{
	"id": "00818493-edf9-48a8-a8cf-9bae76ba1d6c",
	"created_at": "2026-04-06T00:12:48.228647Z",
	"updated_at": "2026-04-10T03:20:52.05572Z",
	"deleted_at": null,
	"sha1_hash": "8171d2c4daa9d731bb20bb9865db863dc638bb3a",
	"title": "Negasteal/Agent Tesla, Ave Maria Delivered via Malspam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84778,
	"plain_text": "Negasteal/Agent Tesla, Ave Maria Delivered via Malspam\r\nBy Miguel Carlo Ang, Earle Maui Earnshaw\r\nPublished: 2019-10-25 · Archived: 2026-04-05 22:33:10 UTC\r\nWe recently saw in our honeypots a malicious spam campaign carrying AutoIT-compiled payloads – the trojan spy Negasteal or Agent Tesla (detected by Trend Micro as TrojanSpy.Win32.NEGASTEAL.DOCGC) and the remote access trojan (RAT) Ave Maria or Warzone (TrojanSpy.Win32.AVEMARIA.T). The upgrade of the payload from a typical trojan spy to a more insidious RAT may indicate that the cybercriminals behind this campaign are moving toward deploying more destructive (and lucrative) payloads, such as ransomware, after reconnaissance.\r\nThis campaign uses AutoIT-obfuscated ISO image files as well as RAR- and LZH-compressed archive attachments to evade detection. ISO images in particular can be used to bypass spam filters, and the format is also easier to mount on more recent Windows versions. We observed that this spam campaign was sent from a possibly compromised webmail address.\r\nTechnical analysis\r\nThe AutoIT-obfuscated malware strains are delivered via malicious spam emails. The malspam emails we saw associated with this campaign included a fake shipment advisory and a fake financial document.\r\nFigure 1. A fake shipment advisory spam email with a .RAR attachment containing Negasteal\r\nFigure 2. A fake down payment notification email with an .LZH attachment containing the Ave Maria RAT\r\nThe downloaded malicious attachments then extract the AutoIT-obfuscated malware strains of Negasteal and Ave Maria.\r\nAutoIT, a scripting language originally intended to automate basic tasks in the Windows GUI, has been abused by cybercriminals in the past to obfuscate malware binaries. In the case of Negasteal and Ave Maria, the AutoIT obfuscation technique has two layers: the actual malware binaries are obfuscated into AutoIT scripts (.au3), after which the scripts are compiled into an executable using an AutoIT compiler like Aut2Exe.\r\nBecause of the malicious attachments’ highly obfuscated nature, endpoints without cybersecurity solutions equipped with behavior monitoring powered by machine learning will not be able to proactively detect and defend against these threats.\r\nFigure 3. Infection flow of Negasteal (top) and Ave Maria (bottom)\r\nOnce the malicious attachment is downloaded, it proceeds to extract an AutoIT-obfuscated malware strain to the machine.\r\nThe attachments contain an AutoIT-based packer or crypter that executes a script that decrypts and loads version 5 of the Frenchy shellcode. We deobfuscated the “Frenchy_shellcode_005” script by:\r\nExtracting the .au3 file from the binary.\r\nFinding the variable in the AutoIt script where the shellcode is assembled.\r\nWriting the content of the variable to a file.\r\nTrojan spies are popular malspam payloads. The same is true for this particular campaign, at least initially: the first payload is a Negasteal/Agent Tesla variant. Like previously seen Negasteal/Agent Tesla variants, the one used in this campaign can log and monitor keystrokes, capture webcam images and screenshots, and collect clipboard contents. It can also collect system information and saved usernames and passwords from browsers and mail clients, among many other things.\r\nLater versions of this campaign, which use the same double-layered AutoIT obfuscation technique, have upgraded the payload from Negasteal/Agent Tesla to the Ave Maria RAT.\r\nThe Ave Maria RAT variant in this campaign is armed with more functions than a typical trojan spy. It uses a UAC bypass and process tokens to elevate its privileges. Once elevated, it executes the PowerShell cmdlet Add-MpPreference -ExclusionPath, which modifies Windows Defender’s settings to exclude specific paths from real-time scanning.\r\nThe malware is also configured to establish a connection to a command-and-control (C\u0026C) server.\r\nFigure 4. Screen capture of Ave Maria’s code establishing a C\u0026C connection after its privileges have been elevated\r\nRegardless of whether privilege escalation succeeds, if Ave Maria is able to create a registry key on the system or drop a copy of itself in the “%ProgramData%” directory, it creates a cmd.exe process and then injects malicious code into it. If that fails, it executes explorer.exe and injects into that instead.