Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign
ID: fe6214e8-ecb0-5087-9947-2e4db2e1eeb7
STIX ID: report--fe6214e8-ecb0-5087-9947-2e4db2e1eeb7
Feed Name: Fortinet Blog
This report describes an Agent Tesla infostealer campaign that begins with a business-themed phishing email delivering a RAR archive containing a JSE loader, which fetches an encrypted PowerShell script. The chain uses in-memory .NET reflective loading and process hollowing of a legitimate Windows utility (aspnet_compiler.exe), performs virtualization and sandbox checks, and harvests browser cookies and credentials, exfiltrating them over SMTP. The analysis includes SHA256 hashes, a files.catbox.moe download URL, a C2 mail server domain, mapped MITRE ATT&CK techniques, and recommended Fortinet detections and mitigations.
