Technical analysis by the Malware Hunter JAMESWT
New AgentTesla campaign is hiding behind a fake email from Brazil
A new cybercrime campaign spreading AgentTesla is hiding behind a fake email from Brazil. The message, referring to an alleged purchase offer, carries a compressed attachment in GZ format with an executable inside: the malware itself.
If the executable is run, it infects the machine and then exfiltrates the stolen data.
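A mail-gateway or triage check for exactly this lure, a GZ attachment that wraps a Windows executable, as an added example that is not code from the original article or from the analyst cited above. It parses the gzip header (RFC 1952) for the original file name, decompresses only the first few kilobytes of the member, and looks for a DOS/PE header. The two samples at the bottom are constructed in the script itself (a fake MZ/PE stub, not real malware); the inner file names are assumptions.

```python
import gzip
import io
import struct

# Extensions that should never arrive inside a "purchase order" attachment.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def gzip_original_name(blob: bytes):
    """Walk the gzip header and return the FNAME field (original file name), if present."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        return None
    flags = blob[3]
    pos = 10  # fixed 10-byte header: magic, CM, FLG, MTIME, XFL, OS
    if flags & 0x04:  # FEXTRA: 2-byte length followed by the extra field
        xlen = struct.unpack_from("<H", blob, pos)[0]
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: zero-terminated original file name (latin-1)
        end = blob.index(b"\x00", pos)
        return blob[pos:end].decode("latin-1")
    return None


def triage_gz_attachment(blob: bytes, peek: int = 4096) -> dict:
    """Inspect a GZ attachment without fully decompressing it."""
    result = {"is_gzip": blob[:2] == b"\x1f\x8b", "inner_name": None,
              "exec_extension": False, "pe_inside": False, "suspicious": False}
    if not result["is_gzip"]:
        return result
    name = gzip_original_name(blob)
    result["inner_name"] = name
    if name:
        result["exec_extension"] = name.lower().endswith(EXEC_EXTS)
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        head = gz.read(peek)  # bounded read, so a decompression bomb cannot exhaust memory
    result["pe_inside"] = is_pe(head)
    result["suspicious"] = result["pe_inside"] or result["exec_extension"]
    return result


# --- constructed samples for an offline run; the PE stub is a header only, not a program ---
def build_fake_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 58)  # minimal 60-byte DOS header
    dos += struct.pack("<I", 64)           # e_lfanew: PE signature at offset 64
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_gz(inner_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    # GzipFile writes the FNAME header field when given a filename
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


MALICIOUS_SAMPLE = build_sample_gz("Purchase_Order.exe", build_fake_pe())  # assumed lure name
BENIGN_SAMPLE = build_sample_gz("invoice.csv", b"item,qty\nwidget,3\n")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_gz_attachment(blob))
```

The PE check on the decompressed bytes is the one that matters: the FNAME field is attacker-controlled and may be absent or renamed, so an extension match alone should only raise the score, never clear the file.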
AgentTesla, through its keylogger function, captures everything the user types. It can also steal credentials saved in browsers and email clients and take screenshots. Finally, it can execute commands sent remotely to the infected PC, such as downloading additional payloads or updating the ones already installed.