Wordfence cybersecurity researchers: The versions involved are up to, and including, 0.3.11. The issue has been completely fixed in 0.3.12.
Technical analysis by the Malware Hunter JAMESWT
AgentTesla campaign via the CVE-2017-11882 exploit. The .doc file contacts a URL from which it downloads an .exe that starts the malware infection. Data is stolen via SMTP, with an e-mail to a Gmail address.
The email with the subject “Re: ** TOP URGENT ** Shipping Documents” distributes a new AgentTesla campaign.
The .doc attachment uses the CVE-2017-11882 exploit to contact a URL and download an .exe file, from which the malware infection starts.
Stolen data is then exfiltrated via SMTP, with an e-mail to a Gmail address.
AgentTesla's keylogger function captures everything the user types. It can also steal browser and e-mail credentials and take screenshots. Finally, it can execute commands issued remotely on the infected PC, such as downloading additional payloads or updating existing ones.
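The infection chain above (Office document exploit, dropped .exe, SMTP exfiltration to Gmail) can be turned into simple endpoint detection logic. The following is an added example, not code from JAMESWT's analysis: it walks constructed Sysmon-style process and network events and flags the suspicious links in the chain. Process names, the sample host names and the event format are assumptions; the only fact taken from outside the page is that CVE-2017-11882 targets the Office Equation Editor process, eqnedt32.exe.

```python
"""Toy detection over Sysmon-style events for an AgentTesla-like chain:
Office doc -> exploit -> dropped .exe -> SMTP exfiltration to Gmail."""

# Assumed process names. eqnedt32.exe is the Equation Editor, the
# component CVE-2017-11882 targets; it has no reason to touch the network.
OFFICE_PROCS = {"winword.exe", "excel.exe", "eqnedt32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # legitimate SMTP talkers
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry (not real logs), in chronological order.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": "winword.exe", "ppid": 1},
    {"type": "process", "pid": 101, "image": "eqnedt32.exe", "ppid": 100},
    {"type": "net", "pid": 101, "image": "eqnedt32.exe", "host": "download.example.invalid", "port": 80},
    {"type": "process", "pid": 102, "image": "dropped.exe", "ppid": 101},
    {"type": "net", "pid": 102, "image": "dropped.exe", "host": "smtp.gmail.com", "port": 587},
    {"type": "process", "pid": 200, "image": "outlook.exe", "ppid": 1},
    {"type": "net", "pid": 200, "image": "outlook.exe", "host": "smtp.gmail.com", "port": 587},
]


def detect_chain(events):
    """Return (kind, detail) alerts for the three stages of the chain."""
    tainted = set()   # pids that descend from an Office process
    alerts = []
    for e in events:
        img = e["image"].lower()
        if e["type"] == "process":
            if img in OFFICE_PROCS or e["ppid"] in tainted:
                tainted.add(e["pid"])
                if img not in OFFICE_PROCS:   # Office lineage spawned a foreign binary
                    alerts.append(("spawn", f"{img} (pid {e['pid']}) under Office lineage"))
        elif e["type"] == "net":
            if e["pid"] in tainted and e["port"] in (80, 443):   # payload download stage
                alerts.append(("download", f"{img} -> {e['host']}:{e['port']}"))
            if e["port"] in SMTP_PORTS and img not in MAIL_CLIENTS:  # exfiltration stage
                kind = "exfil-office-chain" if e["pid"] in tainted else "smtp-non-mail-client"
                alerts.append((kind, f"{img} -> {e['host']}:{e['port']}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_chain(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

Outlook's own SMTP session is not flagged, while the dropped binary's session is reported as the full chain because its ancestry leads back to the Office document.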