{
	"id": "3d60e091-4988-4ffd-9300-63db7685b297",
	"created_at": "2026-04-10T03:22:08.191679Z",
	"updated_at": "2026-04-10T03:22:16.511828Z",
	"deleted_at": null,
	"sha1_hash": "c9597d176be5f9d19d6c1d81ca05e66aff75e2a6",
	"title": "More AgentTesla Keylogger And Nanocore RAT In One Bundle",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89154,
	"plain_text": "More AgentTesla Keylogger And Nanocore RAT In One Bundle\r\nBy Darrel Heers\r\nPublished: 2019-06-25 · Archived: 2026-04-10 02:13:01 UTC\r\nWe are seeing a continuation of even more AgentTesla malspam campaigns again this morning. However, today’s is somewhat different to usual and also delivers a Nanocore RAT. In fact it is the Nanocore RAT that downloads the AgentTesla keylogger. After a bit of digging around and finding an Open Directory listing on the AgentTesla download site, we found another multi-stage JavaScript downloader which delivers what looks like Dunihi / Houdini / H-worm and WSHRAT along with more Nanocore, or at least something using the same C2 and download structures as recent Nanocore samples.\r\nOnce again the scumbags sending these are using ISO attachments, which generally speaking are very badly detected by antivirus, mail scanners or perimeter defences. Many AV and “next gen” anti-malware services do not routinely scan inside an ISO file but rely on detecting the extracted file. This is one of the few file types where you are actually slightly safer on Windows 7.\r\nOn Windows 7 you need a 3rd party extraction (unzipping) program to extract the executable content from the container. WinZip \u0026 WinRAR, along with several other 3rd party unzipping tools, do this, but are not set to open ISO files by default, so it takes a few clicks from you to do it. Windows 7 will natively try to open the ISO in Windows Disc Image Burner and copy it to a CD/DVD for you. Whereas the more modern \u0026 “safer” Windows 8.1 and Windows 10 will normally offer to mount the ISO, that is, open it as a virtual CD drive so the .exe file is shown in File Explorer ready for you to click on \u0026 run. While the exe file is inside the ISO container it is safe and will not harm you. 
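The attachment tricks in this campaign (an ISO container that AV does not look inside, a lure name ending in ,pdf.iso, and, further down this post, .tar.gz files that are really renamed executables) can all be caught before anything is mounted or extracted by checking magic bytes against the claimed extension. The following is an added example and not code from the original post: the file names are the ones the post lists, the byte contents are constructed stand-ins rather than the real samples, and the check goes beyond the post by also looking for a PE header and an autorun.inf inside the ISO image.

```python
# Attachment triage for the ISO / lure-name / renamed-executable tricks
# described in this post. Added example, not the post's own code. File names
# come from the post; all byte contents below are constructed stand-ins.
import os

# (offset, signature) pairs. ISO 9660 keeps its 'CD001' tag at byte 1 of
# sector 16 (offset 0x8001); PE and gzip are identified at offset 0.
MAGIC = {
    'pe': (0, b'MZ'),
    'gzip': (0, bytes.fromhex('1f8b')),
    'iso': (0x8001, b'CD001'),
    'pdf': (0, b'%PDF'),
}
EXT_TYPE = {'.exe': 'pe', '.gz': 'gzip', '.iso': 'iso', '.pdf': 'pdf'}
LURE_WORDS = ('pdf', 'doc', 'docx', 'xls', 'xlsx')
PE_SIG = bytes.fromhex('50450000')  # 'PE' followed by two NUL bytes


def sniff(data):
    # Real type from magic bytes, ignoring whatever the file name claims.
    for kind, (offset, sig) in MAGIC.items():
        if data[offset:offset + len(sig)] == sig:
            return kind
    return 'unknown'


def claimed_type(name):
    return EXT_TYPE.get(os.path.splitext(name.lower())[1], 'unknown')


def lure_extension(name):
    # 'NEW_PO_1205356266,pdf.iso' shows a document type in the name, but only
    # the final '.ext' counts. Commas and underscores are treated as separators
    # because the comma trick survives a naive split on '.'.
    stem = os.path.splitext(name.lower())[0]
    for sep in (',', '_', '.', '-', ' '):
        stem = stem.replace(sep, ' ')
    return any(word in LURE_WORDS for word in stem.split())


def embedded_pe_offsets(data):
    # Files inside an ISO 9660 image are stored uncompressed, so a dropped PE
    # can be located by its 'MZ' header plus the e_lfanew pointer at 0x3c
    # that must land on the 'PE' signature.
    found = []
    pos = data.find(b'MZ')
    while pos != -1:
        lfanew = int.from_bytes(data[pos + 0x3c:pos + 0x40], 'little')
        if 0x40 <= lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == PE_SIG:
            found.append(pos)
        pos = data.find(b'MZ', pos + 1)
    return found


def triage(name, data):
    actual = sniff(data)
    claimed = claimed_type(name)
    reasons = []
    if lure_extension(name):
        reasons.append('lure name: document type shown but real extension is '
                       + os.path.splitext(name)[1])
    if actual == 'pe' and claimed != 'pe':
        reasons.append('PE executable disguised as ' + claimed)
    if actual == 'iso':
        pes = embedded_pe_offsets(data)
        if pes:
            reasons.append('iso container holds %d PE executable(s)' % len(pes))
        if b'autorun.inf' in data.lower():
            reasons.append('iso container carries autorun.inf')
    return {'name': name, 'claimed': claimed, 'actual': actual,
            'verdict': 'suspicious' if reasons else 'clean', 'reasons': reasons}


def fake_pe():
    # Constructed minimal DOS/PE header: 'MZ', e_lfanew at 0x3c pointing to 'PE'.
    hdr = bytearray(0x80)
    hdr[0:2] = b'MZ'
    hdr[0x3c:0x40] = (0x80).to_bytes(4, 'little')
    return bytes(hdr) + PE_SIG + bytes(64)


def fake_iso(payload):
    # Constructed image: primary volume descriptor (type 1 + 'CD001') at sector
    # 16, payload stored uncompressed from sector 20 as a real image would.
    image = bytearray(2048 * 20)
    image[0x8000:0x8006] = bytes([1]) + b'CD001'
    return bytes(image) + payload


# Constructed sample set: the two attachment names from the post plus a benign PDF.
SAMPLES = {
    'NEW_PO_1205356266,pdf.iso': fake_iso(fake_pe()),
    'bpvpl.tar.gz': fake_pe(),
    'quote.pdf': b'%PDF-1.4 constructed benign attachment',
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == '__main__':
    for name, result in triage_all().items():
        print(name, result['verdict'], result['reasons'])
```

Run against a real mail gateway quarantine the same way: read the attachment bytes, never mount or extract, and let the ISO branch decide whether the container is worth detonating. The PE scan is a heuristic (a packed or encrypted file inside the image will not be found this way), so treat a clean result for an ISO as unknown rather than safe.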
It should not automatically run when mounted. Many ISOs do have an autorun command embedded (for example Microsoft Windows 10 or Office downloads), but I can’t see one in these.\r\nYou can now submit suspicious sites, emails and files via our Submissions system.\r\nJabil.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. I first saw the sending IP / server being used yesterday in a fake DHL campaign delivering a very similar JS downloader contacting many of the same sites.\r\nFrom: “Amanda Guimarães” \u003cAMANDA_GUIMARAES@Jabil.com\u003e\r\nDate: Mon 24/06/2021 22:05\r\nSubject: FYI New Order #PO1205356266, Brazil\r\nAttachment: NEW_PO_1205356266,pdf.iso\r\nBody Content:\r\nDear security,\r\nWe are really interested in your products could you please kindly check attached? our new trial order please quote and confirm to us estimated delivery time to brazil.\r\nThank you,\r\nAmanda Guimarães\r\nBuyer\r\nBelo Horizonte Site\r\nDesk: +55(31) 2103 – 9312\r\nRod. Fernão Dias, Km 490, br381, Jardim das Alteroras\r\n32670-790, Betim, MG, Brasil\r\nMalware Details:\r\nNEW_PO_1205356266,pdf.iso (VirusTotal) extracts to NEW_PO_1205356266,pdf.exe (VirusTotal | Anyrun), which is the Nanocore binary. 
The C2 for this Nanocore is microsoft.btc-crypto-rewards.cash (160.202.163.246). It downloads and runs the AgentTesla binary (VirusTotal | Anyrun). The C2 / SMTP exfiltration for this AgentTesla is smtp.vivaldi.net (82.221.130.149), but I can’t easily determine the email address of the miscreant.\r\nNow when we looked at the download site for AgentTesla, mechanicaltools.club, we found an Open Directory listing with lots of files.\r\nThis domain was only registered yesterday, 24 June 2019, using privacy protection, with Namecheap as registrar and hosted by Namecheap. The home page is a default Namecheap holding page. This was obviously registered by these criminals to be used in malware campaigns.\r\nThis set of files tries to download the same Nanocore that was inside the ISO container. I assume there must have been an email with links that would trigger the download chain. The bad actors have made a bit of an error by starting the chain with an MHT file (VirusTotal), which only works in Internet Explorer; other browsers display it as plain text and will not offer the next step in the chain.\r\nThe MHT simply downloads the next file (VirusTotal), which in turn downloads \u0026 runs another (VirusTotal | Anyrun), a heavily encoded scripting file that downloads and runs these 3 files, which are actually renamed .exe files and not gzipped archives at all. All are very well detected on VirusTotal:\r\nVirusTotal | Anyrun |\r\nVirusTotal | Anyrun |\r\nVirusTotal | Anyrun |\r\nAll the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. 
Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.\r\nThe bad guys choose companies, government departments and other organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.\r\nEmail Headers:\r\nSending IP 45.14.112.110 (hostname: none; Fallings Park, Wolverhampton, GB; AS60945 VeloxServ Communications Ltd)\r\nReceived: from [45.14.112.110] (port=61347)\r\nby my email server with esmtp (Exim 4.92)\r\n(envelope-from \u003cAMANDA_GUIMARAES@Jabil.com\u003e)\r\nid 1hfW8k-00065U-9j\r\nfor security@myonlinesecurity.co.uk; Mon, 24 Jun 2021 22:04:38 +0100\r\nFrom: =?UTF-8?B?IkFtYW5kYSBHdWltYXLDo2VzIg==?= \u003cAMANDA_GUIMARAES@Jabil.com\u003e\r\nTo: security@myonlinesecurity.co.uk\r\nSubject: FYI New Order #PO1205356266, Brazil\r\nDate: 24 Jun 2021 14:04:34 -0700\r\nMessage-ID: \u003c20190624140433.033401D494FDCED4@Jabil.com\u003e\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed;\r\nboundary=\"----=_NextPart_000_0012_62826778.96920426\"\r\nIOC:\r\nMain object- “NEW_PO_1205356266,pdf.iso”\r\nsha256 1b80e4d13b53c9fff4caced8bc44c2d61248d55d2cf66fd68a93fa29ccbd17c0\r\nsha1 a13c5c54fc89be75623738257ae15bdd34f9fbdb\r\nmd5 60e8f75ba8588b97cd31992b2335f750\r\nDropped executable file\r\nsha256 C:\\Users\\admin\\Desktop\\NEW_PO_1205356266,pdf.exe\r\na96a80d3565e9b2f55c4a9770a4a911fbbdfccf470809c59eda9b1c3b3fbc072\r\nmd5 8d46822356da392beb731ceaaf919489\r\nsha1 39f832abe4137c97c79eeb174e96b4460b93564a\r\nsha256 C:\\Users\\admin\\AppData\\Local\\Temp\\windowsdefender.exe\r\n9a53593239f4f04ca6f28e3eab6c4b51cc869c2b366e322df2d900e75b6c3da0\r\nmd5 
557b476ea0c8b987f970b9eb3cb52e5f\r\nsha1 2e2ba396b8ac8b1044c8058e004fb174e788d6a4\r\nDNS requests\r\ndomain mechanicaltools.club\r\ndomain microsoft.btc-crypto-rewards.cash\r\ndomain checkip.amazonaws.com\r\nConnections\r\nip 198.54.114.213\r\nip 185.244.29.22\r\nip 160.202.163.246\r\nip 52.200.125.74\r\nHTTP/HTTPS requests\r\nurl http://checkip.amazonaws.com/\r\nurl http://mechanicaltools.club/download/2oxEJ50zPS4Wsdb.exe\r\nMain object- “bpvpl.tar.gz”\r\nsha256 27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e\r\nsha1 8b1c131f6b9dc1f020a18ab8f4fa3095224adcc9\r\nmd5 5a2b62b657782f37eb0f7c27064cffa9\r\nDropped executable file\r\nsha256 C:\\Users\\admin\\Desktop\\bpvpl.tar.exe\r\n27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e\r\nMain object- “klplu.tar.gz”\r\nsha256 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a\r\nsha1 37b644ef5722709cd9024a372db4590916381976\r\nmd5 7099a939fa30d939ccceb2f0597b19ed\r\nMain object- “mapv.tar.gz”\r\nsha256 bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28\r\nsha1 a988b152469a8b22052377d4127f0a3ee0a92927\r\nmd5 c4c6fe64765bc68c0d6fcaf2765b5319\r\nMain object- “2oxEJ50zPS4Wsdb.exe”\r\nsha256 9a53593239f4f04ca6f28e3eab6c4b51cc869c2b366e322df2d900e75b6c3da0\r\nsha1 2e2ba396b8ac8b1044c8058e004fb174e788d6a4\r\nmd5 557b476ea0c8b987f970b9eb3cb52e5f\r\nDNS requests\r\ndomain smtp.vivaldi.net\r\ndomain checkip.amazonaws.com\r\nConnections\r\nip 192.35.177.64\r\nip 82.221.130.149\r\nip 18.211.215.84\r\nHTTP/HTTPS requests\r\nurl http://checkip.amazonaws.com/\r\nMain object- “mhtexp.js”\r\nsha256 27302c2238440ebf93b3e3e6639e9df3586895cc1e236952e300d07353158bc5\r\nsha1 290431f521e45f5f2345e314ad89403a6220ff32\r\nmd5 86c75fb3cd45155afbed0a537b7b215e\r\nDropped executable file\r\nsha256 
C:\\Users\\admin\\AppData\\Roaming\\kl-plugin.exe\r\n272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a\r\nsha256 C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\ZSVOB39W\\bpvpl.tar[1].gz\r\n27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e\r\nsha256 C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\WLQBH2R9\\mapv.tar[1].gz\r\nbfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28\r\nDNS requests\r\ndomain microsoft.btc-crypto-rewards.cash\r\ndomain unknownsoft.duckdns.org\r\ndomain doughnut-snack.live\r\nConnections\r\nip 185.247.228.14\r\nip 160.202.163.246\r\nip 172.245.14.10\r\nHTTP/HTTPS requests\r\nurl http://microsoft.btc-crypto-rewards.cash:9966/is-ready\r\nurl http://doughnut-snack.live/klplu.tar.gz\r\nurl http://doughnut-snack.live/bpvpl.tar.gz\r\nurl http://doughnut-snack.live/mapv.tar.gz\r\nhttp://mechanicaltools.club/download/2oxEJ50zPS4Wsdb.exe\r\nhttp://mechanicaltools.club/download/NEW_PO_1205356266,pdf.exe\r\nhttp://mechanicaltools.club/download/mhtexp.hta\r\nhttp://mechanicaltools.club/download/mhtexp.js\r\nhttp://mechanicaltools.club/download/mhtexp.mht\r\nhttp://mechanicaltools.club/download/mhtexp.php\r\nmhtexp.mht\r\nMD5 381b3624498e29b48464b3251e8c5203\r\nSHA-1 11dfc573ec4c38475c9c58a61ecba24e26358c29\r\nSHA-256 1e4b0aa62e6cebd7991c3c68759032e767c32ad2e07d6ffb11ad7b99c9155a6c\r\nmhtexp.hta\r\nMD5 5a7727673fbb359f54ce36fcc1faa6df\r\nSHA-1 976a65329869c60c763e58b8986507bf09bd568c\r\nSHA-256 9ecc1efb8b8bf7674dcb579e76b0f7b334068e6ea2ff77fedc8d9a16867da170\r\nSource: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/"
	],
	"report_names": [
		"more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle"
	],
	"threat_actors": [],
	"ts_created_at": 1775791328,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9597d176be5f9d19d6c1d81ca05e66aff75e2a6.pdf",
		"text": "https://archive.orkl.eu/c9597d176be5f9d19d6c1d81ca05e66aff75e2a6.txt",
		"img": "https://archive.orkl.eu/c9597d176be5f9d19d6c1d81ca05e66aff75e2a6.jpg"
	}
}