AgentTesla Being Distributed via VBS

The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.

The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified.

Distributed email

The compressed file contains the VBS, and commonly used filenames include invoices and proposals. The confirmed filenames are as follows:

10/12№ 106 – Supply of Flex.vbs
protected copy of the commercial invoice.vbs
10/15Urgent RFQ No.6554342.vbs
10/17Order List(Draft) 9419-PDF.vbs
10/21BEST SOLU.vbs
Confirmed filenames

The confirmed VBS files contain multiple annotations and dummy codes.

Confirmed VBS file

Aside from the multiple annotations and dummy codes, there is a code at the bottom responsible for reading the strings in the currently running VBS file excluding every 2 characters

Code inside the VBS

When this code is executed, the strings that were in the annotations are decoded and a new script code is executed. The decoded code includes an obfuscated shellcode and an additional PowerShell command.

Decoded VBS code

When the above script code is executed, the value of ‘Ch8’, an obfuscated shellcode, is saved to HKCU\Software\Basilicae17\Vegetates.

Value saved to the registry

Afterward, the value of the ‘O9’ variable is executed through PowerShell. The ‘O9’ variable contains a PowerShell command, and the executed command is obfuscated as shown below.

powershell.exe  “$Quegh = “””DatFMaruBidnMescFultkariStaoPtenKol EftHStaTBesBCel Uer{Taw fem Las Ude UndpLawaDokrSlaaQuamAsi(Uhj[DagSBontUnbrSkaiTilnHalgTis]Fes`$LivHPerSWir)Con;Fat Ret Hjl Amp Aft`$IntBLavySaltfaseBinsEno Che=Sax CenNDvdeDoswCyp-VovOShab <ommited> Ind5Nin3Ree#Apo;”””;;
Function Tammy159 { param([String]$HS);  For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Statice = $Statice + $HS.Substring($i, 1);   }    $Statice;}
$Ambulancetjeneste1820 = Tammy159 ‘UnsIPujEFolXInt ‘;
$Ambulancetjeneste1821= Tammy159 $Quegh;
& ($Ambulancetjeneste1820) $Ambulancetjeneste1821;;
PowerShell command that is executed

The PowerShell code decodes the obfuscated value saved on the ‘$Quegh’ variable by excluding every 3 characters. (ex.  UnsIPujEFolXInt -> IEX)
The decoded command is also obfuscated, and the code that is ultimately executed is as follows.

The PowerShell command that is executed ultimately

The obfuscated shellcode that was saved before in HKCU\Software\Basilicae17\Vegetates is decoded in base64 and executed. The executed shellcode injects the AgentTesla malware into CasPol.exe, a normal process. AgentTesla is an info-stealer that collects user PC information, compresses it into CO_[username]/[PC name].zip and leaks it via email.

The email information used is as follows.

  • From :
  • To :
  • pw : Fb56****65fr
Leaked information

AgentTesla is malware that is also prevalent in weekly statistics, and its distribution method is continuously changing. Also, caution is advised because a variety of malware can be executed aside from AgentTesla according to the shellcode.

[File Detection]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating

Inline Feedbacks
View all comments