{
	"id": "4397b44d-7bce-4ef1-b425-327ca06f872a",
	"created_at": "2026-04-06T00:12:50.010661Z",
	"updated_at": "2026-04-10T03:37:08.688428Z",
	"deleted_at": null,
	"sha1_hash": "ea1d5ca00740ed5e96b3943c5c7cc64d48eaef5e",
	"title": "Infostealer Being Distributed via Spam Email (AgentTesla) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1122014,
	"plain_text": "Infostealer Being Distributed via Spam Email (AgentTesla) - ASEC\r\nBy ATCP\r\nPublished: 2023-09-26 · Archived: 2026-04-05 15:33:20 UTC\r\nAhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed through an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. This blog post will provide an explanation of the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques.\r\nFigure 1 shows the body of the spam email distributing the AgentTesla malware. It deceives recipients by mentioning in the subject line that the email was sent from an alternative email account and then encourages them to execute the malicious file (.BAT). As shown in Figure 2, the attached zip (compressed) file contains a batch script file (.BAT). The BAT file is a type of script file that is run by the Windows application cmd.exe when executed.\r\nhttps://asec.ahnlab.com/en/57546/\r\nPage 1 of 7\r\nFigure 1. Body of the phishing email\r\nFigure 2. Malicious script (.bat) inside the attached zip file\r\nFigure 3 shows the obfuscated BAT script file. As shown in the EDR detection screen in Figure 4, the BAT file copies itself using the xcopy command when executed. Additionally, it disguises a normal powershell.exe with a png extension and copies it.\r\nFigure 3. Malicious BAT file\r\nFigure 4. xcopy command executed via cmd.exe (EDR showing the BAT file being copied along with powershell.exe which has been disguised with a png extension)\r\nAfterward, it executes PowerShell commands through powershell.exe (Lynfe.png) which has been disguised with a png extension. As depicted in Figure 5, the EDR detection screen displays the PowerShell process name as a process with the png extension (Lynfe.png), and it is this process that executes the PowerShell commands.\r\nFigure 5. EDR displaying the PowerShell script that was executed via cmd.exe\r\nFigure 6 shows the decoded PowerShell commands. The PowerShell commands decode (gzip, reverse) the data encoded within the BAT file, create a DLL payload, and load it into the PowerShell process. As shown in Figure 7, the loaded DLL executes the decoded shellcode, which, in turn, performs additional decoding routines and ultimately runs the AgentTesla malware in memory.\r\nFigure 6. Decoded PowerShell commands that load the .NET DLL encoded within the BAT file\r\nFigure 7. .NET DLL feature that executes the decoded shellcode\r\nFigure 8 shows the feature of the AgentTesla malware, which is ultimately executed by the PowerShell process (Lynfe.png). This feature is responsible for stealing account credentials from a specific browser (Edge). It collects account credential-related data through various paths in this manner, and Table 1 provides a glimpse of the collection paths for the stolen information.\r\nFigure 8. Account credential-stealing feature of the final payload, AgentTesla\r\nA Portion of Collection Paths for Account Credential-related Data\r\n“Sputnik\\Sputnik\\User Data”\r\n“Elements Browser\\User Data”\r\n“\\NETGATE Technologies\\BlackHawk\\”\r\n“BraveSoftware\\Brave-Browser\\User Data”\r\n“\\Waterfox\\”\r\n“uCozMedia\\Uran\\User Data”\r\n“Opera Software\\Opera Stable”\r\n“Microsoft\\Edge\\User Data”\r\n“\\Comodo\\IceDragon\\”\r\n“CatalinaGroup\\Citrio\\User Data”\r\n“7Star\\7Star\\User Data”\r\n“Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer”\r\n“Yandex\\YandexBrowser\\User Data”\r\n“\\Thunderbird\\”\r\n“Chedot\\User Data”\r\n“Iridium\\User Data”\r\n“Kometa\\User Data”\r\n“Chromium\\User Data”\r\n“QIP Surf\\User Data”\r\n“\\Mozilla\\Firefox\\”\r\n“\\Mozilla\\SeaMonkey\\”\r\n“\\K-Meleon\\”\r\n“liebao\\User Data”\r\n“CocCoc\\Browser\\User Data”\r\n“\\Mozilla\\icecat\\”\r\n“Amigo\\User Data”\r\n“Vivaldi\\User Data”\r\n“Orbitum\\User Data”\r\n“MapleStudio\\ChromePlus\\User Data”\r\n“360Chrome\\Chrome\\User Data”\r\n“Google\\Chrome\\User Data”\r\n“Comodo\\Dragon\\User Data”\r\n“Epic Privacy Browser\\User Data”\r\n“\\Flock\\Browser\\”\r\n“\\Postbox\\”\r\n“Coowon\\Coowon\\User Data”\r\n“\\Moonchild Productions\\Pale Moon\\”\r\n“\\8pecxstudios\\Cyberfox\\”\r\n“Torch\\User Data”\r\n“CentBrowser\\User Data”\r\nTable 1. A portion of collection paths for account credential-related data\r\nIn Figure 9, which is the EDR detection screen for infostealing behavior, you can see that the PowerShell process disguised as a png file accessed the account credential within a browser.\r\nFigure 9. EDR showing evidence of AgentTesla’s account credential theft\r\nAfter stealing information, AgentTesla, which is running within the PowerShell process (Lynfe.png), transfers the collected data to an FTP server controlled by the threat actor, as depicted in Figure 10.\r\nFigure 10. The feature of the final payload, AgentTesla, to transfer stolen information to a C2 via FTP\r\nUsing EDR’s evidence data, we explained the infection flow of AgentTesla Infostealer that is being distributed through spam emails. The threat actor employed a sophisticated fileless technique that does not create an EXE file and cunningly disguised the distribution email by writing in the subject line that the email had been sent from an alternative email account. It is essential to exercise caution when opening attachments and ensure that there is no extension present that is capable of executing malware. Additionally, continuous monitoring using security products is crucial for detecting and controlling unauthorized access from threat actors.\r\n[Behavior Detection]\r\nCredentialAccess/EDR.Event.M11362\r\n[File Detection]\r\nTrojan/BAT.Agent.SC192347\r\nMD5\r\n6d9821bc1ca643a6f75057a97975db0e\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/57546/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/57546/"
	],
	"report_names": [
		"57546"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea1d5ca00740ed5e96b3943c5c7cc64d48eaef5e.pdf",
		"text": "https://archive.orkl.eu/ea1d5ca00740ed5e96b3943c5c7cc64d48eaef5e.txt",
		"img": "https://archive.orkl.eu/ea1d5ca00740ed5e96b3943c5c7cc64d48eaef5e.jpg"
	}
}