even more interesting than the use of bitmaps to store encoded/encrypted DLLs, however, was the\r\ncode of the original executable, in which the \"malicious bitmaps\" were hidden. The EXE, which was originally named\r\nHashHelpers.exe, had its description and product name set to Virus Effect Remover. This was the name of a legitimate\r\nanti-malware tool developed during the 2000s and the first half of the 2010s.\r\nThis, by itself, would not be that unusual, since malware authors sometimes like to name their creations in creative or\r\nprovocative ways. Nevertheless, in this case, the name wasn’t the only thing which the authors of Agent Tesla borrowed\r\nfrom the anti-malware tool… They reused significant portions of its code as well.\r\nWhen comparing the malicious file with the latest available release of the real tool[3], it can be clearly seen that large\r\nparts of both binaries are (nearly) identical.\r\nAlthough the original code in the malicious EXE is never executed, the authors of the malware reused large parts of it\r\nwhen making their creation. 
Since Virus Effect Remover was also written in VB.NET, getting to the code and\r\nrepurposing it, even if they were working from a compiled executable, would of course be trivial for them.\r\nEven though the use of \"trojanized\" security tools is not a novel concept by any means, I think this was the first time I’ve\r\nseen it done in this way – i.e. by using the code of an old anti-malware solution without trying to pass the resulting\r\nexecutable off to target users as the original tool.\r\nWhile we can only speculate on why the creators of the malicious code chose to hide it in the code of a historical security\r\ntool, by far the most probable explanation seems to be that this was done in an attempt to make the malware seem\r\nbenign to anti-malware scanners. And since some security tools use signature-based allow-listing mechanisms to avoid\r\nscanning of known security tools, this might have actually worked in some instances...\r\nIndicators of Compromise (IoCs)\r\n[1] https://www.zscaler.com/blogs/security-research/linkedin-job-seeker-phishing-campaign-spreads-agent-tesla\r\n[2] https://www.virustotal.com/gui/file/101399675ec99fcca0b69a0d6c146431c3a28c10d322499c817b2197e86971b5/detection\r\n[3] https://sourceforge.net/projects/viruseffectremo/\r\n-----------\r\nJan Kopriva\r\n@jk0pr\r\nAlef Nula\r\nSource: 
https://isc.sans.edu/diary/27088",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/27088"
	],
	"report_names": [
		"27088"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28cabf5c65002d51902552f60559b7d3f57d013d.pdf",
		"text": "https://archive.orkl.eu/28cabf5c65002d51902552f60559b7d3f57d013d.txt",
		"img": "https://archive.orkl.eu/28cabf5c65002d51902552f60559b7d3f57d013d.jpg"
	}
}