Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion
ID: 4669257a-75da-5e27-bfe2-08bb3b0a6379
STIX ID: report--4669257a-75da-5e27-bfe2-08bb3b0a6379
Feed Name: McAfee Labs Blog
Agent Tesla was delivered via a VBS that runs obfuscated PowerShell to download an image containing steganographically hidden base64 data; this decodes to a .NET DLL that fetches and decodes a final payload, performs process injection into the legitimate RegAsm.exe process, and steals browser and mail-client data for exfiltration via SMTP. The analysis includes IoCs (file hashes and C2 URL/IP), detailed API-level injection steps, and notes on obfuscation and evasion techniques.
