{
	"id": "f3eabdc7-5000-4d41-8f44-bc76e720182a",
	"created_at": "2026-04-06T00:21:11.525966Z",
	"updated_at": "2026-04-10T03:19:55.292977Z",
	"deleted_at": null,
	"sha1_hash": "7c83d9db8d11f3cdd1e2d6b238eabb2d3007ed88",
	"title": "New AgentTesla variant steals WiFi credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 900357,
	"plain_text": "New AgentTesla variant steals WiFi credentials\r\nBy Hossein Jazi\r\nPublished: 2020-04-15 · Archived: 2026-04-05 21:25:00 UTC\r\n\r\nAgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. The actor behind this malware is constantly maintaining it by adding new modules. One of the new modules that has been added to this malware is the capability to steal WiFi profiles.\r\n\r\nAgentTesla was first seen in 2014, and has been frequently used by cybercriminals in various malicious campaigns since. During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.\r\n\r\nNewer variants of AgentTesla seen in the wild have the capability to collect information about a victim’s WiFi profile, possibly to use it as a way to spread onto other machines. In this blog, we review how this new feature works.\r\n\r\nTechnical analysis\r\n\r\nThe variant we analyzed was written in .Net. It has an executable embedded as an image resource, which is extracted and executed at run-time (Figure 1).\r\n\r\nThis executable (ReZer0V2) also has a resource that is encrypted. After doing several anti-debugging, anti-sandboxing, and anti-virtualization checks, the executable decrypts and injects the content of the resource into itself (Figure 2).\r\n\r\nThe second payload (owEKjMRYkIfjPazjphIDdRoPePVNoulgd) is the main component of AgentTesla that steals credentials from browsers, FTP clients, wireless profiles, and more (Figure 3). The sample is heavily obfuscated to make the analysis more difficult for researchers.\r\n\r\nTo collect wireless profile credentials, a new “netsh” process is created by passing “wlan show profile” as an argument (Figure 4). Available WiFi names are then extracted by applying the regex “All User Profile * :  (?.*)” to the stdout output of the process.\r\n\r\nIn the next step, for each wireless profile the following command is executed to extract the profile’s credential: “netsh wlan show profile PROFILENAME key=clear” (Figure 5).\r\n\r\nString encryption\r\n\r\nAll the strings used by the malware are encrypted and are decrypted by the Rijndael symmetric encryption algorithm in the “.u200E” function. This function receives a number as input and generates three byte arrays containing the input to be decrypted, the key, and the IV (Figure 6).\r\n\r\nFor example, in Figure 5, “119216” is decrypted into “wlan show profile name=” and “119196” is decrypted into “key=clear”.\r\n\r\nIn addition to WiFi profiles, the executable collects extensive information about the system, including FTP clients, browsers, file downloaders, and machine info (username, computer name, OS name, CPU architecture, RAM), and adds them to a list (Figure 7).\r\n\r\nThe collected information forms the body section of an SMTP message in HTML format (Figure 8):\r\n\r\nNote: If the final list has fewer than three elements, it won’t generate an SMTP message. If everything checks out, a message is finally sent via smtp.yandex.com, with SSL enabled (Figure 9):\r\n\r\nThe following diagram shows the whole process explained above, from extraction of the first payload from the image resource to exfiltration of the stolen information over SMTP:\r\n\r\nPopular stealer looking to expand\r\n\r\nSince AgentTesla added the WiFi-stealing feature, we believe the threat actors may be considering using WiFi as a mechanism for spread, similar to what was observed with Emotet. Another possibility is using the WiFi profile to set the stage for future attacks.\r\n\r\nEither way, Malwarebytes users were already protected from this new variant of AgentTesla through our real-time protection technology.\r\n\r\nIndicators of compromise\r\n\r\nAgentTesla samples:\r\n91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09b\r\ndd4a43b0b8a68db65b00fad99519539e2a05a3892f03b869d58ee15fdf5aa044\r\n27939b70928b285655c863fa26efded96bface9db46f35ba39d2a1295424c07b\r\nFirst payload:\r\n249a503263717051d62a6d65a5040cf408517dd22f9021e5f8978a819b18063b\r\nSecond payload:\r\n63393b114ebe2e18d888d982c5ee11563a193d9da3083d84a611384bc748b1b0\r\n\r\nSource: https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
	],
	"report_names": [
		"new-agenttesla-variant-steals-wifi-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c83d9db8d11f3cdd1e2d6b238eabb2d3007ed88.pdf",
		"text": "https://archive.orkl.eu/7c83d9db8d11f3cdd1e2d6b238eabb2d3007ed88.txt",
		"img": "https://archive.orkl.eu/7c83d9db8d11f3cdd1e2d6b238eabb2d3007ed88.jpg"
	}
}