Campaign Analysis: Multi-stage delivery of Agent Tesla

    Date: 07/15/2025

    Severity: Medium

    Summary

    This report analyzes a phishing campaign that uses multi-stage, modular delivery to drop the credential stealer Agent Tesla. Compressed email attachments carry layered droppers that inject the final payload into trusted system processes to evade detection. The chain relies on payloads hosted on public file-sharing infrastructure and on "living-off-the-land" tooling; the indicators below reflect it, with a PowerShell stage served from files.catbox.moe, an FTP server at ftp.jeepcommerce.rs, and lookups to the ip-api.com geolocation service. A successful infection exposes stored credentials and poses risks to data security, regulatory compliance, and operational integrity.

    Indicators of Compromise (IOC) List

    URL/Domain

    files.catbox.moe (public file host serving the PowerShell stage)

    ftp.jeepcommerce.rs (FTP server contacted by the malware)

    ip-api.com (public IP geolocation service)

    https://files.catbox.moe/rv94w8.ps1

    ftp://ftp.jeepcommerce.rs

    IP Address

    195.252.110.253

    208.95.112.1

    SHA256 Hash

    00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5

    f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd

    75ec2397a2bbde443f46a1a4922f424431256492741ca567d0aae702e3beadec

    550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8

    e7d1cbef16204c787ae22237a41d91e6a519b745a928d0c1839dfca32cc99100

    Note: ip-api.com (and its address 208.95.112.1) is a public geolocation API that legitimate software also queries. Treat a hit on it as corroborating evidence alongside the other indicators rather than as a standalone alert, or expect a high false-positive rate.

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "ftp://ftp.jeepcommerce.rs" or siteurl like "ftp://ftp.jeepcommerce.rs" or url like "ftp://ftp.jeepcommerce.rs" or domainname like "ip-api.com" or siteurl like "ip-api.com" or url like "ip-api.com" or domainname like "https://files.catbox.moe/rv94w8.ps1" or siteurl like "https://files.catbox.moe/rv94w8.ps1" or url like "https://files.catbox.moe/rv94w8.ps1" or domainname like "ftp.jeepcommerce.rs" or siteurl like "ftp.jeepcommerce.rs" or url like "ftp.jeepcommerce.rs" or domainname like "files.catbox.moe" or siteurl like "files.catbox.moe" or url like "files.catbox.moe"

    Detection Query 2 : 

    dstipaddress IN ("195.252.110.253","208.95.112.1") or srcipaddress IN ("195.252.110.253","208.95.112.1")

    Detection Query 3 : 

    sha256hash IN ("550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8","00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5","f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd","75ec2397a2bbde443f46a1a4922f424431256492741ca567d0aae702e3beadec","e7d1cbef16204c787ae22237a41d91e6a519b745a928d0c1839dfca32cc99100")
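    The three queries above express the same logic in Gurucul's query language; the Python below is an added example (not Gurucul's TDIR code or anything from the referenced write-up) that runs that logic over a handful of constructed log events so the behaviour can be checked offline. It assumes events are dictionaries whose field names follow the queries (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash). Two choices go slightly beyond the literal queries: URLs are matched exactly (after trimming a trailing slash) while domains are matched by suffix so that subdomains also hit, and hits on ip-api.com / 208.95.112.1 are tagged low confidence because that service is also used by benign software. How a bare `like` with no wildcard behaves in the vendor platform depends on its semantics, which is another reason to test the rules against known samples.

```python
"""Match the advisory's IOC sets against sample log events (added example)."""
from urllib.parse import urlparse

IOC_URLS = {
    "https://files.catbox.moe/rv94w8.ps1",
    "ftp://ftp.jeepcommerce.rs",
}
IOC_DOMAINS = {"files.catbox.moe", "ftp.jeepcommerce.rs", "ip-api.com"}
IOC_IPS = {"195.252.110.253", "208.95.112.1"}
IOC_SHA256 = {
    "00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5",
    "f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd",
    "75ec2397a2bbde443f46a1a4922f424431256492741ca567d0aae702e3beadec",
    "550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8",
    "e7d1cbef16204c787ae22237a41d91e6a519b745a928d0c1839dfca32cc99100",
}
# Public geolocation API used by benign software too: corroborating, not conclusive.
LOW_CONFIDENCE = {"ip-api.com", "208.95.112.1"}

URL_FIELDS = ("domainname", "siteurl", "url")   # field names taken from Query 1
IP_FIELDS = ("dstipaddress", "srcipaddress")    # field names taken from Query 2


def host_of(value: str) -> str:
    """Lowercased hostname of a URL, or of a bare 'host', 'host:port', 'host/path'."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/", 1)[0].split(":", 1)[0]


def match_event(event: dict) -> list:
    """Return one hit dict per indicator found in the event."""
    hits = []

    def add(query, field, indicator):
        hits.append({
            "query": query, "field": field, "indicator": indicator,
            "confidence": "low" if indicator in LOW_CONFIDENCE else "high",
        })

    # Query 1: exact URL match, else domain (or subdomain) match on any URL-like field
    for field in URL_FIELDS:
        value = event.get(field)
        if not value:
            continue
        norm = value.strip().lower().rstrip("/")
        if norm in IOC_URLS:
            add(1, field, norm)
            continue
        host = host_of(value)
        for domain in IOC_DOMAINS:
            if host == domain or host.endswith("." + domain):
                add(1, field, domain)
                break

    # Query 2: source or destination address in the IOC IP set
    for field in IP_FIELDS:
        value = event.get(field)
        if value and value.strip() in IOC_IPS:
            add(2, field, value.strip())

    # Query 3: SHA256 compared case-insensitively (tools differ in hex casing)
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        add(3, "sha256hash", digest)
    return hits


def triage(events) -> list:
    """(index, hits, verdict) for every event with a hit; 'alert' needs a high-confidence hit."""
    results = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if not hits:
            continue
        verdict = "alert" if any(h["confidence"] == "high" for h in hits) else "corroborate"
        results.append((i, hits, verdict))
    return results


# Constructed sample events (hypothetical; not taken from the campaign)
SAMPLE_EVENTS = [
    {"host": "WS-01", "url": "https://files.catbox.moe/rv94w8.ps1"},
    {"host": "WS-01", "dstipaddress": "208.95.112.1", "url": "http://ip-api.com/json/"},
    {"host": "WS-01", "dstipaddress": "195.252.110.253", "url": "ftp://ftp.jeepcommerce.rs/"},
    {"host": "WS-02", "sha256hash": "550F191396C9C2CBF09784F60FAAB836D4D1796C39D053D0A379AFACA05F8EE8"},
    {"host": "WS-03", "url": "https://example.com/files.catbox.moe.html"},  # lookalike path, no hit
    {"host": "WS-03", "srcipaddress": "10.0.0.5", "dstipaddress": "93.184.216.34"},
]

if __name__ == "__main__":
    for index, hits, verdict in triage(SAMPLE_EVENTS):
        print(index, verdict, [(h["query"], h["indicator"], h["confidence"]) for h in hits])
```

    Event 1 (only the geolocation lookup) comes back as "corroborate" rather than "alert"; in practice it should raise the priority of the other hits from the same host rather than page anyone on its own. The lookalike path in event 4 does not fire because the match is on the parsed hostname, not on a substring of the URL.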

    Reference:    

    https://medium.com/@devkotasuprim832/campaign-analysis-multi-stage-delivery-of-agent-tesla-7396e8d35666


    Tags

    Malware, Agent Tesla, Phishing, credential stealers
