Disrupting a phishing campaign

One of our clients recently received an email claiming an unpaid invoice required immediate action. The attachment was a RAR archive—an immediate red flag, especially as all recipients were undisclosed. Understandably, our client reached out to verify the legitimacy of the message.

Upon inspection, it was clear this was a phishing attempt. But what caught our attention was the fact that it had successfully bypassed the client’s mail filters. This warranted a deeper look into the attack chain and the threat actor’s tactics.

The Email

mail.webp

The attached RAR archive contained a single file: Unbezahlte Rechnung Nr.12417.wsf
This file, when opened, would be executed by wscript, the Windows Script Host, capable of executing javascript.

Upon inspecting the .wsf file, we found heavily obfuscated JavaScript.

rechnung.wsf.webp

After deobfuscating the script and decoding its string operations, it became evident that the malware leverages MSXML2.XMLHTTP via an ActiveXObject to download and execute a remote payload.

rechnung.wsf.deob1.webp rechnung.wsf.deob2.webp

Following the hardcoded URL, we discovered an open directory at:
http://176.65.134.79/HOST/SIR.ps1

webserver_autoindex.webp

Let’s take a closer look at the PowerShell payload: SIR.ps1.

SIR.ps1.webp

The script downloads an encrypted blob which, when base64-decoded, reveals a .NET binary.

SIR.ps1.payload.webp

This binary was packed using PROPacker, a known tool for obfuscation and anti-analysis.

SIR.ps1.payload.exe.webp

To unpack it, we bypassed anti-debugging by setting breakpoints on IsDebuggerPresent and WriteProcessMemory.

SIR.ps1.payload_bp.exe.webp

Once WriteProcessMemory was hit, we found a full PE binary in memory:

SIR.ps1.payload_bp_dec.exe.webp

AskaLoader: The Delivery Mechanism

The unpacked binary turned out to be AskaLoader, a malware loader that performs classic process hollowing.
It fetches encrypted PE payloads from a hardcoded server and injects them into legitimate processes.

aska_loader_aska_process_hollowing.webp aska_loader_aska_process_hollowing2.webp aska_loader_aska_process_hollowing3.webp

Its decryption routine is minimalistic—a simple XOR loop with a hardcoded 32-byte key.

aska_loader_aska_decrypt.webp

The loader embeds:

  • the decryption key,
  • the PE path,
  • and the download URL directly in the binary.
aska_loader1_000.webp aska_loader1.webp aska_loader3.webp

While effective, the loader is far from stealthy. It leaks the XOR key wherever the binary contains null bytes.
Most payloads have a null-filled tail section, which reveals the repeating XOR pattern used for decryption.

sirdeee_xor.webp

Using this technique, we decrypted all payloads on the actor’s server:

  • sirdeee.aska
  • big77777.aska
  • BAGSNAKE.aska
  • k2.aska
  • kentt.aska

The AskaLoader source code was even found publicly on GitHub: https://github.com/Tetedu27/AskaLoader

sirdeee.aska – Credential Harvesting via SMTP

This decrypted payload contains an instance of Agent Tesla, a known infostealer and RAT.

If the client had opened the initial .wsf, this payload would have been executed—stealing credentials and sending them via SMTP.

sir_mail.webp

Interestingly, the actor used two email accounts on the same server—one for sending and one for receiving credentials.

We discovered an open cPanel interface for the domain and reset the password, effectively halting data exfiltration from this sample.

big77777.aska – Credential Exfiltration via FTP

Another Agent Tesla variant, this sample uploads stolen credentials to a remote FTP server.

big_ftp.webp ftp.webp

We accessed the server and deleted all stored credentials, disrupting another part of the campaign.

BAGSNAKE.aska – Obfuscated Exfiltration Configuration

This sample also uses SMTP for credential theft, but the configuration is encrypted.

The decryption logic:

  • computes an MD5 hash of a hardcoded string,
  • takes the first 8 bytes as the DES key,
  • and decrypts strings in ECB mode.
bagsnake_des_enc_strings.webp bagsnake_decryption_routine.webp

We extracted the following credentials:

  • Sender: info@alnozha-qa.com (likely a compromised account)
  • Receiver: armkmc2016@gmail.com (possibly a disposable Gmail account)

kentt_dec.aska & k2_dec.aska – REMCOS RAT

Two payloads turned out to be REMCOS, a commercially sold remote access trojan.
They were configured with the following settings:

Description Value
License Serial 0D65ED8B19C4A976605F04835079F278
ID 1 Rmc-GV2YHK
ID 2 Rmc-068YU6
C2 Server Address 196.251.116.245:2721

Recommendations

The malicious infrastructure, including the server at 176.65.134.79, remains active.
The threat actor is still serving payloads and may continue campaigns using similar TTPs.

