Severity: High | Category: Phishing

AgentTesla NSIS Dropper Unmasked: Fake Danish Certificate, AES-Encrypted Payload, and a Live FTP Drop Server with 60+ Stolen Credentials

Published: March 12, 2026
Tags: phishing, agenttesla, credential-theft, c2, apt, spearphishing

TL;DR: A fresh AgentTesla infostealer sample uses a multi-layered NSIS dropper signed with a fabricated self-signed certificate stuffed with Danish-language nonsense strings. The signature does not validate under Authenticode chain verification; it exists to satisfy controls that only ask whether a binary is signed. The dropper unpacks through three LZMA compression stages and 859 KB of AES-encrypted overlay data before injecting a .NET payload via process hollowing. Sandbox analysis showed the variant exfiltrates stolen credentials over FTP, not the typical SMTP channel, to an OVH-hosted drop server at ftp.holzbrenzii[.]com, where we identified one confirmed real-world victim and roughly 60 harvested account credentials. The self-signed certificate was created 20 days before distribution, and consistent Danish vocabulary across the obfuscation layers is consistent with a Danish-speaking operator, although attribution confidence remains low.


The Dropper: An NSIS Installer With a Fake Identity

The sample arrived as a 1.19 MB PE32 executable: an NSIS (Nullsoft Scriptable Install System) v3.01 installer carrying an Authenticode signature. The signature is cryptographically valid against the certificate embedded alongside it; the deception is that this certificate is self-signed and vouches for nobody.

Property        | Value
SHA-256         | 976d47936868a8baa50f82d8d3e338c12d227c3ae32193c9ec999a05048ede91
SHA-1           | 3ea8a70a178f1a11be2866140ec8c4a7d68dc18d
MD5             | 38b54d5f56ade68d752ffbef7b1a8df5
File Size       | 1,243,096 bytes (1.19 MB)
Type            | PE32 executable (GUI) Intel 80386, NSIS installer
NSIS Version    | 3.01
Overall Entropy | 7.7334 bits per byte
First Seen      | 2026-03-09 (MalwareBazaar, OTX)

The certificate details tell the story immediately. This is not a stolen code signing certificate from a legitimate vendor -- it is a self-signed RSA 4096-bit certificate created on February 17, 2026, exactly 20 days before the sample appeared in the wild.

Certificate Field | Value
Subject CN        | Shellers
Subject O         | Shellers
Subject OU        | Civilstandsbetegnelsen Andalusiske
Subject Email     | Betnksom@Sideformatets[.]Sp
Issuer            | Self-signed (Subject = Issuer)
Serial            | 72:0F:4E:4F:78:69:B1:8D:50:C2:D4:98:82:29:29:FF:1D:64:B5:7E
Validity          | 2026-02-17 to 2027-02-17
Key / Digest      | RSA 4096-bit, SHA-256
SKID              | D2:93:55:B1:BF:5A:F2:5D:BB:C0:9A:0E:9C:23:07:A6:EE:FA:2C:D1

The purpose is straightforward. Under WinVerifyTrust this signature fails, because the chain terminates in a root that no certificate store trusts. But many automated controls, sandbox scoring heuristics and analyst checklists only ask whether a binary carries a signature and whether the signer name looks like a company. A self-signed certificate with a plausible organization name passes that gate without the cost and risk of stealing a legitimate code-signing certificate. Its absence from Certificate Transparency logs (it is not on crt.sh) is expected and proves nothing either way: CT records publicly trusted TLS certificates, not code-signing certificates, and a self-signed certificate would never be logged.

The Danish Connection

Nearly every obfuscation string in this sample (certificate fields, NSIS directory names, script variable names) uses obscure Danish vocabulary. These are not machine-translated fragments. They are grammatically correct Danish words in proper inflected forms: genitives, definite plurals, compound nouns. Where a word looks misspelled, the Danish letters æ and ø have been dropped, presumably to keep every string 7-bit ASCII.

String                 | Danish Translation                                   | Where Found
Civilstandsbetegnelsen | Marital status designation                           | Certificate OU
Andalusiske            | Andalusian (adjective)                               | Certificate OU
Betnksom               | Betænksom, "thoughtful", with the æ dropped          | Certificate email
Sideformatets          | The page format's (genitive)                         | Certificate email domain
Mellemfrekvens         | Intermediate frequency                               | NSIS directory
Kortblgemodtagere      | Kortbølgemodtagere, "shortwave receivers", ø dropped | NSIS directory
dannelsestrinnets      | The education level's                                | NSIS variable
handelsvirksomhedens   | The business enterprise's                            | NSIS variable
kbstadsboer            | Købstadsboer, "market-town dweller", ø dropped       | NSIS variable
Kogerierne             | The cookeries                                        | NSIS directory
skidtfisken            | The dirty fish                                       | NSIS variable

Detection content must match the stripped ASCII forms (Betnksom, Kortblgemodtagere, kbstadsboer) rather than the correct spellings; the YARA rules below are written that way.

This consistency across the certificate, the file system paths and the NSIS script internals suggests a native or near-native Danish speaker, or at minimum a Danish word list feeding the packer. The exceptions are the organization name "Shellers" (English, possibly a nod to shellcode) and a handful of dropped-file names such as amphithuron, Aeroenterectasia, Carrow and Bonaparte, which are English or Greek-derived dictionary words rather than Danish.

Attack Chain: Four Layers Deep

Email (likely) --> Attachment (.exe with icon disguise)
                         |
                   NSIS Installer v3.01
                   (Signed with fake cert)
                         |
                   LZMA Decompression
                   (3 blocks + 9 data blocks)
                         |
              +----------+-----------+
              |          |           |
         NSIS Header  System.dll  Solid Data
         (21.5 KB)   (11.7 KB)   (261 KB)
              |          |           |
              |    Shellcode via    Encrypted
              |    Call export     overlay data
              |          |        (859 KB, AES)
              |          |           |
              +-----> VirtualAlloc/VirtualProtect
                         |
                   Decrypt .NET payload
                         |
                   Process Hollowing/Injection
                         |
                   AgentTesla .NET RAT
                         |
              +----------+-----------+----------+
              |          |           |          |
         Keylogging  Screenshot  Clipboard  Browser
                     Capture    Monitor    Credential
                                           Theft
                         |
                   FTP Exfiltration
                   (holzbrenzii[.]com)

Layer 1: NSIS Archive Unpacking

The NSIS installer contains three LZMA-compressed blocks followed by nine additional data blocks. The components that matter for analysis are:

Component            | Compressed | Decompressed | Purpose
LZMA Block 1         | ~4,652 B   | 21,546 B     | NSIS script opcodes
LZMA Block 2         | ~6,240 B   | 11,776 B     | System.dll plugin
LZMA Block 3 (solid) | 93 B       | 261,500 B    | Dropped data files (near-constant content, hence the extreme ratio)
Data Block 4         | 348,264 B  | 11,197,029 B | Uninitialized memory
Data Block 5         | 10,607 B   | 10,747 B     | Encrypted data (entropy 7.94)
PE Certificate       | 5,008 B    | --           | Self-signed Authenticode certificate
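The layout above can be recovered from the file without NSIS tooling, because every NSIS installer embeds a small fixed "firstheader" in front of its archive. The following Python triage script is an added example, not tooling from this report or from the NSIS project: it locates the firstheader, reads the archive length from it, and carves whatever sits between the end of the NSIS archive and the Authenticode blob, which is where this sample's encrypted overlay lives. The struct layout comes from the NSIS source (Source/exehead/fileform.h); the certificate size must be supplied by the caller (5,008 bytes for this sample, from the table), and the input bytes below are constructed in the script rather than taken from the malware.

```python
import struct

# NSIS firstheader (Source/exehead/fileform.h):
#   int flags; int siginfo; int nsinst[3]; int length_of_header;
#   int length_of_all_following_data;
# siginfo is 0xDEADBEEF and nsinst spells "NullsoftInst"; together they are the
# bytes EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74 that NSIS YARA rules key on.
NSIS_SIGINFO = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"
NSIS_SIG = struct.pack("<I", NSIS_SIGINFO) + NSIS_MAGIC
FIRSTHEADER_FMT = "<II12sII"
FIRSTHEADER_LEN = struct.calcsize(FIRSTHEADER_FMT)      # 28 bytes
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}


def find_firstheader(data: bytes):
    """Locate the NSIS firstheader and return (offset, fields), or None.

    length_of_all_following_data is counted from the start of the firstheader
    itself (firstheader + compressed blocks + optional CRC), so offset plus that
    value is where the NSIS archive ends inside the PE."""
    idx = data.find(NSIS_SIG)
    if idx < 4:                                  # the 4-byte flags field precedes siginfo
        return None
    off = idx - 4
    flags, siginfo, magic, hdr_len, total_len = struct.unpack_from(FIRSTHEADER_FMT, data, off)
    if siginfo != NSIS_SIGINFO or magic != NSIS_MAGIC:
        return None
    # In non-solid installers the header block is prefixed by its own length word,
    # with bit 31 set when that block is compressed. Heuristic only; solid
    # installers start the single compressed stream right here instead.
    first_word = struct.unpack_from("<I", data, off + FIRSTHEADER_LEN)[0]
    return off, {
        "flags": [name for bit, name in FH_FLAGS.items() if flags & bit],
        "decompressed_header_len": hdr_len,
        "archive_len": total_len,
        "archive_end": off + total_len,
        "header_block_compressed": bool(first_word & 0x80000000),
    }


def carve_overlay(data: bytes, cert_size: int = 0) -> bytes:
    """Bytes after the NSIS archive and before the Authenticode signature, which
    is always the last thing in a signed PE. cert_size is the WIN_CERTIFICATE
    length from the PE security directory (5,008 for this sample)."""
    found = find_firstheader(data)
    if found is None:
        raise ValueError("no NSIS firstheader found")
    _, info = found
    end = len(data) - cert_size
    if info["archive_end"] > end:
        raise ValueError("archive end lies past the certificate start; corrupt or truncated")
    return data[info["archive_end"]:end]


def build_sample() -> tuple:
    """Constructed stand-in for a signed NSIS installer with an overlay. Sizes are
    arbitrary except the 21,546-byte decompressed header, taken from the table."""
    stub = b"MZ" + bytes(510)                    # fake PE stub padding, not a real PE
    datablock = b"\x5d" + bytes(99)              # 100 bytes standing in for LZMA data
    crc = bytes(4)
    total = FIRSTHEADER_LEN + len(datablock) + len(crc)
    fh = struct.pack(FIRSTHEADER_FMT, 8, NSIS_SIGINFO, NSIS_MAGIC, 21546, total)
    overlay = bytes(range(256)) * 4              # 1,024 bytes playing the encrypted overlay
    cert = b"\x00" * 64                          # placeholder WIN_CERTIFICATE blob
    return stub + fh + datablock + crc + overlay + cert, len(cert)


if __name__ == "__main__":
    blob, cert_len = build_sample()
    off, info = find_firstheader(blob)
    print(f"firstheader at 0x{off:x}: {info}")
    print(f"overlay: {len(carve_overlay(blob, cert_len))} bytes")
```

On a real sample, read the certificate size from the security data directory (or from pefile's DIRECTORY_ENTRY_SECURITY) and pass it as cert_size; 7-Zip will also unpack the blocks and emit a decompiled [NSIS].nsi if you want the script rather than the overlay.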

Layer 2: NSIS Script Orchestration

The decompressed 21,546-byte NSIS script writes obfuscated data files to directories with Danish-language names, then loads the standard NSIS System plugin (System.dll) and invokes its Call export. The script drops files into paths like:

\amphithuron\Boggruppers0.sexe
\Fejlmargener\loger.daexe
\Ambulante188\Aeroenterectasia84.zifgdp
\behovsbestemt\georginas.dasbin
\Carrow\Blomkaalene\Bonaparte.txt
\Konvojs\Sagomraaderne.isani
\Forslow253.lnk

Note the scrambled file extensions (.sexe, .daexe, .zifgdp). This defeats controls that decide what to scan by extension; content-based type identification (magic bytes) is unaffected, so scanners that sniff headers are not fooled. The Forslow253.lnk shortcut and the Software\Trx registry key together provide persistence.

Layer 3: Shellcode Execution via System.dll

System.dll is the legitimate NSIS System plugin (SHA-256: ca30ce8031701a98f423dd3fbed220ba64f5a6636e5a3d4732d659edfedc5f8f). It exports Alloc, Call, Copy, Free, Int64Op, Store, and StrAlloc. The Call export allows the NSIS script to invoke arbitrary function pointers -- in this case, position-independent shellcode that:

  1. Calls VirtualAlloc to allocate executable memory
  2. Calls VirtualProtect to set the correct memory permissions
  3. Decrypts the AES-encrypted overlay data into the allocated region

Layer 4: AES-Encrypted Payload

The 859,343-byte overlay region is the crown jewel. Its entropy is 7.9998 bits per byte against a theoretical maximum of 8.0, and the byte histogram is flat: every value occurs at roughly 0.39% (1/256) with a maximum deviation under 0.01 percentage points. That rules out plaintext, code, or XOR with a short repeating key (single-byte XOR is a permutation of byte values and leaves entropy unchanged; a short key can raise it by only a few bits). It does not, on its own, identify the cipher: AES, RC4, any other stream cipher, or an LZMA-compressed body would all look this way. The identification as AES rests on the packer family documented by Check Point, whose NSIS variants use RC4 or AES with keys derived from NSIS script data, and on the decryption stage performed by the shellcode described above.
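To make the entropy argument above concrete, here is an added Python example (our own, not code from the report or from any packer) that computes Shannon entropy and histogram flatness for constructed inputs: English plaintext, the same text under single-byte, four-byte and keystream XOR, and a seeded PRNG stream of the overlay's size standing in for ciphertext. The flatness test scales its threshold with the sample size, since per-bin sampling noise is about 100/sqrt(256·n) percentage points; the 5-sigma bound and the 4 KB minimum are this example's choices, not a standard. The sample strings, seed and sizes are all assumptions.

```python
import math
import random
from collections import Counter

UNIFORM_PCT = 100.0 / 256      # 0.390625 %, the share of each byte value in uniform data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a perfectly uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def histogram_deviation(data: bytes) -> float:
    """Largest distance, in percentage points, of any byte value's frequency from
    the uniform 0.390625 %. Values never seen count as a full deviation."""
    n = len(data)
    counts = Counter(data)
    return max(abs(100.0 * counts.get(b, 0) / n - UNIFORM_PCT) for b in range(256))


def looks_flat(data: bytes, sigmas: float = 5.0) -> bool:
    """Is the histogram flat to within sampling noise? Each bin is roughly
    binomial with sd sqrt(n/256) bytes, i.e. 100/sqrt(256 n) percentage points,
    so a fixed cutoff like 0.01 % is only meaningful for one particular n."""
    n = len(data)
    if n < 4096:
        raise ValueError("need a few KB for a meaningful byte histogram")
    sigma_pct = 100.0 / math.sqrt(256 * n)
    return histogram_deviation(data) <= sigmas * sigma_pct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed inputs. PLAINTEXT is ordinary English; KEYSTREAM_LIKE is a seeded
# PRNG stream of the same length as the sample's overlay (859,343 bytes) and
# stands in for ciphertext. Neither is data from the malware.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 200
KEYSTREAM_LIKE = random.Random(20260309).getrandbits(8 * 859343).to_bytes(859343, "little")


def demo() -> dict:
    """Entropy and flatness for plaintext, three XOR variants and ciphertext-like data."""
    cases = {
        "plaintext": PLAINTEXT,
        "xor_1byte": xor_bytes(PLAINTEXT, b"\x41"),
        "xor_4byte": xor_bytes(PLAINTEXT, b"\xde\xad\xbe\xef"),
        "xor_keystream": xor_bytes(PLAINTEXT, KEYSTREAM_LIKE[:len(PLAINTEXT)]),
        "ciphertext_like": KEYSTREAM_LIKE,
    }
    return {name: (round(shannon_entropy(d), 4), looks_flat(d)) for name, d in cases.items()}


if __name__ == "__main__":
    for name, (h, flat) in demo().items():
        print(f"{name:16} entropy={h:.4f}  flat={'yes' if flat else 'no'}")
```

The single-byte XOR case has exactly the plaintext's entropy, the four-byte key lifts it by at most two bits, and only the keystream XOR and the PRNG stream come out flat: entropy separates cheap encoding from real encryption or compression, but cannot tell AES from RC4 or from LZMA.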

The decrypted payload is a .NET AgentTesla binary, which the loader injects into a legitimate process via process hollowing (T1055.012).

Sandbox Confirmation: FTP Exfiltration, Not SMTP

Dynamic analysis in an ANY.RUN sandbox on March 9, 2026 revealed the actual exfiltration infrastructure. This variant breaks from the typical AgentTesla pattern of SMTP-based data theft -- it uses FTP.

Kill Chain (from PCAP)

  1. NSIS dropper executes, shellcode decrypts .NET AgentTesla payload
  2. Beacon to ip-api[.]com/line/?fields=hosting -- VM/sandbox environment detection
  3. Download second stage from hxxp://109.248.151.219/rFqLwimx179.bin
  4. Harvest saved credentials from Edge Chromium browser
  5. Exfiltrate to ftp.holzbrenzii[.]com as HTML file (PW_<user>-<hostname>_<timestamp>.html)

Attacker Infrastructure

Asset            | Value                                  | Details
FTP Drop Server  | ftp.holzbrenzii[.]com                  | 198.27.80.139 (OVH, shared cPanel host)
FTP Username     | mmmm@holzbrenzii[.]com                 | Embedded in payload
FTP Password     | @lilkooll123456                        | Embedded in payload
FTP Software     | Pure-FTPd [privsep] [TLS]              | Server banner
Second Stage URL | hxxp://109.248.151.219/rFqLwimx179.bin | SIA RixHost / DataClub, Latvia
IP Check         | ip-api[.]com/line/?fields=hosting      | Anti-sandbox gate

FTP Server Reconnaissance (Shodan)

The FTP drop server at 198.27.80.139 is a shared hosting environment with a wide attack surface:

  • Open Ports: 21, 80, 443, 465, 587, 2082, 2083, 2086, 2087, 2096, 52230
  • Services: Pure-FTPd, Exim 4.96.2, OpenResty/nginx 1.27.1.1, cPanel
  • Hostnames: ns519828.ip-198-27-80.net, 12333.com, apollo.hosterbox.com
  • Known CVEs (Shodan, matched on banner versions and not verified): CVE-2023-51766, CVE-2025-67896, CVE-2024-39929, CVE-2025-30232

The domain holzbrenzii[.]com was registered specifically for this campaign, so the hosting account behind it is attacker-controlled rather than a compromised customer's. The IP address, however, is a shared cPanel host with other tenants (note the unrelated hostnames above). Network blocks should therefore target the domain first; blocking the IP also cuts off whatever else is hosted there.

Victim Impact

We identified one confirmed real-world victim on the FTP server: a user in Germany, infected on the same day the sample was uploaded to MalwareBazaar. Roughly 60 account credentials had been harvested from the victim's Edge browser. A victim notification was sent by email on March 9, 2026.

MITRE ATT&CK Mapping

Tactic            | Technique                                         | ID        | Implementation
Initial Access    | Phishing: Spearphishing Attachment                | T1566.001 | Likely email delivery of signed .exe
Execution         | User Execution: Malicious File                    | T1204.002 | NSIS installer execution
Execution         | Native API                                        | T1106     | System.dll::Call into VirtualAlloc/VirtualProtect
Persistence       | Boot or Logon Autostart: Registry Run Keys        | T1547.001 | Software\Trx registry key
Persistence       | Boot or Logon Autostart: Shortcut Modification    | T1547.009 | Forslow253.lnk
Defense Evasion   | Obfuscated Files: Software Packing                | T1027.002 | NSIS packer with LZMA compression
Defense Evasion   | Obfuscated Files or Information                   | T1027     | Multi-layer LZMA + AES encryption
Defense Evasion   | Subvert Trust Controls: Code Signing              | T1553.002 | Self-signed Authenticode certificate
Defense Evasion   | Process Injection: Process Hollowing              | T1055.012 | .NET payload injected into hollowed process
Defense Evasion   | Deobfuscate/Decode Files or Information           | T1140     | Runtime AES decryption of payload
Defense Evasion   | Virtualization/Sandbox Evasion                    | T1497     | ip-api.com hosting check used as a sandbox gate
Credential Access | Input Capture: Keylogging                         | T1056.001 | AgentTesla keylogger module
Credential Access | Credentials from Password Stores: Web Browsers    | T1555.003 | Edge Chromium credential theft (confirmed)
Credential Access | OS Credential Dumping                             | T1003     | WiFi/VPN credential extraction
Collection        | Screen Capture                                    | T1113     | AgentTesla screenshot capability
Collection        | Clipboard Data                                    | T1115     | AgentTesla clipboard monitor
Exfiltration      | Exfiltration Over Unencrypted Non-C2 Protocol     | T1048.003 | FTP upload to holzbrenzii[.]com

Indicators of Compromise

File Indicators

Type    | Value                                                            | Description
SHA-256 | 976d47936868a8baa50f82d8d3e338c12d227c3ae32193c9ec999a05048ede91 | NSIS dropper
SHA-1   | 3ea8a70a178f1a11be2866140ec8c4a7d68dc18d                         | NSIS dropper
MD5     | 38b54d5f56ade68d752ffbef7b1a8df5                                 | NSIS dropper
SHA-256 | ca30ce8031701a98f423dd3fbed220ba64f5a6636e5a3d4732d659edfedc5f8f | System.dll (NSIS plugin)
SHA-256 | 273e8392cc9d93c6e13b75a224e1bc236d8781613ba741281bd09586bbcb8371 | Encrypted main payload (206 KB)
SHA-256 | 63ad89b70aab6b7ff4078e74d98d8faff750f65e2b453e91b4106752502c1383 | Encrypted data block (10 KB)

Network Indicators

198.27.80.139        # FTP drop server (OVH Canada)
109.248.151.219      # Second stage payload server (Latvia)
ftp.holzbrenzii[.]com   # Attacker-registered FTP drop domain
hxxp://109.248.151.219/rFqLwimx179.bin   # Second stage payload URL

Certificate Indicators

Serial:   72:0F:4E:4F:78:69:B1:8D:50:C2:D4:98:82:29:29:FF:1D:64:B5:7E
CN:       Shellers
Email:    Betnksom@Sideformatets[.]Sp
OU:       Civilstandsbetegnelsen Andalusiske
SKI:      D2:93:55:B1:BF:5A:F2:5D:BB:C0:9A:0E:9C:23:07:A6:EE:FA:2C:D1

Behavioral Indicators

Registry Key:   Software\Trx
File:           \Forslow253.lnk
Directory:      \amphithuron\Boggruppers0\
Directory:      \Carrow\Blomkaalene\Brushanes\
Directory:      \Fejlmargener\
FTP Credential: mmmm@holzbrenzii[.]com / @lilkooll123456

Detection Opportunities

YARA Rules

rule AgentTesla_NSIS_Dropper_Shellers_Cert {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "AgentTesla NSIS dropper with Shellers self-signed certificate"
        hash = "976d47936868a8baa50f82d8d3e338c12d227c3ae32193c9ec999a05048ede91"
        tlp = "TLP:CLEAR"

    strings:
        // firstheader siginfo 0xDEADBEEF followed by "NullsoftInst"
        $nsis_magic = { EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74 }
        // certificate fields sit uncompressed in the PE security directory
        $cert_cn = "Shellers" ascii wide
        $cert_email = "Betnksom@Sideformatets" ascii wide
        $cert_ou = "Civilstandsbetegnelsen" ascii wide
        // NSIS script strings are LZMA-compressed on disk; they match on unpacked content
        $nsis_str1 = "Boggruppers0" ascii wide
        $nsis_str2 = "Mellemfrekvens151" ascii wide
        $nsis_str3 = "amphithuron" ascii wide
        $nsis_str4 = "Aeroenterectasia" ascii wide
        $reg_key = "Software\\Trx" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        $nsis_magic and
        filesize < 2MB and
        (
            2 of ($cert_*) or
            3 of ($nsis_str*) or
            ($reg_key and 1 of ($nsis_str*))
        )
}

rule AgentTesla_NSIS_Danish_Obfuscation {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "NSIS droppers using Danish-language obfuscation patterns"
        tlp = "TLP:CLEAR"

    strings:
        // stripped-ASCII spellings as they appear in the sample, not dictionary Danish
        $danish1 = "Civilstandsbetegnelsen" ascii wide nocase
        $danish2 = "Sideformatets" ascii wide nocase
        $danish3 = "Mellemfrekvens" ascii wide nocase
        $danish4 = "Kortblgemodtagere" ascii wide nocase
        $danish5 = "dannelsestrinnets" ascii wide nocase
        $danish6 = "handelsvirksomhedens" ascii wide nocase
        $danish7 = "kbstadsboer" ascii wide nocase
        $nsis = "NullsoftInst" ascii
        $sysdll = "System.dll" ascii

    condition:
        3 of ($danish*) and
        (
            (uint16(0) == 0x5A4D and $nsis) or   // the installer itself
            $sysdll                               // an unpacked script or memory dump
        )
}

A caveat on both rules: only the certificate strings and the NSIS magic are visible in the installer as delivered. The directory names, variable names and the System.dll plugin name live inside the LZMA-compressed header block, so the $nsis_str* and $danish* conditions fire on unpacked content (the [NSIS].nsi and extracted files that 7-Zip produces, or process memory after the script has been loaded), not on the raw file unless the installer was built without header compression. The first rule therefore relies on the certificate strings for on-disk matches; the second is intended for extracted artifacts and memory scans, which is why it does not require an MZ header when System.dll is present.

Suricata Rules

# AgentTesla FTP login to the holzbrenzii drop account. The hostname shows up on the
# control channel only because the cPanel-style login is user@domain.
alert ftp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"BREAKGLASS AgentTesla FTP Exfil - holzbrenzii Drop Server"; flow:established,to_server; content:"USER "; depth:5; content:"@holzbrenzii"; nocase; distance:0; classtype:trojan-activity; sid:2026030901; rev:2;)

# AgentTesla credential dump upload. The file name travels in the STOR command on the
# control channel, not in the ftp-data stream, so match it there.
alert ftp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"BREAKGLASS AgentTesla FTP Credential Dump - PW_ HTML Upload"; flow:established,to_server; content:"STOR PW_"; depth:8; content:".html"; distance:0; classtype:trojan-activity; sid:2026030902; rev:2;)

# Both FTP rules assume cleartext FTP. Pure-FTPd on this host advertises TLS; if a future
# build negotiates AUTH TLS, the commands are encrypted and only the connection to the
# IP or hostname remains visible.

# AgentTesla Second Stage Download from Latvian Server
alert http $HOME_NET any -> 109.248.151.219 any (msg:"BREAKGLASS AgentTesla Second Stage Download - rFqLwimx179.bin"; flow:established,to_server; content:"GET"; http_method; content:"/rFqLwimx179.bin"; http_uri; classtype:trojan-activity; sid:2026030903; rev:1;)

# AgentTesla VM Detection Beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS AgentTesla Anti-Sandbox - ip-api Hosting Check"; flow:established,to_server; content:"ip-api.com"; http_host; content:"fields=hosting"; http_uri; classtype:trojan-activity; sid:2026030904; rev:1;)

Hunting Queries

Endpoint -- search for persistence artifacts:

Registry key: HKCU\Software\Trx OR HKLM\Software\Trx
File name: Forslow253.lnk
Directory names containing: amphithuron, Boggruppers, Carrow\Blomkaalene, Fejlmargener

Network -- search for FTP exfiltration pattern:

Outbound FTP connections (port 21) to 198.27.80.139
DNS queries for holzbrenzii[.]com
HTTP connections to 109.248.151.219
DNS queries for ip-api.com followed by FTP session within 60 seconds

Certificate -- search for self-signed Authenticode with these identifiers:

Certificate Subject containing "Shellers"
Certificate Subject containing "Sideformatets"
Certificate SKI: D2:93:55:B1:BF:5A:F2:5D:BB:C0:9A:0E:9C:23:07:A6:EE:FA:2C:D1
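The network hunting queries above are stated as patterns; the following Python script is an added example (our own, not tooling from the report) that runs them over constructed event records to show the logic in one place: the cPanel-style FTP login to the drop domain, the STOR of a PW_<user>-<hostname>_<timestamp>.html file, and the ip-api.com lookup followed by FTP within 60 seconds. The event format, hosts, names and timestamps are invented for the example, and the file-name regex assumes the naming scheme from the sandbox run, with an unconstrained timestamp because the report does not spell out its format.

```python
import re

# Constructed event log (not real telemetry): "<epoch ts> <host> <proto> <detail>".
# Hosts, user names and timestamps are invented; the FTP login and file name follow
# the pattern reported from the sandbox run.
SAMPLE_EVENTS = """\
1773050400.10 10.0.0.7  dns  ip-api.com
1773050400.40 10.0.0.7  http GET http://109.248.151.219/rFqLwimx179.bin
1773050412.00 10.0.0.7  ftp  USER mmmm@holzbrenzii.com
1773050412.30 10.0.0.7  ftp  STOR PW_jdoe-DESKTOP-7Q2K1_2026_03_09_10_13_32.html
1773050500.00 10.0.0.9  dns  ip-api.com
1773050700.00 10.0.0.9  ftp  STOR nightly-backup.tar.gz
1773050800.00 10.0.0.11 ftp  STOR PW_report.html
"""

DROP_DOMAIN = "holzbrenzii.com"
# Assumed shape of PW_<user>-<hostname>_<timestamp>.html. The report does not give
# the timestamp format, so anything after the last "_" before ".html" is accepted.
PW_FILE_RE = re.compile(r"^PW_[^-]+-[^_]+_.+\.html$", re.IGNORECASE)
IPAPI_TO_FTP_WINDOW = 60.0      # seconds, from the hunting query above


def parse_events(text: str) -> list:
    """Parse the constructed log into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, proto, detail = line.split(maxsplit=3)
        events.append({"ts": float(ts), "host": host, "proto": proto.lower(), "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return (host, rule, severity, reason) tuples, at most one per host and rule."""
    findings, seen, last_ipapi = [], set(), {}

    def emit(host, rule, severity, reason):
        if (host, rule) not in seen:
            seen.add((host, rule))
            findings.append((host, rule, severity, reason))

    for e in events:
        host, ts, detail = e["host"], e["ts"], e["detail"]
        if e["proto"] == "dns" and detail.lower() == "ip-api.com":
            last_ipapi[host] = ts            # remember the sandbox-check lookup per host
            continue
        if e["proto"] != "ftp":
            continue
        cmd, _, arg = detail.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER" and arg.lower().endswith("@" + DROP_DOMAIN):
            emit(host, "ftp-user-drop-domain", "high", f"FTP login as {arg}")
        if cmd == "STOR" and PW_FILE_RE.match(arg):
            emit(host, "ftp-stor-pw-html", "high", f"credential dump upload {arg}")
        t0 = last_ipapi.get(host)
        if t0 is not None and 0 <= ts - t0 <= IPAPI_TO_FTP_WINDOW:
            emit(host, "ipapi-then-ftp", "medium",
                 f"FTP {cmd} {ts - t0:.1f}s after ip-api.com lookup")
    return findings


if __name__ == "__main__":
    for host, rule, sev, why in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{sev:6} {host:10} {rule:22} {why}")
```

In the sample data only 10.0.0.7 trips all three rules; 10.0.0.9 queries ip-api.com but its FTP upload comes 200 seconds later, and 10.0.0.11 uploads a PW_ file that does not fit the user-hostname-timestamp shape, so neither is flagged. Feed real Zeek dns.log and ftp.log rows through the same logic by mapping their columns onto the four fields.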

Attribution Assessment

  • Confidence: LOW
  • Language artifacts: Consistent native-level Danish vocabulary across the certificate and most NSIS strings
  • Motivation: Financial (AgentTesla is sold as Malware-as-a-Service)
  • Sophistication: MEDIUM -- uses established NSIS packer with multi-layer encryption and certificate evasion, but the packer is a known commodity toolkit
  • Operational timeline: 20-day window between certificate creation (Feb 17) and sample distribution (Mar 9)

The Danish vocabulary is the strongest attribution signal, but it could be a deliberate false flag. Without panel access, infrastructure pivot points, or OPSEC failures in the decrypted payload, attribution remains low-confidence.

Recommended Actions

  1. Search all endpoints for SHA-256 976d47936868a8baa50f82d8d3e338c12d227c3ae32193c9ec999a05048ede91
  2. Block DNS resolution for holzbrenzii[.]com and, where the proxy or firewall supports hostname rules, FTP connections to that name
  3. Block 109.248.151.219 at the network perimeter; block 198.27.80.139 only after confirming no business dependency on that shared cPanel host, since other tenants share the IP
  4. Hunt for the Software\Trx registry key across all Windows endpoints
  5. Monitor outbound FTP (port 21) for STOR commands with PW_*.html file names
  6. Deploy the YARA and Suricata rules above to endpoint and network detection systems
  7. Enforce application control (WDAC or AppLocker publisher rules), which validates the full signing chain; a self-signed Authenticode signature fails that check even though the binary is "signed"

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 1 real-world victim identified and notified. FTP drop server credentials recovered. 60+ stolen credentials observed. Classification: TLP:CLEAR
