White Paper

Digital Espionage and Innovation: Unpacking Agent Tesla
33 pages

This 2024 Fidelis paper analyzes a recent AgentTesla sample (qtz.exe), describing the family as long-lived .NET spyware (first seen in 2014) delivered through a heavily layered, modular packing chain designed to defeat analysis. The malware masquerades as a benign application, then unpacks multiple embedded assemblies (including one hidden by steganography inside an image resource), ultimately loading Tyrone.dll, which retrieves the final VB.NET payload and injects it into a suspended RegSvr32/RegSvcs process by process hollowing (MITRE T1055.012). Once running, AgentTesla performs anti-debugging and anti-VM checks, then steals credentials and profile data from up to 80 preconfigured clients (browsers, email, VNC, FTP/SSH tools, VPNs, Discord, and more) and exfiltrates the results via SMTP over TLS. The re
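The behaviour summarised above (a hollowed RegSvr32/RegSvcs process that then mails stolen data out over SMTP) suggests a simple endpoint correlation rule. The script below is an added example and is not taken from the Fidelis paper or from any Fidelis product: it parses constructed Sysmon-style process-creation and network-connection events, attributes each connection to its process by PID, and raises an alert when one of the hollowing targets named on the page talks to an SMTP port. The SMTP port list, the set of "expected" parent processes, the empty-command-line heuristic and the log format are all assumptions of this example, not details from the paper.

```python
# Added example, not code from the Fidelis paper: correlate process-creation
# and network-connection telemetry to flag a RegSvcs/RegSvr32 process that
# opens an SMTP connection, i.e. the hollow-then-exfiltrate pattern.
import json

# The page names RegSvr32 and RegSvcs as the process-hollowing targets.
HOLLOW_TARGETS = {"regsvcs.exe", "regsvr32.exe"}
# Assumption: common SMTP / SMTP-over-TLS submission ports; the paper excerpt
# does not state which port the sample used.
SMTP_PORTS = {25, 465, 587}
# Assumption: parents from which these .NET utilities are legitimately run
# (installers, build tools, an admin shell). Anything else is suspicious.
EXPECTED_PARENTS = {"msiexec.exe", "setup.exe", "msbuild.exe", "devenv.exe",
                    "cmd.exe", "powershell.exe", "explorer.exe"}

# Constructed, Sysmon-like newline-delimited JSON. Events 1-2 are a benign
# installer registering a COM DLL; events 3-4 mimic the loader (qtz.exe is the
# sample name from the page, the path and addresses are made up) hollowing
# RegSvcs.exe and then connecting to a mail submission port.
SAMPLE_LOG = r"""
{"event":"process_create","pid":3010,"image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s vendor.dll","parent_image":"C:\\Windows\\System32\\msiexec.exe"}
{"event":"network_connect","pid":3010,"dest_ip":"10.0.0.5","dest_port":443}
{"event":"process_create","pid":4120,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","cmdline":"","parent_image":"C:\\Users\\user\\AppData\\Roaming\\qtz.exe"}
{"event":"network_connect","pid":4120,"dest_ip":"203.0.113.7","dest_port":587}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowed_smtp(events):
    """Return alerts for RegSvcs/RegSvr32 processes that open SMTP connections.

    Process-creation events are indexed by PID so a later network event can be
    attributed to its image and parent. Neither utility has a legitimate need
    for SMTP, so any such connection is reported; severity is raised to high
    when the parent is outside EXPECTED_PARENTS or the command line is empty
    (assumption: a loader creating a suspended process to hollow typically
    passes no arguments).
    """
    procs = {}
    alerts = []
    for ev in events:
        if ev.get("event") == "process_create":
            if basename(ev["image"]) in HOLLOW_TARGETS:
                procs[ev["pid"]] = ev
        elif ev.get("event") == "network_connect":
            proc = procs.get(ev["pid"])
            if proc is None or ev.get("dest_port") not in SMTP_PORTS:
                continue
            parent = basename(proc.get("parent_image", ""))
            suspicious_parent = parent not in EXPECTED_PARENTS
            empty_cmdline = not proc.get("cmdline", "").strip()
            alerts.append({
                "pid": ev["pid"],
                "image": basename(proc["image"]),
                "parent_image": parent,
                "dest": f"{ev.get('dest_ip')}:{ev['dest_port']}",
                "severity": "high" if (suspicious_parent or empty_cmdline) else "medium",
                "technique": "T1055.012 process hollowing followed by SMTP exfiltration",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_hollowed_smtp(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The benign regsvr32.exe launched by msiexec.exe produces no alert because its only connection is to port 443; the RegSvcs.exe child of qtz.exe is reported at high severity on both counts (unknown parent and empty command line). In production the same correlation would be expressed against real Sysmon Event ID 1 and 3 fields rather than this constructed JSON.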