We recommend:

  1. Blocking rarely-used script file types (.wsf, .js, etc.) at the email gateway level.
  2. Allow only known-good formats with clear business use (e.g., .pdf, .xlsx, .csv).
  3. Blacklisting the following IP addresses in your firewall or proxy configuration:
    • 176.65.134.79
    • 196.251.116.245

This case showcases how even basic malware with a poorly implemented encryption routine can bypass filters and execute in real-world environments.
Proactive analysis, combined with swift response, disrupted the attacker’s campaign and prevented credential leaks.

Stay tuned—we’ll continue to publish deep dives like this to help defenders stay one step ahead.

IOCs

Type Value Hash
IP 176.65.134.79
IP 196.251.116.245
Mail Address fabolous1@el-euphrates.com
Mail Address fabolous2@el-euphrates.com
Mail Address info@alnozha-qa.com
Mail Address armkmc2016@gmail.com
File BAGNEW.ps1 f987443f7e35591ac5cd2a93ffc06d690668ff9eb88c1efad52aeac63e05206e
File BIG7.ps1 2561aef4855dc12b49de9217c34c613ce9cd3767981685734a82692686dca3da
File BLACKSHEEP.ps1 d0627ab546aa43cb2c59b874b770cb50ab76456972002443533dadd3ba6ae43e
File DEVNEW.ps1 623a8527dff3a91af1f0335ebb43d8ac7254922f3668d719943cebfcd4ad3afb
File SIR.ps1 e49d0a3055c5d9925e567f67621174e0018a1967cdf6459f9c71bc7f911d87ed
File SIR.ps1_orig_payload.ps1 c9f9c84681ddb6f12dcd88f10c78c5c82e542479b2b2c43ae97f2f96d0aebd44
File SIR.ps1_payload.ps1 9cd95947c78703ed5d96f745e3cc9a60a69f8614e4febc4bf5405167553076ed
File big77777_dec.exe 68b776ca60c9848a723a563fc45eb1cbee960ae3c65aeebedf57c739efcdea66
File CZXCVTD.exe 6f3ee676d229cbe5bfa2d69a63513b3dc194f45f17f97e27f7c8fafb85e8cfdb
File sirdee_dec.exe d321111f5d086c69df7e89df2f8a55c72a87f7ed8f7af16a05fa15eefd1a8f88
File SIR.ps1_payload_bin.exe 65cbf454b210e3e6c21fc88c4dff7b3a95f11340bb81f9c99ab8eb8e0dc9215c
File SIR.ps1_unpacked_payload.exe 248b6f25de8fd957acb16522b49bd94803ec247898e499d82cf2c70bfea81cbb
File obfuscated (12).rar cc94ad95f5e47b754cb9e778a406b3ccaffa73455462fe01fcac0f930627177c
File obfuscated (13).rar 329742d838d0e8eec8eba55dcea47cdea89584cb65e33d607b024c7a1af5958d
File Unbezahlte Rechnung Nr.12417.rar d5979cd7a10d772f312a3e48a1b510b2eeabf30ea5a3d1060e1c9ca3116a6d0d
File Unbezahlte Rechnung Nr.12417.wsf 372a66e9873f9c2716a934cc65045b7b45d7c39d5e66f84c3be3a02e427c6805
File BAGSNAKE.aska d2b4186deef29efaa9820907e6a27247561bbcc04f98ce84dca1b1e941b1265c
File BAGSNAKE_dec.aska 08388aa7ea44bf96e37fe9848a086c48e7860935f30ed1718e46e427a8ceb3ad
File big77777.aska cab15f1001d279cc919673a82a82000460da02f62761d169cd93490c61b1de37
File k2.aska 9cf25a37a4ac164d8f7e04e0dad6a839cf7c177a6015e5aeb8b0f69fe99d8404
File k2_dec.aska 27238f0995e56e78966cad388cf9aa265ed88abeae4d1810c5feda6872cdab2d
File kentt.aska 15bd0089ffde74cbbe487864c250c33945e30846b91aa6f30fd7df2ed4002cd8
File kentt_dec.aska 47a20e33373e7be93b13e9b93423d34488e05544258bc06ac528c41292ca3741
File sirdeee.aska ef3cd00d1efd66f090543cbaf65c309cb31054fc0239d78615a37ce8a48ea1e4