{
	"id": "66e524d8-0657-4155-9bf7-96b0528973be",
	"created_at": "2026-04-06T00:13:27.886429Z",
	"updated_at": "2026-04-10T03:22:49.653887Z",
	"deleted_at": null,
	"sha1_hash": "fcbfe2eaebfd640240e525246436a021b7288fc7",
	"title": "Scumbag Combo: Agent Tesla and XpertRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 566605,
	"plain_text": "Scumbag Combo: Agent Tesla and XpertRAT\r\nPublished: 2018-12-18 · Archived: 2026-04-05 19:50:42 UTC\r\nUnity is strength – this age old adage is true for just about everyone, even the bad guys.\r\nIt has become a common practice for threat actors to work in tandem for various reasons, viz. better chances of\r\nevading detection, increased magnitude or sophistication of the attack, etc., all of which are means to higher ill-gotten gains. And the availability of (malicious) source code on popular platforms like GitHub, Pastebin, etc. only\r\nmakes life easier for these cyber criminals.\r\nWith this blog post we are going to explain one such recent “collaboration” which we would like to dub “The\r\nScumbag Combo”, a true story of two malware families coming together to victimize the innocent and vulnerable.\r\nFirst, an introductory pictorial representation of the infection flow (Figure 1) before going into the morbid details.\r\nFigure 1: Infection flow\r\nIt all starts with a spam email containing an XLSX attachment that exploits the Microsoft Equation Editor’s\r\nremote code execution vulnerability (CVE-2017-11882) to download the file vbs.exe hosted on an open directory\r\n(Figure 2), save it as svchost.exe under %AppData% directory and automatically execute it. That covers half the\r\npicture and is fairly standard stuff, but then the rest gets pretty interesting.\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 1 of 8\n\nFigure 2: Open directory\r\nOn execution, this fake svchost.exe decrypts the code responsible for the delivery of the aforementioned scumbags\r\ninto allocated heap memory, and transfers the control to it (Figure 3).\r\nFigure 3: Decryption routine\r\nThis decrypted code then continues to construct an import table for APIs to be used later. Additionally, it also\r\nchecks for the presence of malware analysis and debugging tools (Figure 4), as well as anti-malware processes\r\n(Figure 5).\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 2 of 8\n\nFigure 4: Malware analysis and debugging tools\r\nFigure 5: Anti-malware processes\r\nIt further looks for the following anti-malware processes:\r\navp.exe\r\nbdwtxag.exe\r\nbdagent.exe\r\ndwengine.exe\r\navastui.exe\r\nIf any of the aforementioned processes are found it terminates itself.\r\nIf suitably assuaged, it continues to create a folder called “folder” under %AppData% and copies itself to this\r\nlocation as folder.exe (Figure 6).\r\nFigure 6: Self-copy as folder.exe\r\nAs the next step it decrypts a PE file LUCKYGUY2NEW.exe (Figure 7) into allocated heap memory, drops it under\r\nthe %temp% folder, and executes it using the API ShellExecuteW.\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 3 of 8\n\nFigure 7: Decrypting LUCKYGUY2NEW.exe\r\nThis binary, LUCKYGUY2NEW.exe, which is found to be an MSIL file, is the first of the scumbag duo to get onto\r\nthe compromised system: Agent Tesla. It has keylogging, screen and video capturing, and password stealing\r\ncapabilities. The password stealing module can extract saved passwords (Instagram, Twitter, Gmail, Facebook,\r\netc.) from various browsers (Figure 8), mails and FTP clients.\r\nFigure 8: MSIL methods used for stealing passwords\r\nHaving delivered the Agent Tesla component, svchost.exe goes on to execute its copy folder.exe from within\r\n%AppData%\\folder, which orchestrates the dramatic entry of the second protagonist of the scumbag show:\r\nXpertRAT. After executing folder.exe, the svchost.exe process gets terminated.