Two emails with different GZ attachments contain the same CHM file. The CHM downloads and launches the malware. Stolen data is exfiltrated via an FTP server belonging to a Bosnian company.
Technical analysis by the Malware Hunter JAMESWT
New AgentTesla courier-themed campaign. The GZ attachment of the email directly contains the malware (an EXE file), which steals sensitive information and exfiltrates it via FTP.
AgentTesla returns with a new courier-themed campaign. The lure is an email about a supposed failed delivery, with a GZ archive attached.
The archive directly contains the malware (an executable file). Once launched, it steals sensitive information from the victim and exfiltrates it via FTP.
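Both campaigns above rely on a GZ attachment whose real content (a CHM in one case, an EXE in the other) differs from what the lure suggests, and in the first campaign the same CHM is reused across mails. The check below is an added example, not code from the original bulletin or from the analyst: it decompresses a GZ attachment, identifies the payload by its magic bytes rather than by the declared file name, and hashes the payload so that the same file delivered under different attachment names is recognised. The attachment names and payload bytes are constructed for the example and are not indicators from the campaign.

```python
import gzip
import hashlib
import io

# Magic bytes of the payload types described in the bulletin.
MAGIC = {
    b"ITSF": "chm",  # Microsoft Compiled HTML Help
    b"MZ": "exe",    # PE executable (exe/dll/scr)
}


def gzip_member_name(blob: bytes):
    """Return the FNAME field of a gzip header, or None if absent (RFC 1952)."""
    flags = blob[3]
    pos = 10  # fixed header length
    if flags & 0x04:  # FEXTRA: 2-byte length followed by extra data
        xlen = int.from_bytes(blob[pos:pos + 2], "little")
        pos += 2 + xlen
    if not flags & 0x08:  # FNAME not set
        return None
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1")


def classify_gz_attachment(blob: bytes, max_size: int = 50 * 1024 * 1024):
    """Return (kind, declared_name, sha256) for a .gz attachment.

    kind is 'chm', 'exe', 'other', 'not-gzip', 'corrupt' or 'too-large'.
    Decompression is capped at max_size so a decompression bomb cannot
    exhaust memory; the declared name is reported but never trusted.
    """
    if len(blob) < 18 or not blob.startswith(b"\x1f\x8b"):
        return ("not-gzip", None, None)
    declared = gzip_member_name(blob)
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
            payload = gz.read(max_size + 1)
    except (OSError, EOFError):
        return ("corrupt", declared, None)
    if len(payload) > max_size:
        return ("too-large", declared, None)
    kind = "other"
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            kind = name
            break
    return (kind, declared, hashlib.sha256(payload).hexdigest())


def triage(attachments: dict):
    """Classify every attachment: {attachment_name: (kind, declared, sha256)}."""
    return {name: classify_gz_attachment(blob) for name, blob in attachments.items()}


def duplicate_payloads(attachments: dict):
    """Group attachments that decompress to the identical payload (by SHA-256)."""
    by_hash = {}
    for name, (_, _, sha) in triage(attachments).items():
        if sha is not None:
            by_hash.setdefault(sha, []).append(name)
    return {sha: names for sha, names in by_hash.items() if len(names) > 1}


def make_gz(declared_name: str, payload: bytes) -> bytes:
    """Build a gzip blob carrying an FNAME header (used to construct samples)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=declared_name, mode="wb", fileobj=buf) as gz:
        gz.write(payload)
    return buf.getvalue()


# Constructed samples (not real campaign files): two mails carrying the same
# CHM under different names, one mail carrying an EXE, and a benign text file.
FAKE_CHM = b"ITSF\x03\x00\x00\x00" + b"\x00" * 60
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "notice_1.gz": make_gz("notice.chm", FAKE_CHM),
    "notice_2.gz": make_gz("parcel.doc", FAKE_CHM),
    "delivery_failed.gz": make_gz("delivery_failed.pdf.exe", FAKE_EXE),
    "report.gz": make_gz("report.txt", b"plain text, nothing to see"),
}

if __name__ == "__main__":
    for name, (kind, declared, sha) in triage(SAMPLES).items():
        print(f"{name}: {kind} (declared {declared!r}) {sha}")
    print("duplicates:", duplicate_payloads(SAMPLES))
```

The classification ignores the extension in the gzip FNAME field on purpose: a double extension such as `.pdf.exe` or a CHM renamed to `.doc` still starts with `MZ` or `ITSF`. Hashing the decompressed payload rather than the attachment is what links the two mails in the first campaign, since different gzip headers (name, timestamp) give different attachment hashes for the same inner file.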
AgentTesla, through its keylogger function, captures everything the user types. It can also extract email and browser credentials and take screenshots. Finally, it can receive commands remotely on the infected PC, such as downloading additional payloads or updating existing ones.
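Because the stolen data leaves the machine over FTP, the control channel is plaintext and the upload is visible to any sensor that sees port 21. The detector below is an added example, not code from the bulletin or from the analyst: it parses a constructed log of FTP commands (the `src:port -> dst:port COMMAND ARG` format, the addresses, the credentials and the file names are all made up for the example, not indicators from the campaign), groups commands per session, and flags sessions that log in and upload (`STOR`, `STOU`, `APPE`) to a host outside the organisation's own ranges. Internal FTP backups and external downloads are left alone.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FTP control-channel commands as a sensor or proxy
# might record them. Not real traffic from the campaign.
SAMPLE_LOG = """\
10.0.0.12:49812 -> 203.0.113.45:21 USER ftpuser
10.0.0.12:49812 -> 203.0.113.45:21 PASS s3cret
10.0.0.12:49812 -> 203.0.113.45:21 TYPE I
10.0.0.12:49812 -> 203.0.113.45:21 STOR passwords.html
10.0.0.12:49812 -> 203.0.113.45:21 STOR screenshot.png
10.0.0.12:49812 -> 203.0.113.45:21 QUIT
10.0.0.20:51000 -> 10.0.0.50:21 USER backup
10.0.0.20:51000 -> 10.0.0.50:21 PASS backup
10.0.0.20:51000 -> 10.0.0.50:21 STOR nightly.tar
10.0.0.31:52200 -> 198.51.100.9:21 USER anonymous
10.0.0.31:52200 -> 198.51.100.9:21 RETR readme.txt
"""

LINE = re.compile(r"^(\S+):\d+ -> (\S+):(\d+) (\S+)(?: (.*))?$")
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}

# Assumed internal address space (RFC 1918); adjust to the real environment.
# Checked explicitly rather than with ip_address().is_global, which also
# treats the documentation ranges used in this sample as non-global.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_ftp_log(text: str):
    """Group (COMMAND, ARG) pairs by (src, dst, dport), preserving order."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        src, dst, dport, cmd, arg = m.groups()
        sessions[(src, dst, int(dport))].append((cmd.upper(), arg or ""))
    return sessions


def find_external_uploads(text: str):
    """Return one alert per session that uploads files to a non-internal host."""
    alerts = []
    for (src, dst, dport), cmds in parse_ftp_log(text).items():
        if is_internal(dst):
            continue  # internal FTP (e.g. backups) is out of scope here
        uploads = [arg for cmd, arg in cmds if cmd in UPLOAD_CMDS]
        if not uploads:
            continue  # downloads from external FTP are not exfiltration
        user = next((arg for cmd, arg in cmds if cmd == "USER"), None)
        alerts.append({
            "src": src,
            "dst": dst,
            "port": dport,
            "user": user,          # plaintext on the wire, useful for pivoting
            "files": uploads,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_external_uploads(SAMPLE_LOG):
        print(f"{alert['src']} uploaded {alert['files']} to "
              f"{alert['dst']}:{alert['port']} as {alert['user']!r}")
```

Because the FTP login is sent in clear, the `USER` value and the destination host recovered from such a session can be turned directly into blocking rules and into a search across other hosts for the same destination, which is how a single infected workstation leads to the rest of the campaign's victims.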