AgentTesla - Multi-Stage JScript Dropper with Process Hollowing
Executive Summary
This sample is a five-stage AgentTesla delivery chain, first seen 2026-03-12, distributed as a spear-phishing email attachment disguised as a purchase order ("new order WKB25050933.js"). The initial payload is a heavily obfuscated 1.3 MB JScript file that uses Windows Script Host (WScript) to drop and execute a multi-stage PowerShell framework. The PowerShell chain performs rotational XOR decryption to unpack a loader script, which reflectively loads a .NET process-hollowing assembly (DEV.dll) that injects the final AgentTesla payload into a suspended Aspnet_compiler.exe process. AgentTesla operates as a credential stealer and keylogger, exfiltrating captured data via SMTP to attacker-controlled infrastructure hosted in Ukraine (mail.cottondreams.org / 31.222.235.198). The operator uses kc@cottondreams.org as the collection inbox, with email subjects formatted as PW_%USERNAME%/%COMPUTERNAME%.
Sample Metadata
| Field | Value |
|---|---|
| SHA256 | fd1099c9c63990a00e80267f40e581c6caf3d17b378d11238cd0651e1a539bbc |
| MD5 | 3db3441ad26bdcc182b5cbc75c435e34 |
| SHA1 | a5b826d450a054b6b539ace0b396d452c8a7bb6a |
| File Type | JScript / ASCII text (WSH) |
| File Size | 1,343,384 bytes |
| First Seen | 2026-03-12 15:46:32 UTC |
| VT Detections | 24 / 76 |
| VT Families | JS:Trojan.Cryxos, JS/TrojanDropper.Agent.QAW, JS.Muldrop.1170 |
| Reporter | abuse_ch |
| Filename | new order WKB25050933.js (spear-phishing lure) |
Embedded / Extracted Artifacts
| Artifact | SHA256 | MD5 | Description |
|---|---|---|---|
| Stage 2 PS1 | (decoded) | — | PowerShell XOR decryption framework |
| DEV.dll (injector) | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | 061c1eed62c8326f2c8052851090f33d | .NET process-hollowing loader |
| AgentTesla PE | af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7 | 71d57788cede0516516dae01575e2331 | Final payload, 61/76 VT detections |
Static Analysis
Stage 1 — JScript Dropper
Obfuscation technique: Array-based string obfuscation (obfuscator.io-style). All string literals are stored in a single large array (AR) at the end of the file; individual lookup functions (j6, j7, ...) resolve strings at runtime by index with a shuffle rotation. The entire file is a single line (no newline terminators), making naive static analysis difficult.
Key identified strings (pre-deobfuscation):
- PowerShell launch: `powershell`, `-NoProfile`, `-NonInteractive`, `-ExecutionPolicy Bypass`, `-WindowStyle Hidden`
- COM objects: `WScript.Shell`, `ActiveXObject`, `Scripting.FileSystemObject`, `ADODB.Stream`, `VBScript.RegExp`
- File and shortcut handling: `CreateShortcut`, `BuildPath`, `FolderExists`
- Persistence: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `RegWrite`, `REG_SZ`
- Paths and extensions: `%TEMP%`, `Startup`, `.ps1`, `.exe`, `.lnk`
- Process discovery: `Sleep`, `ExecQuery`, `winmgmts:\\.\root\cimv2`, `SELECT * FROM Win32_Process`
Execution flow:
- Initializes `ActiveXObject("Scripting.Dictionary")` as a guard / check mechanism
- Reads `strBase`, the base64-encoded PS1 payload stored inline
- Calls `ExecutePayload(strBase)`, which:
  - writes the decoded PS1 to `%TEMP%\<random>.ps1` via ADODB.Stream
  - launches PowerShell with `-NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File <script.ps1>`
  - creates an `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry value (persistence)
  - creates a `.lnk` shortcut in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
  - polls WMI `Win32_Process` to detect whether the launched process is still running
- Calls `WScript.Quit(0)` on success, `WScript.Quit(1)` on failure
Stage 2 — PowerShell XOR Decryption Framework
The PS1 script embedded in Stage 1 implements a "Multi-Stage Rotational XOR Decryption Framework":
```powershell
$securecontainer = @'
<~977 KB base64-encoded ciphertext, not reproduced here>
'@
$encryptionrotational = @'
3XYCCTEt60DUL2jelep0KcaEzw9zykf2Ax8fYHmPCAA=
'@
```
Decryption algorithm (custom rotational XOR). The `for` loop is quoted from the script; the four setup lines above it are reconstructed from the variable names so the block runs as written:
```powershell
$key    = [Convert]::FromBase64String($encryptionrotational)   # 32-byte key
$cipher = [Convert]::FromBase64String($securecontainer)        # ~977 KB ciphertext
$result = New-Object byte[] $cipher.Length
$rotTracker = 0
for ($i = 0; $i -lt $cipher.Length; $i++) {
    $keyPos = ($i + $rotTracker) % $key.Length        # key index drifts with the tracker
    $result[$i] = $cipher[$i] -bxor $key[$keyPos]
    $rotTracker = ($rotTracker + $key[$keyPos]) % 7   # tracker advanced by the key byte consumed, mod 7
}
```
The key position is not simply `$i % $key.Length`: it is offset by a running tracker that depends on the key bytes consumed so far, which is enough to defeat generic repeating-key XOR recovery tools even though the primitive is still plain XOR.
Decryption key (base64): 3XYCCTEt60DUL2jelep0KcaEzw9zykf2Ax8fYHmPCAA=
Key (hex): dd760209312deb40d42f68de95ea7429c684cf0f73ca47f6031f1f60798f0800
Stage 2 hands the decrypted Stage 3 script to three execution pathways with fallback: Invoke-Expression, dot-sourcing, and [ScriptBlock]::Create().Invoke(). All three leave the decrypted script visible to PowerShell Script Block Logging (Event ID 4104), which is the cheapest place to recover it on an infected host.
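The decryption loop above, ported to Python as an added example (not code from the sample or from the report's own tooling) so the `$securecontainer` blob can be decoded offline. The key is the one quoted in the report; the plaintext used in the demo is constructed, since the real ~977 KB container is not reproduced on this page. `key_schedule` exposes the drifting key index, which is what distinguishes this scheme from a plain repeating-key XOR.

```python
"""Rotational XOR decoder for the Stage 2 -> Stage 3 transition.

Added example, not part of the sample or of the original report. The loop is a
direct port of the PowerShell quoted in the report; the key is the reported one.
"""
import base64

# Key as quoted in the report (base64 -> 32 raw bytes, dd 76 02 09 ...).
KEY_B64 = "3XYCCTEt60DUL2jelep0KcaEzw9zykf2Ax8fYHmPCAA="
KEY = base64.b64decode(KEY_B64)
ROT_MODULUS = 7  # the loop's "% 7" on $rotTracker


def rotational_xor(data: bytes, key: bytes = KEY) -> bytes:
    """Port of the sample's loop. The key-position sequence depends only on the
    key and the byte index, never on the data, so one function both encrypts
    and decrypts."""
    out = bytearray(len(data))
    rot = 0
    for i, c in enumerate(data):
        key_pos = (i + rot) % len(key)
        out[i] = c ^ key[key_pos]
        rot = (rot + key[key_pos]) % ROT_MODULUS
    return bytes(out)


def decrypt_container(container_b64: str, key: bytes = KEY) -> bytes:
    """Base64-decode a $securecontainer blob and strip the XOR layer."""
    return rotational_xor(base64.b64decode(container_b64), key)


def encrypt_to_container(plain: bytes, key: bytes = KEY) -> str:
    """Inverse of decrypt_container; used here only to build test fixtures."""
    return base64.b64encode(rotational_xor(plain, key)).decode()


def key_schedule(length: int, key: bytes = KEY) -> list[int]:
    """Key positions consumed for the first `length` bytes. The sequence is not
    0,1,2,... so the stream is not a repeating-key XOR."""
    positions, rot = [], 0
    for i in range(length):
        key_pos = (i + rot) % len(key)
        positions.append(key_pos)
        rot = (rot + key[key_pos]) % ROT_MODULUS
    return positions


def looks_like_powershell(blob: bytes) -> bool:
    """Cheap check that the output is the Stage 3 script: the report says it
    defines Invoke-AssemblyExecution and polls for Aspnet_compiler."""
    text = blob.decode("utf-8", errors="replace")
    return "Invoke-AssemblyExecution" in text or "Aspnet_compiler" in text


if __name__ == "__main__":
    # Constructed stand-in for the real container: Stage 3-like PowerShell
    # encrypted with the sample's own algorithm and key.
    sample_plain = (b"function Invoke-AssemblyExecution { param([byte[]]$Bytes) }\n"
                    b"if (Test-ProcessAbsence 'Aspnet_compiler') { Start-MonitoringCycle }\n")
    container = encrypt_to_container(sample_plain)
    recovered = decrypt_container(container)
    assert recovered == sample_plain and looks_like_powershell(recovered)
    print(recovered.decode())
    print("first key positions:", key_schedule(8))  # [0, 5, 2, 5, 9, 8, 11, 10]
```

To decode the real sample, paste the two here-string bodies from the PS1 into `decrypt_container(container_b64)` and `KEY_B64`; a result that fails `looks_like_powershell` most likely means the container was copied with line breaks or the key was taken from a different variant.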
Stage 3 — PowerShell Injector Loader
The decrypted (~720 KB) PowerShell script defines:
- `Invoke-AssemblyExecution`: reflectively loads a .NET assembly from a byte array using `[System.Reflection.Assembly]::Load()`, then invokes a static method via reflection.
- `Test-ProcessAbsence("Aspnet_compiler")`: returns true only if `Aspnet_compiler` is NOT already running (anti-reinfection check).
- `Start-MonitoringCycle`: infinite loop polling every 5 seconds. When `Aspnet_compiler` is absent it:
  - loads `DEV.dll` (47 KB .NET DLL) from embedded base64;
  - passes the 240 KB AgentTesla PE as a raw byte array (`$ExecutionPayload`);
  - calls `DEV.DOWN.SHOOT` with the target path `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe` and the payload bytes.
Stage 4 — DEV.dll Process Hollowing Injector
| Field | Value |
|---|---|
| Type | PE32 .NET DLL (console) |
| Size | 47,104 bytes |
| Framework | .NET 4.5.1 |
| GUID | ef3c7d6a-da4e-4ac2-9b35-d57b6ca04251 |
| Namespace | DEV.DOWN |
| Entry method | SHOOT(string targetPath, byte[] shellcode) |
Capabilities (from strings):
- Dynamic API resolution: `LoadLibraryA` / `GetProcAddress` from `kernel32`
- Process creation parameters: `appName`, `cmdLine`, `creationFlags`, `startupInfo`, `processInfo`
- Memory manipulation: `processHandle`, `baseAddress`, `allocationType`, `protect`, `bytesWritten`
- Thread context: `threadHandle`, `contextData`
- Crypto: `AesCryptoServiceProvider`, `RijndaelManaged`, `MD5CryptoServiceProvider`, `RSACryptoServiceProvider`
- Resource loading: `GetManifestResourceStream`
Taken together these strings match classic process hollowing (T1055.012): create Aspnet_compiler.exe suspended (creationFlags), write the AgentTesla PE into the new process's virtual address space (baseAddress, allocationType, protect, bytesWritten), point the primary thread's context at the payload entry point (threadHandle, contextData), and resume the thread. Two caveats for anyone building detections from this: the call sequence is inferred from strings and should be confirmed against a decompilation of DEV.dll, and the target path is the 32-bit Framework directory, consistent with the PE32 payload, so the Framework64 copy of Aspnet_compiler.exe is not the image to watch for this sample.
Stage 5 — AgentTesla Payload
| Field | Value |
|---|---|
| Type | PE32 .NET EXE (GUI) |
| Size | 240,128 bytes |
| Sections | .text (entropy 5.01), .rsrc, .reloc |
| Import | mscoree.dll!_CorExeMain |
| VT Detections | 61 / 76 |
| VT Family Tags | AgentTesla, AgentTesla2, StealerGeneric, KeyloggerGeneric |
Identified capability strings:
- SMTP configuration: `SmtpSSL`, `SmtpSender`, `SmtpReceiver`, `SmtpServer`, `SmtpPort`, `SmtpAttach`, `SmtpClient`
- Keylogging: `KeylogText`, `KeyloggerInterval`, `EnableKeylogger`, `_keyLogger`
- Clipboard capture: `EnableClipboardLogger`, `_clipboardHook`, `ChangeClipboardChain`, `SetClipboardViewer`
- Browser credential harvesting: `MozillaBrowserList`, `ChromiumBrowserList`
- Config decryption: `TripleDESCryptoServiceProvider`
- Key import: `BCryptOpenAlgorithmProvider`, `BCryptImportKey`
- Email exfiltration: `MailMessage`, `MailAddress`, `System.Net.Mail`
- Screenshot capability: `CopyFromScreen`
- WS_FTP credential theft: `_wsftpkey`
- Windows Credential Manager access: `passwordVaultPtr`
- Domain credential access: `DomainPassword`
Behavioral Analysis
Based on sandbox analysis (C2AE) and static string inspection:
| Action | Detail |
|---|---|
| Process hollowing | Injects into C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe |
| Persistence (registry) | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Persistence (startup) | .lnk shortcut in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup |
| Temp file drop | .ps1 file written to %TEMP% via ADODB.Stream |
| Keylogging | Continuous keyboard hook, buffered keystroke capture |
| Clipboard monitoring | SetClipboardViewer hook chain |
| Screenshot capture | CopyFromScreen at configurable interval |
| Browser credentials | Chromium-based, Firefox, WS_FTP, Windows Credential Manager |
| SMTP exfiltration | Port 587 / STARTTLS to mail.cottondreams.org |
| Email subject | PW_%USERNAME%/%COMPUTERNAME% |
| SMTP from | mail@cottondreams.org |
| SMTP to (collector) | kc@cottondreams.org |
Network Indicators
| Type | Value | Port/Protocol | Notes |
|---|---|---|---|
| C2 Domain | mail.cottondreams.org | 587/SMTP STARTTLS | Exfiltration server |
| C2 IP | 31.222.235.198 | — | A record of mail.cottondreams.org |
| Collector email | kc@cottondreams.org | SMTP | Threat actor inbox |
| Sender email | mail@cottondreams.org | SMTP | Spoofed/configured sender |
Infrastructure details (Shodan, 2026-03-12):
- Country: Ukraine (Kyiv)
- ISP: NETH LLC
- ASN: AS202302
- Mail server: Exim 4.95 on Ubuntu 22.04
- IMAP/POP3: Dovecot
- Web: nginx/1.28.0 on ports 80, 443, 7777, 8888
- FTP: ProFTPD (Debian)
- SSH: OpenSSH 8.9p1 Ubuntu
- Open ports: 21, 22, 25, 80, 110, 143, 443, 465, 587, 993, 995, 7777, 8888
- Registrar: NameCheap, Inc. (Cloudflare DNS)
- First TLS cert: 2024-03-24 (Let's Encrypt)
MITRE ATT&CK TTPs
| ID | Tactic | Technique | Evidence |
|---|---|---|---|
| T1566.001 | Initial Access | Phishing: Spearphishing Attachment | Filename new order WKB25050933.js |
| T1059.007 | Execution | Command and Scripting Interpreter: JavaScript | JScript via WScript.exe |
| T1059.001 | Execution | Command and Scripting Interpreter: PowerShell | PowerShell -ExecutionPolicy Bypass |
| T1027 | Defense Evasion | Obfuscated Files or Information | Array-based string obfuscation |
| T1027.010 | Defense Evasion | Command Obfuscation | Hex-indexed string array |
| T1140 | Defense Evasion | Deobfuscate/Decode Files or Information | Base64 + rotational XOR decryption |
| T1620 | Defense Evasion | Reflective Code Loading | [Assembly]::Load() in-memory |
| T1055.012 | Defense Evasion / Privilege Escalation | Process Injection: Process Hollowing | DEV.dll → Aspnet_compiler.exe |
| T1036 | Defense Evasion | Masquerading | Payload runs under the legitimate Microsoft .NET image Aspnet_compiler.exe; nothing is renamed, so T1036.003 does not apply |
| T1547.001 | Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | HKCU...\Run value and .lnk in Startup |
| T1056.001 | Collection | Input Capture: Keylogging | _keyLogger, EnableKeylogger |
| T1115 | Collection | Clipboard Data | SetClipboardViewer, _clipboardHook |
| T1113 | Collection | Screen Capture | CopyFromScreen |
| T1555.003 | Credential Access | Credentials from Web Browsers | Chromium/Firefox/WS_FTP harvest |
| T1552.001 | Credential Access | Credentials In Files | Browser profile credential extraction |
| T1555 | Credential Access | Credentials from Password Stores | Windows Credential Manager |
| T1071.003 | Command and Control | Application Layer Protocol: Mail Protocols | SMTP on port 587 |
| T1041 | Exfiltration | Exfiltration Over C2 Channel | Data emailed to kc@cottondreams.org |
| T1082 | Discovery | System Information Discovery | %USERNAME%, %COMPUTERNAME% in subject |
| T1057 | Discovery | Process Discovery | WMI Win32_Process polling |
| T1012 | Discovery | Query Registry | HKCU/HKLM registry access |
IOCs
File Hashes
| Type | Hash | Description |
|---|---|---|
| SHA256 | fd1099c9c63990a00e80267f40e581c6caf3d17b378d11238cd0651e1a539bbc | JS dropper (Stage 1) |
| MD5 | 3db3441ad26bdcc182b5cbc75c435e34 | JS dropper (Stage 1) |
| SHA1 | a5b826d450a054b6b539ace0b396d452c8a7bb6a | JS dropper (Stage 1) |
| SHA256 | af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7 | AgentTesla PE (Stage 5) |
| MD5 | 71d57788cede0516516dae01575e2331 | AgentTesla PE (Stage 5) |
| SHA256 | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | DEV.dll injector (Stage 4) |
| MD5 | 061c1eed62c8326f2c8052851090f33d | DEV.dll injector (Stage 4) |
Network IOCs
| Type | Value | Notes |
|---|---|---|
| Domain | cottondreams.org | Threat actor domain |
| Hostname | mail.cottondreams.org | SMTP C2 server |
| IP | 31.222.235.198 | C2 IP (Ukraine, NETH LLC, AS202302) |
| Email | kc@cottondreams.org | Attacker collection inbox |
| Email | mail@cottondreams.org | Configured SMTP sender |
Host-Based IOCs
| Type | Value | Notes |
|---|---|---|
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence key |
| Process | Aspnet_compiler.exe | Hollowed host process |
| File path | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe | Injection target |
| File path | %TEMP%\*.ps1 | Dropped PS1 loader |
| File path | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk | Startup persistence |
| Process check | Aspnet_compiler.exe already running | Anti-reinfection guard (Test-ProcessAbsence polls the process list; no named mutex is created) |
| SMTP Subject | PW_%USERNAME%/%COMPUTERNAME% | Exfiltration email subject |
Cryptographic Artifacts
| Type | Value | Notes |
|---|---|---|
| XOR Key (b64) | 3XYCCTEt60DUL2jelep0KcaEzw9zykf2Ax8fYHmPCAA= | Stage 2→3 decryption key |
| XOR Key (hex) | dd760209312deb40d42f68de95ea7429c684cf0f73ca47f6031f1f60798f0800 | Same key |
Campaign Context and Attribution
- Delivery lure: purchase order theme (`new order WKB25050933.js`), common in AgentTesla campaigns targeting manufacturing, logistics, and procurement personnel
- Infrastructure: domain `cottondreams.org` registered March 2024 via NameCheap, behind Cloudflare; dedicated mail server running Exim 4.95 + Dovecot on a Ukrainian VPS (AS202302 NETH LLC)
- Threat group: unattributed; consistent with financially motivated commodity malware operators
- Malware family: AgentTesla v2/v3, a widely sold infostealer seen in thousands of campaigns since 2014
- Notable: the campaign uses a custom multi-stage XOR+base64 obfuscation and a bespoke process-hollowing .NET assembly (`DEV.dll`) rather than the more common direct execution or RunPE patterns, suggesting moderate operator sophistication
Detection Recommendations
- Block execution of `.js` files via WScript/CScript using AppLocker or Software Restriction Policies
- Alert on PowerShell launched with `-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile` from WScript/CScript parent processes
- Alert on `[Assembly]::Load()` with large byte arrays in PowerShell (Script Block Logging required)
- Alert on `Aspnet_compiler.exe` spawned from non-standard parent processes (especially PowerShell); alert rather than block, since the binary is legitimate on build hosts
- Block SMTP connections to `31.222.235.198` and `mail.cottondreams.org`
- Block DNS resolution of `*.cottondreams.org`
- Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging
- Enable Windows Defender Attack Surface Reduction (ASR) rules targeting script-based attacks
- Deploy YARA rules (see `yara_rules.yar`) for endpoint scanning
- Deploy Suricata rules (see `suricata.rules`) for network detection
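The process-tree, script-block, mail-subject and network checks recommended above, written out as an added example (not part of the original report, the referenced rule files, or any vendor product) so they can be run over telemetry offline. The `ProcEvent` field names are an assumption to be mapped onto your own 4688 / Sysmon Event ID 1 schema, the set of expected `Aspnet_compiler.exe` parents is an assumed starting point to tune per environment, and every event and string in the demo is constructed.

```python
"""Host- and network-side detection logic for the chain described in this report.

Added example, not part of the original report or of any vendor product.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGET = "aspnet_compiler.exe"
# Assumption: parents under which aspnet_compiler.exe is plausibly legitimate.
# The report only says "non-standard parent"; tune this set per environment.
EXPECTED_ASPNET_PARENTS = {"msbuild.exe", "devenv.exe", "w3wp.exe"}
# The flag combination Stage 1 uses to launch Stage 2 (compared lower-cased).
SUSPICIOUS_PS_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden", "-noprofile")
ASSEMBLY_LOAD_RE = re.compile(r"\[(?:system\.reflection\.)?assembly\]::load\s*\(", re.I)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
LARGE_BLOB_BYTES = 4096  # assumed threshold; DEV.dll (47 KB) and the PE (240 KB) are far above it
SUBJECT_RE = re.compile(r"^PW_[^/\\]+/[^/\\]+$")  # PW_<user>/<host>, as reported
IOC_DOMAIN = "cottondreams.org"
IOC_IPS = {"31.222.235.198"}


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(ev: ProcEvent) -> list[str]:
    """Names of the process-creation rules that fire for one event."""
    hits = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if image in POWERSHELL and parent in SCRIPT_HOSTS \
            and any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
        hits.append("powershell_from_script_host")
    if image == HOLLOW_TARGET and parent not in EXPECTED_ASPNET_PARENTS:
        hits.append("aspnet_compiler_unexpected_parent")
    return hits


def scan_script_block(text: str) -> list[str]:
    """Rules over a 4104 script-block body (Script Block Logging must be on)."""
    hits = []
    if ASSEMBLY_LOAD_RE.search(text):
        hits.append("reflective_assembly_load")
    if re.search(r"FromBase64String\s*\(", text, re.I) and \
            any(len(m) > LARGE_BLOB_BYTES for m in BASE64_RUN_RE.findall(text)):
        hits.append("large_embedded_base64")
    return hits


def is_exfil_subject(subject: str) -> bool:
    """True for the PW_<user>/<host> subject this AgentTesla build uses."""
    return SUBJECT_RE.match(subject) is not None


def matches_network_ioc(dest: str) -> bool:
    """True for the C2 IP, the apex domain, or any subdomain of it."""
    d = dest.lower().rstrip(".")
    return d in IOC_IPS or d == IOC_DOMAIN or d.endswith("." + IOC_DOMAIN)


if __name__ == "__main__":
    # Constructed events mirroring the report's execution flow.
    events = [
        ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\System32\wscript.exe",
                  r"powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass "
                  r"-WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\a1b2.ps1"),
        ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"),
        ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
                  r"C:\Program Files\MSBuild\msbuild.exe", "aspnet_compiler -v /"),
    ]
    for ev in events:
        print(_basename(ev.image), "<-", _basename(ev.parent_image), classify_process(ev))
    block = "$b=[Convert]::FromBase64String('" + "A" * 5000 + "');" \
            "[System.Reflection.Assembly]::Load($b)"
    print(scan_script_block(block))
    print(is_exfil_subject("PW_jdoe/WORKSTATION-01"), matches_network_ioc("mail.cottondreams.org"))
```

The flag matching is deliberately literal to the command line this sample uses; PowerShell also accepts unambiguous parameter prefixes (`-ep bypass`, `-w hidden`, `-nop`), so a production rule should match those forms as well, and the script-block rule only fires if 4104 logging is actually enabled on the host.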