Severity: High | Category: Phishing

AgentTesla JScript Dropper — RFQ Spear-Phishing Loader

Published: March 12, 2026
Threat Actors: No specific threat actor attribution can be made from this sample alone
Tags: phishing, agenttesla, social-engineering, c2, apt, spearphishing

Executive Summary

This sample is a heavily obfuscated JScript (Windows Script Host) dropper distributed as a spear-phishing lure disguised as a "Request For Quote" document (RFQ No 600002389875 RG724.JS). When a victim runs it (via Windows Script Host / wscript.exe), the script peels back multiple layers of obfuscation to reconstruct and execute an AgentTesla payload. The dropper writes PE executables to C:\Users\Public\ under an image file extension (.png) to evade casual inspection, spawns PowerShell with iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...))) for in-memory execution, and establishes HKCU Run-key persistence. VirusTotal engines detect this sample as JS:Trojan.Cryxos and associate it with the Formbook/AgentTesla credential-theft family; 20 of 76 engines flagged it at first submission on 2026-03-12.


Sample Metadata

Field | Value
Filename | RFQ No 600002389875 RG724.JS
SHA256 | 6721891351a9aadcd1be105bbeacf147d9f1ceff2c26eb5f275cdcc946b03205
MD5 | 0dd621e5b0eb684d0855c4e2b3b69c8f
SHA1 | c520845a299c9f4a5c99ddf1badc898d76a4bbf3
File Type | text/plain; Unicode text, UTF-8, CRLF line terminators
File Size | 4,177,565 bytes (~4.0 MB)
MIME | application/javascript
VT Detections | 20 / 76 (2026-03-12)
Reporter | abuse.ch (MalwareBazaar first-seen 2026-03-12 15:48:31)
Tags | AgentTesla, js, dropper, Cryxos

Static Analysis Findings

File Structure — Obfuscation by File Inflation

The file contains 1,651 logical lines but only 3 unique lines:

Line Type | Count | Description
Junk filler line A | 1,082 | this.VBEOISTOWR += "..." — repeating Unicode junk with no trailing whitespace
Junk filler line B | 567 | Identical to A but with 2 trailing spaces — anti-diff detection
Real code line | 1 | 3,881,125-character obfuscated JScript code block

The real code line contains the complete malicious payload and constitutes ~93% of the 4 MB file size by character count. The other ~7% is 1,649 repetitive filler lines designed purely to bloat the file and deter analysis.

Obfuscation Layers

Layer 1 — String Array with %-padding obfuscation

The script initialises a 2,414-element string array (_0x1848). Sensitive strings are stored with every real character surrounded by sequences of % characters (typically 239 % chars per real character). The actual characters are extracted at runtime by filtering out %.

Example (decoded):

s[58]  = 'ADODB.Stream'          (raw: 'A%...%D%...%O%...%D%...%B...')
s[131] = 'Scripting.FileSystemObject'
s[182] = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\'
s[113] = 'WScript.Shell'
s[29]  = 'WScript.Shell'
s[135] = 'RegWrite'
s[134] = ' -Noexit -nop -c '    (PowerShell flags)

Layer 2 — String Array Rotation Cipher

The string array is shuffled at runtime via a push/shift rotation loop (0xf2532 = 992,562 iterations). A cryptographic integrity check via an IIFE ensures the correct rotation count has been applied before execution continues.

Layer 3 — Multi-delimiter Noise in Payload Strings

Large embedded payload strings (up to 1.8 million characters) are encoded by interspersing the characters ^ ? ~ ! # $ % & space * as random noise. The real characters are recovered by iteratively removing each delimiter:

// AHONIAKO holds the reversed, noise-laden payload string; each step removes one delimiter
Bi33ddy = AHONIAKO.split('^').join('')
Bi44y   = Bi33ddy.split('?').join('')
DWAYX   = Bi44y.split('~').join('')
KELOPATAT = DWAYX.split(' ').join('')
KOiddy  = KELOPATAT.split('!').join('')
WEiddy  = KOiddy.split('#').join('')
FDGFDG  = WEiddy.split('$').join('')
HAKUIP  = FDGFDG.split('%').join('')   // HAKUIP: marker-bearing base64 text, see Layer 5

Layer 4 — String Reversal (FDAWE function)

The FDAWE function reverses a given string (.split('').reverse().join('')). It is applied to the payload string before the delimiter-stripping chain, so the decoder must undo the reversal first.

Layer 5 — VBEOISTOWR Marker Removal

After delimiter removal, a .Replace('VBEOISTOWR','') call strips the obfuscation marker string, leaving clean base64-encoded payload data.
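The decode chain of Layers 1, 3, 4 and 5, reimplemented as an analyst-side Python helper (added here, not code from the sample). The encode_payload helper is a constructed inverse used only to produce offline test input; it is an assumption about the builder, not something recovered from the dropper.

```python
import base64
import random

# Noise characters listed for Layer 3. '&' and '*' are in the report's list but not in
# the recovered split/join chain; stripping them too is harmless, since none is a
# base64 symbol.
NOISE = "^?~! #$%&*"
MARKER = "VBEOISTOWR"   # Layer 5 marker string seen in the sample


def strip_percent_padding(s: str) -> str:
    """Layer 1: a %-padded string-array entry keeps only its non-'%' characters."""
    return s.replace("%", "")


def decode_payload(blob: str) -> bytes:
    """Undo Layers 4, 3 and 5 in the order the dropper applies them, then base64-decode."""
    s = blob[::-1]                       # Layer 4: FDAWE reversal
    for ch in NOISE:                     # Layer 3: split(ch).join('') for each delimiter
        s = s.replace(ch, "")
    s = s.replace(MARKER, "")            # Layer 5: .Replace('VBEOISTOWR','')
    return base64.b64decode(s, validate=True)


def encode_payload(data: bytes, seed: int = 1) -> str:
    """Constructed inverse of decode_payload (assumed, for offline testing only):
    base64, sprinkle the marker and random noise, then reverse the whole string."""
    rng = random.Random(seed)
    b64 = base64.b64encode(data).decode("ascii")
    out = []
    for i, c in enumerate(b64):
        out.append(c)
        if i % 7 == 3:
            out.append(MARKER)
        out.extend(rng.choice(NOISE) for _ in range(rng.randint(0, 3)))
    return "".join(out)[::-1]


if __name__ == "__main__":
    padded = "%%%".join("ADODB.Stream")                      # constructed Layer 1 input
    print(strip_percent_padding(padded))                      # ADODB.Stream
    sample = b"This program cannot be run in DOS mode."      # constructed stand-in for a PE
    print(decode_payload(encode_payload(sample)) == sample)   # True
```

On the real sample, feed decode_payload the raw array entry at index [81] and expect a second base64 layer underneath, as the Embedded Payloads section notes.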

Embedded Payloads

Two large encoded payloads are embedded in the string array:

Array Index | Encoded Size | Decoded Size | Purpose
[80] | 267,618 chars | ~26,000 chars | First-stage payload / shellcode
[81] | 1,864,593 chars | ~185,000 chars | Main PE payload (double-base64)
[132] | 911,792 chars | 325,656 chars | Secondary binary payload

The decoded payloads are base64-encoded (some double-encoded). The final binary payloads (after base64 decode) are 104,592 and 244,240 bytes respectively, with very high entropy (~8.0 bits/byte) indicating encryption or compression.

Key Strings Recovered

C:\Users\Public\Libraries\             (drop directory 1)
C:\Users\Public\                       (drop directory 2)
Vile.png                               (dropped PE disguised as image)
Mands.png                              (dropped PE disguised as image)
ADODB.Stream                           (file write COM object)
WScript.Shell                          (command execution COM object)
Scripting.FileSystemObject             (file system operations)
Microsoft.XMLDOM                       (base64 decode via nodeTypedValue)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\  (persistence key)
RegWrite                               (registry write method)
SaveToFile                             (ADODB.Stream file save method)
 -Noexit -nop -c                       (PowerShell flags)
iex([Text.Encoding]::Unicode.GetString (PowerShell IEX command fragment)
[Convert]::FromBase64String(           (base64 decode in PowerShell)
bin.base64                             (XMLDOM base64 data type)
windows-1251                           (codepage for string decode)
nodeTypedValue                         (XMLDOM base64 trick attribute)
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef...  (base64 alphabet — custom encoding)
ScriptName                             (WScript.ScriptName — self-reference)
CopyFile / DeleteFile                  (FSO self-copy / cleanup)

Behavioral Analysis (Static Inference)

Based on static analysis of the recovered strings and code structure, the execution flow of this dropper proceeds as follows:

Stage 1 — Script Execution

  • File is executed via wscript.exe (Windows Script Host)
  • The IIFE decryption bootstrap initialises the string array
  • Environment check: LOUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUONIA = 'BBBBBSTBBBBB' is used as a canary/check variable (likely checking environment or run-key state)

Stage 2 — Anti-Reinfection Check

  • Creates a Scripting.FileSystemObject instance
  • Calls FileExists() to check for existing dropped files
  • If already dropped, skips re-infection (avoids re-running)

Stage 3 — Payload Decoding

  • Creates Microsoft.XMLDOM object; uses nodeTypedValue attribute to base64-decode the embedded payload using the bin.base64 data type
  • Alternatively uses the multi-delimiter decode chain to reconstruct base64 strings
  • The FDAWE string-reversal function is applied as part of decoding

Stage 4 — Payload Drop

  • Creates an ADODB.Stream object with Type = 1 (binary)
  • Calls Open(), then Write(decoded_bytes), sets Position = 0
  • Calls SaveToFile("C:\Users\Public\Vile.png", 2) — overwrites with binary PE
  • Repeats for C:\Users\Public\Libraries\Mands.png

Stage 5 — Execution via PowerShell

  • Creates WScript.Shell object
  • Executes:
    powershell.exe -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(PAYLOAD)))
  • This executes the AgentTesla payload in-memory without writing a PE to typical locations

Stage 6 — Persistence

  • Creates WScript.Shell object
  • Calls RegWrite() with:
    • Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<ScriptName>
    • Value: path to the dropped file or the WScript invocation
    • Type: REG_SZ

Stage 7 — Self-Copy / Cleanup

  • Uses Scripting.FileSystemObject.CopyFile() to copy the script
  • Potentially deletes the original using DeleteFile()

Network Indicators

No hardcoded C2 URLs or IP addresses were directly recoverable from static analysis due to the multi-layer encryption of the embedded PE payload. However, AgentTesla payloads typically exfiltrate credentials via:

  • SMTP: Sends emails with stolen credentials to attacker-controlled mail accounts
  • FTP/FTPS: Uploads credential dumps to compromised FTP servers
  • HTTP/HTTPS: Sends POST requests to web panels

The C2 infrastructure details are embedded within the encrypted second-stage PE (Vile.png / Mands.png), which requires dynamic analysis or memory forensics to recover.


MITRE ATT&CK TTPs

Technique ID | Technique Name | Description
T1566.001 | Phishing: Spearphishing Attachment | .JS file delivered as email attachment with RFQ lure
T1204.002 | User Execution: Malicious File | Victim must execute the JScript file
T1059.007 | Command and Scripting Interpreter: JavaScript | Execution via wscript.exe
T1059.001 | Command and Scripting Interpreter: PowerShell | powershell.exe -nop -c iex(...) execution
T1027 | Obfuscated Files or Information | 5-layer string obfuscation, Unicode obfuscation
T1027.001 | Obfuscated Files or Information: Binary Padding | File inflated to 4 MB with 1,649 junk lines
T1027.002 | Obfuscated Files or Information: Software Packing | Encrypted payload with ~8.0 bits/byte entropy
T1027.010 | Obfuscated Files or Information: Command Obfuscation | Multi-delimiter noise removal chain
T1036.008 | Masquerading: Masquerade File Type | PE executables saved as .png image files
T1105 | Ingress Tool Transfer | Decodes and writes embedded PE payloads to disk
T1140 | Deobfuscate/Decode Files or Information | Multi-step base64/reversal/delimiter decode
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | HKCU\...\CurrentVersion\Run persistence
T1555 | Credentials from Password Stores | AgentTesla final payload steals stored credentials
T1056.001 | Input Capture: Keylogging | AgentTesla keylogger capability
T1114.001 | Email Collection: Local Email Collection | AgentTesla exfiltrates email credentials
T1041 | Exfiltration Over C2 Channel | AgentTesla SMTP/FTP/HTTP exfiltration

IOCs

File Hashes

Type | Hash
SHA256 | 6721891351a9aadcd1be105bbeacf147d9f1ceff2c26eb5f275cdcc946b03205
MD5 | 0dd621e5b0eb684d0855c4e2b3b69c8f
SHA1 | c520845a299c9f4a5c99ddf1badc898d76a4bbf3

Dropped Files

Path | Description
C:\Users\Public\Vile.png | Dropped PE executable (disguised as image)
C:\Users\Public\Libraries\Mands.png | Second-stage PE payload (disguised as image)

Registry Keys

Key | Value | Type | Description
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ | Path to dropped payload | REG_SZ | Autorun persistence

Behaviors / Strings

IOC | Type | Description
VBEOISTOWR | Obfuscation marker | String inserted into payload as anti-analysis noise
wscript.exe *.js | Process | WScript execution of dropped JS file
powershell.exe -Noexit -nop -c iex(...) | CommandLine | PowerShell in-memory execution
ADODB.Stream | COM Object | Used to write binary payloads to disk
WScript.Shell | COM Object | Used for process execution
Scripting.FileSystemObject | COM Object | Used for file operations
Microsoft.XMLDOM | COM Object | Used for base64 decoding via nodeTypedValue

Campaign Context and Attribution

Threat Family: AgentTesla (also detected as JS:Trojan.Cryxos by BitDefender/ESET engine family)

Campaign Pattern:

  • Filename follows a RFQ (Request For Quotation) social engineering lure pattern common in Business Email Compromise (BEC) and supply-chain fraud campaigns
  • The format RFQ No XXXXXXXXXX RGXXX.JS has been observed in multiple AgentTesla campaigns targeting manufacturing, logistics, and procurement staff
  • The obfuscation technique using VBEOISTOWR as a variable/marker name combined with Unicode bloat padding is consistent with a known JS dropper builder/crypter used by multiple AgentTesla distributors

AgentTesla Attribution:

  • AgentTesla is a commodity RAT/stealer sold as Malware-as-a-Service (MaaS)
  • No specific threat actor attribution can be made from this sample alone
  • The dropper is consistent with the Cryxos crypter family used in widespread AgentTesla distribution campaigns circa 2024-2026
  • VT detection Fortinet: JS/Formbook.PYN!tr suggests this dropper may serve multiple payload types in different campaigns

Detection Landscape at First Submission:

  • 20/76 AV engines detected on 2026-03-12
  • Key detections: BitDefender/ESET/ALYac (JS:Trojan.Cryxos.15869), Kaspersky (HEUR:Trojan.Script.Generic), Symantec (Trojan.Gen.NPE), McAfee (Trojan:Script/ObfuJS.PH), Fortinet (JS/Formbook.PYN!tr)

Detection Recommendations

Email Gateway

  • Block or quarantine all .JS / .JSE / .VBS / .VBE attachments
  • Apply deep-inspection scanning for JavaScript files embedded in ZIP/RAR archives
  • Flag emails containing "RFQ", "Purchase Order", "Invoice" subject lines with script attachments
  • Block emails with script-type MIME attachments (application/javascript, text/javascript)

Endpoint

  • Restrict wscript.exe and cscript.exe execution via Windows Group Policy or AppLocker
  • Enable PowerShell Constrained Language Mode and Script Block Logging
  • Monitor for ADODB.Stream writes to C:\Users\Public\
  • Monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run for new values containing script paths
  • Alert on PowerShell executing iex([Text.Encoding]::Unicode.GetString... pattern

Network

  • Deploy Suricata rules for AgentTesla network traffic, and EDR rules to detect PowerShell IEX patterns in process command lines
  • Monitor outbound SMTP/FTP connections from workstations
  • Alert on HTTP POST requests with large binary bodies from workstations (AgentTesla C2)

YARA / Signature

  • Detect the VBEOISTOWR marker string in JavaScript files
  • Detect files with high line-count ratio of identical lines (>99% duplicate lines)
  • Detect ADODB.Stream + WScript.Shell + SaveToFile co-occurrence in JS files
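The three signature heuristics above, implemented as a Python triage check (added here as an example, not a detection from the report or any vendor). The duplicate-line ratio normalises trailing whitespace so the sample's "filler B" variant counts as a duplicate of "filler A"; the DROPPER_LIKE and BENIGN inputs are constructed stand-ins, not the real file.

```python
MARKER = "VBEOISTOWR"
COM_TRIAD = ("ADODB.Stream", "WScript.Shell", "SaveToFile")
IEX_FRAGMENT = "iex([Text.Encoding]::Unicode.GetString"


def duplicate_line_ratio(text: str) -> float:
    """Fraction of lines that repeat another line. Trailing whitespace is stripped so
    filler lines that differ only by two trailing spaces are not counted as unique."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    if not lines:
        return 0.0
    return 1.0 - len(set(lines)) / len(lines)


def triage_js(text: str) -> dict:
    """Static triage of a .js attachment along the report's YARA / signature notes."""
    result = {
        "marker": MARKER in text,
        "com_triad": all(s in text for s in COM_TRIAD),
        "iex_fragment": IEX_FRAGMENT in text,
        "duplicate_ratio": round(duplicate_line_ratio(text), 4),
    }
    result["suspicious"] = (result["marker"] or result["com_triad"]
                            or result["iex_fragment"] or result["duplicate_ratio"] > 0.99)
    return result


# Constructed stand-in for the sample's layout: one real line buried in filler,
# part of which carries two trailing spaces (the anti-diff trick described above).
FILLER = 'this.VBEOISTOWR += "\\u0410\\u0411\\u0412";'
REAL = ('var s=new ActiveXObject("ADODB.Stream");var w=new ActiveXObject("WScript.Shell");'
        's.SaveToFile("C:\\\\Users\\\\Public\\\\Vile.png",2);')
DROPPER_LIKE = "\r\n".join([FILLER] * 500 + [FILLER + "  "] * 300 + [REAL])

# Constructed benign script for comparison.
BENIGN = "\r\n".join(["var a = 1;", "var b = a + 1;", "WScript.Echo(b);"])

if __name__ == "__main__":
    print(triage_js(DROPPER_LIKE))   # suspicious: True, duplicate_ratio ~0.9975
    print(triage_js(BENIGN))         # suspicious: False
```

Any one of the three heuristics alone will produce false positives on legitimate automation scripts, so treat the verdict as a triage flag for sandboxing rather than a block decision.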