\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 4 of 8\n\nNote, persistence of folder.exe is handled by a VB script folder.vbs dropped in the Startup directory (Figure 9).\r\nFigure 9: VBS in Startup folder\r\nfolder.exe does a redundant check for traces of the same set of malware analysis/debugging tools and anti-malware processes as depicted in Figures 4 and 5 above.\r\nNext it decrypts yet another PE file in yet another blob of heap memory. And if you think that this is the XpertRAT\r\ncomponent, well, you are plain wrong. Dumping the file from memory revealed it to be a Visual Basic compiled\r\nbinary which injects into a legitimate Microsoft Internet Explorer (iexplore.exe) process.\r\nfolder.exe then creates another folder.exe process in a suspended state, injects the decrypted Visual Basic binary\r\ninto it and resumes the thread (Figure 10). By the way, what’s with these guys and the word “folder”?! No\r\nimagination. Sheesh!\r\nFigure 10: Injection of the latest decrypted binary\r\nOnce the injected process begins executing, it spawns the legitimate iexplore.exe process in a suspended state,\r\ninjects its own code into it and resumes the thread. This then connects to a Command and Control server (C\u0026C or\r\nC2) to which it sends the compromised system information (Figure 11), and requests for the Remote Access\r\nTrojan (RAT) component – XpertRAT.\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 5 of 8\n\nFigure 11: C\u0026C communication (compromised system information)\r\nThe C\u0026C server, after validating the information from the compromised system, will respond with the RAT\r\ncomponent – passwords.dll, an XpertRAT plugin as depicted in Figure 12.\r\nFigure 12: The XpertRAT plugin – image courtesy app.any.run\r\nThis plugin is used to retrieve all the usernames and passwords (Instagram, Twitter, Gmail, Facebook, etc.) stored\r\nin various browser caches and emails on the compromised system, which may then be stored in a text file to be\r\neither dispatched to the C\u0026C or accessed remotely.\r\nLo and behold, all the actors are now on stage.\r\nBut worry not K7 users, for as always, we have you covered at every single layer of this attack! 🙂\r\nSecurity Guidelines\r\nInstall the latest service packs \u0026 hotfixes from Microsoft and enable automatic update/notification for\r\npatches on Windows.\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 6 of 8\n\nCultivate the usage of spam filters.\r\nDo not open any email attachment that looks suspicious or that you weren’t expecting.\r\nCheck the email and make sure it is not spoofed before downloading and opening any attachments.\r\nUpgrade all applications to the latest • stable versions.\r\nInstall, enable and regularly update reliable security software such as K7 Total Security.\r\nIndicators of Compromise (IoCs)\r\nFiles:\r\nHash Component K7 Detection\r\n528D53B945516C8F18C63C5B8DF4695E XLSX attachment Trojan ( 0001140e1 )\r\nE0374BCC3615F00CDD9C9E3845A1EB74 svchost.exe / vbs.exe Riskware ( 0040eff71 )\r\n88A93172E9BB75CE8638C36FF744BE55 LUCKYGUY2NEW.exe Trojan ( 0052d5341 )\r\n9F9C272BF3372F6EE920DEAA00926689 folder.vbs Trojan ( 0001140e1 )\r\n5C3E2E94AF5622A06D06EAC83CFA4C2B VB file dumped from memory Trojan ( 004be7cd1 )\r\n2EEC4FEAAD2D41A806A8D3197A4F538B passwords.dll Trojan ( 0001140e1 )\r\nURLs:\r\nDynamic detection:\r\nBehaviour based detection of folder.exe process injection into iexplore.exe\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 7 of 8\n\nSource: https://labs.k7computing.com/?p=15672\r\nhttps://labs.k7computing.com/?p=15672\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/?p=15672"
	],
	"report_names": [
		"?p=15672"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcbfe2eaebfd640240e525246436a021b7288fc7.pdf",
		"text": "https://archive.orkl.eu/fcbfe2eaebfd640240e525246436a021b7288fc7.txt",
		"img": "https://archive.orkl.eu/fcbfe2eaebfd640240e525246436a021b7288fc7.jpg"
	}
}