{
	"id": "dec00092-7a4e-49b3-a4de-8fad8e448f1a",
	"created_at": "2026-04-06T00:13:37.140729Z",
	"updated_at": "2026-04-10T03:21:44.601957Z",
	"deleted_at": null,
	"sha1_hash": "a747ce9bad65bbaee3bb2f047a1a90ef13ef4bbb",
	"title": "Malware Analysis — AgentTesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4333290,
	"plain_text": "Malware Analysis — AgentTesla\r\nBy 0xMrMagnezi\r\nPublished: 2024-02-15 · Archived: 2026-04-05 23:45:04 UTC\r\nAgent Tesla is a widely used remote access Trojan (RAT) known for its keylogging and data exfiltration capabilities, often used in cyber espionage and information theft.\r\nIn this report I analyze an AgentTesla sample that was uploaded to MalwareBazaar.\r\nhttps://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825\r\n[Image: MalwareBazaar — Initial Sample]\r\nStage 1-\r\nAs usual I downloaded the file and extracted it using the password “infected”.\r\n[Image: .BAT file]\r\nJust from looking at it I noticed that I was dealing with JS and PowerShell code. I assumed that trying to deobfuscate this .BAT file would be a waste of time, so I ran it in order to capture the PowerShell script that was being executed.\r\n[Image: Capture of the PowerShell code]\r\nAs I suspected, the PowerShell was started under cmd.exe (the .BAT), so I extracted it from the command line. 
Also it is important to note that the original .BAT file was deleted after execution.\r\nStage 2-\r\n[Image: Obfuscated PowerShell code that was extracted from the command line]\r\nAfter a little bit of dirty work I managed to deobfuscate the PowerShell code.\r\n[Image: Deobfuscated PowerShell code]\r\nIn summary, this script downloads a new file (served with a .JPG extension) and executes it.\r\nStage 3-\r\nI decided to get that file on my own terms without executing it, so I curled the path and saved the output as “out”. Note that fetching a stage directly from the attacker's host exposes the analyst's source IP to the operator, so this is normally done from a disposable address.\r\n[Image: Curl to the attacker's JPG path]\r\nThis out file contained another obfuscated PowerShell script, so I had to do more deobfuscation.\r\n[Image: Obfuscated PowerShell]\r\nThe first variable, “u8yee”, went through a manipulation that at the end swapped “A” with “00”.\r\n[Image: Using CyberChef to decode]\r\n[Image: After some cleaning and deobfuscation of the code]\r\nIn summary, the first function decompresses any byte array that it gets as an argument.\r\nThe next two variables, “y74gh00rffd” and “eSQy”, also go through a manipulation just like before, just a bit different: the letters “EV” are replaced by “0x”, the hex prefix. 
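The token substitutions described above for the 'u8yee', 'y74gh00rffd' and 'eSQy' variables, reproduced as an added Python example that is not part of the original post and not the malware's own code: the decoder undoes a token-for-bytes substitution (A for 00, EV for 0x), parses the hex, decompresses the result and checks for the MZ magic the post uses as its success signal, plus the stricter PE signature check a practitioner would add. The sample payload is constructed here (a fake MZ-headed blob, not a real executable), the obfuscate_* helpers only mimic the encoding the post describes, and the choice of GZip with raw Deflate as fallback is an assumption, since the post only says the first function decompresses the byte array it is given.

```python
import gzip
import zlib

# Constructed sample: a fake MZ-headed blob standing in for the .NET binary
# the post recovers. It is NOT a real executable; only the header matters here.
FAKE_PE = b'MZ' + bytes(range(256)) * 4

GZIP_MAGIC = bytes([0x1F, 0x8B])


def obfuscate_ev(payload: bytes) -> str:
    # Mimic the second encoding as the post describes it: a comma separated
    # list of hex bytes whose 0x prefix is swapped for the token EV.
    # Assumption: the stage is GZip compressed; the post does not name the algorithm.
    return ','.join('EV' + format(b, '02X') for b in gzip.compress(payload))


def obfuscate_a(payload: bytes) -> str:
    # Mimic the first encoding: a lowercase hex string in which every 00 is
    # swapped for the token A. Lowercase hex never contains an uppercase A, so
    # the reverse substitution is unambiguous even when 00 straddles a byte boundary.
    return gzip.compress(payload).hex().replace('00', 'A')


def decompress_any(data: bytes) -> bytes:
    # The post only says the first function decompresses whatever byte array
    # it is handed. Assumption: GZip framing, with raw Deflate as the fallback.
    if data[:2] == GZIP_MAGIC:
        return gzip.decompress(data)
    return zlib.decompress(data, -15)


def recover_stage(blob: str, replacements) -> bytes:
    # Undo the token substitutions in order, parse the hex, then decompress.
    text = blob
    for token, original in replacements:
        text = text.replace(token, original)
    if ',' in text:
        # 0x4D,0x5A,... form: int() accepts the 0x prefix when base is 16.
        raw = bytes(int(t, 16) for t in text.split(',') if t)
    else:
        raw = bytes.fromhex(text)
    return decompress_any(raw)


def looks_like_pe(data: bytes) -> bool:
    # The post's success signal: the DOS header magic MZ at offset 0.
    return data[:2] == b'MZ'


def pe_signature_ok(data: bytes) -> bool:
    # MZ alone only proves a DOS stub. A real PE also carries PE plus two NUL
    # bytes at the offset stored in the 4 little-endian bytes at 0x3C (e_lfanew).
    if len(data) < 0x40 or not looks_like_pe(data):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


if __name__ == '__main__':
    for name, blob, rules in (
        ('u8yee-style', obfuscate_a(FAKE_PE), [('A', '00')]),
        ('eSQy-style', obfuscate_ev(FAKE_PE), [('EV', '0x')]),
    ):
        stage = recover_stage(blob, rules)
        print(name, len(blob), 'chars ->', len(stage), 'bytes, MZ:', looks_like_pe(stage),
              'PE signature:', pe_signature_ok(stage))
```

The constructed blob passes the MZ check but fails the PE signature check, which is exactly the gap between the post's quick visual test and the check worth scripting before treating a recovered stage as a Windows executable.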
In addition to this replacement, the resulting byte array is passed to the decoding functions.\r\n[Image: First Byte Array Decode]\r\n[Image: Second Byte Array Decode]\r\nI knew this process was a success as soon as I saw “MZ” at the beginning of the file, the DOS executable header magic. I saved those two new files as .BIN files. (The MZ magic alone only proves a DOS stub; the PE signature at the offset stored at 0x3C confirms a real Windows executable.)\r\nStage 4-\r\n[Image: Finding out that one file is an EXE and the other is a DLL, both written in .NET]\r\nWhile debugging this executable in dnSpy I noticed that I was dealing with an info stealer / keylogger with more features and capabilities.\r\nThe data is being sent using SMTP.\r\n[Image: Finding the SMTP password to the attacker]\r\n[Image: Finding the information about the computer that is being sent to the attacker]\r\n[Image: The mail addresses that were found.]\r\nSource: https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825"
	],
	"report_names": [
		"malware-analysis-agenttesla-2af3d73a7825"
	],
	"threat_actors": [],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a747ce9bad65bbaee3bb2f047a1a90ef13ef4bbb.pdf",
		"text": "https://archive.orkl.eu/a747ce9bad65bbaee3bb2f047a1a90ef13ef4bbb.txt",
		"img": "https://archive.orkl.eu/a747ce9bad65bbaee3bb2f047a1a90ef13ef4bbb.jpg"
	}
}