\r\nFigure 5. Screen capture of Ave Maria’s code executing explorer.exe for code injection\r\nOnce successfully running on a compromised system, Ave Maria can log users’ keystrokes as well as steal usernames and passwords from the following protocols and applications:\r\nProtocols:\r\nHTTP\r\nIMAP\r\nPOP3\r\nSMTP\r\nApplications:\r\nMicrosoft Outlook (1997-2010, 2013, and 2016 versions)\r\nWindows Messaging\r\nInternet Explorer\r\nGoogle Chrome\r\nFoxmail\r\nThunderbird\r\nFirefox\r\nAve Maria can also modify, drop, and create arbitrary files on a compromised system, as well as enumerate processes, files, directories, and drives. It is also able to terminate running processes, delete files, and uninstall itself.\r\nSecurity Recommendations\r\nHere are some of the best practices businesses and users can adopt to protect against Negasteal, Ave Maria, and other highly obfuscated threats:\r\nSecure the email gateway. Because Negasteal and Ave Maria are delivered via malicious spam emails, it’s important to be aware of social engineering tactics so as not to fall for them. Practicing cybersecurity hygiene, both in the workplace and at home, e.g., identifying red flags in phishing emails, helps just as much as deploying security solutions.\r\nThink before you click. Refrain from opening email attachments from unverified sources.\r\nEnforce the principle of least privilege. Ave Maria abuses legitimate tools such as PowerShell as part of its attack chain. Disabling, restricting, or securing the use of such tools can significantly deter the threat from abusing them.\r\nObserve, monitor, and log. Keep comprehensive records of what happens within the network to enable IT personnel to track suspicious activities such as traffic to or from malicious URLs.\r\nProactively monitor the organization’s online infrastructure. For organizations, a multilayered approach can help defend against highly obfuscated threats. Firewalls and intrusion detection and prevention systems help detect and block suspicious traffic or malicious network activity. Application control and behavior monitoring prevent anomalous executables and malware-related routines from running, while URL filtering helps block malicious URLs and websites that may be hosting malware.\r\nTrend Micro solutions\r\nUsers and organizations are protected from highly obfuscated threats such as the AutoIT-compiled Negasteal and Ave Maria malware strains by Trend Micro’s multilayered proactive and reactive approaches to cybersecurity.\r\nAt the email level, the Trend Micro™ Anti-Spam Engine (TMASE)™ and Hosted Email Security (HES)™ solutions block spam emails, such as the fake shipment advisory and financial document in this campaign, from reaching users and organizations. Both solutions use machine learning technologies that include statistical analysis, advanced heuristics, whitelists and blacklists, as well as signature filtering.\r\nMalicious files, scripts, and messages like the Negasteal- and Ave Maria-containing ISO, LZH, and RAR attachments are proactively detected by Trend Micro’s behavior monitoring technology, a key component of its endpoint solutions such as the Smart Protection Suites and Worry-Free™ Business Security.\r\nTwo robust reactive layers of protection from the Smart Protection Suites and the Trend Micro Deep Discovery™ solution detect Negasteal and Ave Maria’s remote scripts even if they are not downloaded onto the physical endpoints.\r\nThe Trend Micro Deep Discovery Inspector protects customers by detecting suspicious network traffic and preventing Negasteal and Ave Maria from connecting to C\u0026C servers, which may lead to data exfiltration, via these DDI rules:\r\nRule 4248: WARZONE – DNS (Response)\r\nRule 4249: NEGASTEAL - SMTP (Request)\r\nIndicators of Compromise (IoCs)\r\nSHA-256 Hash | Trend Micro Predictive Machine Learning Detection | Trend Micro Pattern Detection\r\nBc077b31c61d61d5d077b68b7f0b110efe85d138 | Troj.Win32.TRX.XXPE50FFF032 | TrojanSpy.Win32.NEGASTEAL.DOCG\r\n224f6e0c21145534ec2bab670bcb1b690c08a26d | Troj.Win32.TRX.XXPE50FFF032 | TrojanSpy.Win32.AVEMARIA.T\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-negasteal-agent-tesla-ave-maria-delivered-via-malspam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-negasteal-agent-tesla-ave-maria-delivered-via-malspam/"
	],
	"report_names": [
		"autoit-compiled-negasteal-agent-tesla-ave-maria-delivered-via-malspam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8171d2c4daa9d731bb20bb9865db863dc638bb3a.pdf",
		"text": "https://archive.orkl.eu/8171d2c4daa9d731bb20bb9865db863dc638bb3a.txt",
		"img": "https://archive.orkl.eu/8171d2c4daa9d731bb20bb9865db863dc638bb3a.jpg"
	}
}