
Cybercrime, AgentTesla campaign via Guloader with a payment theme

Malware Hunter JAMESWT technical analysis

Payment-themed AgentTesla campaign via Guloader. The .gz attachment contains a VBS that contacts two URLs on the same domain and downloads further scripts, which execute the final malware. Stolen data is exfiltrated via the Telegram API.

New AgentTesla campaign via Guloader with a payment theme.

The .gz attachment of an email contains a VBS that contacts two URLs on the same domain and downloads further scripts, which execute the final malware. The stolen data is then exfiltrated through a Telegram API bot.

AgentTesla, through its keylogger function, captures everything the user types. It can also steal email and browser credentials and take screenshots. Finally, it can receive commands issued remotely to the infected PC, such as downloading additional payloads or updating existing ones.
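As an added example (not part of JAMESWT's analysis), the two behaviours described above, a script host pulling several stages from one domain and stolen data leaving through the Telegram Bot API, can be hunted for in proxy logs. The log format, host names, process names and bot token below are constructed for the example and are not indicators from this campaign.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines; assumed format: "<ts> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 ws01 chrome.exe GET https://www.example.com/index.html
2024-01-01T10:00:05 ws01 wscript.exe GET https://cdn.example.net/stage1.txt
2024-01-01T10:00:07 ws01 wscript.exe GET https://cdn.example.net/stage2.txt
2024-01-01T10:00:12 ws01 dropped.exe POST https://api.telegram.org/bot123456789:AAFakeTokenExample/sendDocument
2024-01-01T10:00:13 ws01 dropped.exe POST https://api.telegram.org/bot123456789:AAFakeTokenExample/sendMessage
2024-01-01T10:02:00 ws02 chrome.exe GET https://cdn.example.net/stage1.txt
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Telegram Bot API paths embed the bot token: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_line(line):
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def find_telegram_exfil(lines):
    """Return (host, process, api_method, redacted_token) for every Bot API call seen."""
    hits = []
    for rec in map(parse_line, lines):
        u = urlsplit(rec["url"])
        m = BOT_API_RE.match(u.path)
        if u.hostname == "api.telegram.org" and m:
            bot_id, secret, api_method = m.groups()
            # Redact the secret: the token is a credential, keep it out of alerts and tickets
            hits.append((rec["host"], rec["proc"], api_method, f"{bot_id}:{secret[:2]}***"))
    return hits


def find_script_stagers(lines, min_urls=2):
    """Return (host, domain) pairs where a script host fetched >= min_urls distinct URLs from one domain."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["proc"].lower() in SCRIPT_HOSTS:
            seen[(rec["host"], urlsplit(rec["url"]).hostname)].add(rec["url"])
    return sorted(key for key, urls in seen.items() if len(urls) >= min_urls)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_telegram_exfil(lines):
        print("telegram bot api call:", hit)
    for hit in find_script_stagers(lines):
        print("script host multi-stage download:", hit)
```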
