{
	"id": "711fba54-d407-4e62-9146-e45eb063d48e",
	"created_at": "2026-04-06T00:06:37.739649Z",
	"updated_at": "2026-04-10T13:13:06.835897Z",
	"deleted_at": null,
	"sha1_hash": "7f9ddef8aaa831146841b7ae9f5d35194c898892",
	"title": "Do you want your Agent Tesla in the 300 MB or 8 kB package?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 228214,
	"plain_text": "Do you want your Agent Tesla in the 300 MB or 8 kB package?\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 14:44:36 UTC\r\nSince today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year.\r\nOf the several hundred unique samples that were collected, probably the most interesting one turned out to be a fairly sizable .NET executable caught in October, which “weighed in” at 300 MB and which had a 26/64 detection rating on VT at the time of writing[1].\r\nAs you may see from the following image, the sample was obfuscated using multiple different tools.\r\nThe size of the file was, however, so significant not because of any complex obfuscation, but because the executable had a sizable null byte overlay (i.e., a large number of null bytes added after the end of the file).\r\nhttps://isc.sans.edu/diary/28202\r\nPage 1 of 4\r\nWithout the overlay, the file would have been less than 700 kB in size.\r\nAlthough the use of null bytes to inflate the size of a malicious executable to the point where it will not be analyzed by anti-malware tools (AV tools on endpoints as well as on e-mail gateways/web gateways have a set limit on the maximum size of files they can scan) is nothing new[2], as the fairly low VT score of this sample shows, it can still be quite effective. Especially when one considers that after further analysis, the executable turned out to be nothing more than a sample of the Agent Tesla infostealer[3]…\r\nTwo other files I found in my “2021 collection” deserve a short mention in connection with the large executable described above.\r\nThey were, again, .NET PE files, and, again, were part of an Agent Tesla infection chain[4].\r\nOther than this, however, they were complete opposites of the sample mentioned before. They were only about 8 kB in size each, no obfuscation was used to protect them, and their detections on VT are slightly/significantly higher (37/68[5] and 53/68[6] respectively). I mention them together because although there are slight differences in their code, as the following images show, both were very similar, and one can clearly see that they were only supposed to download and run additional code from the internet.\r\nAs the preceding text mentions, although all three samples were used in the infection chains of the same malware, the ability of anti-malware tools to detect them varies widely. And since the malware family in question is a rather common one and its samples are often spread by untargeted malspam messages, it goes to show (if anyone still needs to have that pointed out to them at the end of 2021) that depending only on traditional anti-malware tools for (not just) endpoint protection is simply not enough at this point in time…\r\nNevertheless, since I would like to end this post on a slightly more positive note, let me conclude by wishing you – on behalf of all of us at the SANS Internet Storm Center – a Happy New Year 2022, with as few malware (and other) infections and serious incidents as possible.\r\n[1] https://www.virustotal.com/gui/file/3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a/details\r\n[2] https://isc.sans.edu/forums/diary/Picks+of+2019+malware+the+large+the+small+and+the+one+full+of+null+bytes/25718/\r\n[3] https://tria.ge/211231-mfe4yafcfj\r\n[4] https://tria.ge/210817-c7rr51256x\r\n[5] https://www.virustotal.com/gui/file/f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6\r\n[6] https://www.virustotal.com/gui/file/12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080\r\n-----------\r\nJan Kopriva\r\n@jk0pr\r\nAlef Nula\r\nSource: https://isc.sans.edu/diary/28202",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/28202"
	],
	"report_names": [
		"28202"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f9ddef8aaa831146841b7ae9f5d35194c898892.pdf",
		"text": "https://archive.orkl.eu/7f9ddef8aaa831146841b7ae9f5d35194c898892.txt",
		"img": "https://archive.orkl.eu/7f9ddef8aaa831146841b7ae9f5d35194c898892.jpg"
	}
}