{
	"id": "c2b48bba-c447-4fe1-8083-0fa293e511de",
	"created_at": "2026-04-06T00:14:26.358233Z",
	"updated_at": "2026-04-10T03:21:47.098566Z",
	"deleted_at": null,
	"sha1_hash": "787697e465332b9dc8912b1bc7983ee842ea6178",
	"title": "Dissecting Agent Tesla: Unveiling Threat Vectors and Defense Mechanisms | Idan Malihi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43065,
	"plain_text": "Dissecting Agent Tesla: Unveiling Threat Vectors and Defense Mechanisms | Idan Malihi\r\nArchived: 2026-04-05 22:30:13 UTC\r\nAgentTesla Execution Diagram\r\nThe WSF script is written in JavaScript and embedded within the batch file. It is executed by the cscript command. The script is obfuscated, making it difficult to read and understand the first stage’s code. This is a common technique used by malware authors to evade detection and analysis. After the de-obfuscation process, the script executes a PowerShell payload, which is also obfuscated.\r\nAfter running the script, two processes were launched: the cscript process, which executes the WSF script, and the PowerShell process, which runs the payload.\r\nThe PowerShell payload sets the system’s security protocol to TLS 1.2 and loads the Microsoft.VisualBasic assembly. The script then repeatedly pings Google until an internet connection is detected. Upon connection, it creates a new WebClient object to download and execute a script from https://didaktik-labor.de/mx1.jpg.\r\nAfter replacing the ‘A’ character with ‘00’ in the payload, we can understand that the first payload is coded in binary.\r\nIt is a PowerShell function that is responsible for decompressing the other two payloads that exist in the second stage using Gzip.\r\nThe first payload decompresses the second and third payloads using Gzip. The second payload is stored in the variable y74gh00rffd and contains an obfuscated payload in which the script replaces the ‘EV’ characters with ‘0x’. This suggests that the second payload is in hexadecimal format.\r\nAfter decompressing the second payload, the script produces a DLL file.\r\nThe eSQy variable contains an obfuscated payload, in which the script replaces the ‘EV’ characters with ‘0x’. This suggests that the third payload is also in hexadecimal format.\r\nAfter decompressing the third payload, the script produces an EXE file. The file is written in .NET and runs on a 32-bit architecture.\r\nAfter decompressing the script and dropping the DLL and EXE files, it extracts the Black function from the toooyou module in the DLL file and then uses the InstallUtil tool to execute the EXE file.\r\nThe Black function executes code using the calli instruction, repeatedly calling a method until a certain condition is met. This is part of a larger obfuscated malware process that decompresses, drops, and executes malicious payloads (EXE and DLL files) on the target system. In conjunction with the rest of the script, this function’s purpose is to evade detection and execute malicious binaries and operations. Furthermore, the Black function gets two variables as values; the first value that the function gets is the InstallUtil.exe, and the second value is the eSQy variable, which executes the EXE file.\r\nhttps://idanmalihi.com/dissecting-agent-tesla-unveiling-threat-vectors-and-defense-mechanisms/\r\nPage 1 of 3\r\nAt the beginning of the malware debugging, the malware configures the ServicePointManager to allow HTTPS connections using SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 protocols.\r\nAfter the malware sets up the HTTPS connections, it prepares the execution process by ensuring that only one copy of the current process is running and terminating any other copies of the same process. It does this by comparing the process IDs of all running copies of the process and terminating those with different IDs from the current process.\r\nThe malware checks for the %appdata%\\Roaming path in the endpoint in the StartupDirectoryPath variable for dropping the gnxLZ.exe file.\r\nThen, the malware enumerates the username and the hostname of the current endpoint.\r\nThe malware gathers detailed system information, including the current time, computer name, operating system, username, RAM, CPU, and external IP address. Threat actors can utilize this information to profile victims, plan further attacks, or sell on dark net forums.\r\nAfter stealing all the intended information, the malware organizes the data from the victim’s computer and then sends it to the attacker’s C2 server.\r\nThen, the malware configures and opens an SMTP connection with the attacker’s SMTP mail server.\r\nThe attacker’s SMTP server information:\r\nThe malware connects to the SMTP server using port 587 to 94.237.43.240.\r\nThe SMTP connection packets in Wireshark:\r\nThe SMTP server’s IP address is 94.237.43.240. The first packet sent from the SMTP server indicates that it is hosted on the stablehost.com website.\r\nThe malware exfiltrates the data to the SMTP server over TLSv1.2 (HTTPS).\r\nAn example of stolen data from a victim:\r\nMITRE ATT\u0026CK\r\nYara Rule\r\nYara Detection\r\nSnort Rule\r\nSnort Detection\r\nSource: https://idanmalihi.com/dissecting-agent-tesla-unveiling-threat-vectors-and-defense-mechanisms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://idanmalihi.com/dissecting-agent-tesla-unveiling-threat-vectors-and-defense-mechanisms/"
	],
	"report_names": [
		"dissecting-agent-tesla-unveiling-threat-vectors-and-defense-mechanisms"
	],
	"threat_actors": [],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787697e465332b9dc8912b1bc7983ee842ea6178.pdf",
		"text": "https://archive.orkl.eu/787697e465332b9dc8912b1bc7983ee842ea6178.txt",
		"img": "https://archive.orkl.eu/787697e465332b9dc8912b1bc7983ee842ea6178.jpg"
	}
}