Malware analysis on Agent Tesla

Static analysis of agent tesla - 1

Identified obfuscated strings

From these, we have identified that it uses obfuscation and also uses DigiCert, i.e. digital certificates. As we have understood, it is compiled using C# / .NET, so we have used dnSpy, which is a reverse engineering tool for .NET assemblies.

On static analysis of the malware: 1st stage malware (use of LoadLibraryA and GetProcAddress)

From this, we can say that the malware uses LoadLibraryA and GetProcAddress. LoadLibraryA is responsible for loading the module specified as its parameter into the address space of the calling process. In conjunction with that, GetProcAddress retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). Here, it also performs string replacement/obfuscation.

DYNAMIC ANALYSIS OF 1st Stage

So, we perform dynamic analysis by executing the sample. In this case, we initially disabled the network interface and identified the following:

From this, we have understood that if the Internet or the network interface is disabled, it results in a Connection Error or Fatal Error and it retries continuously to connect to the network. So, we created a dummy XAMPP server and mapped the pastebin and hastebin hostnames to localhost in the hosts file, to have a fake network available.

Wireshark: the malware trying to access hastebin and digicert at 127.0.0.1, as we have modified the hosts file. Task Manager also confirmed that the malware is running. The malware tries to access mscore.dll, machine.config and other HKLM registry keys. The malware runs under Explorer.exe with multiple child processes. From this dynamic analysis, we have identified that as soon as the malware executes, it tries to connect to HasteBin/PasteBin to download the additional downloader files needed for the Stage 2 malware, and it tries to disable AMSI.dll.

Hence, the main payload contains an obfuscated first-stage PE DLL file in which the char “@” stands in for “000” at multiple locations. This helps Agent Tesla evade signature-based detection. This module is called “representative” and is a .NET-compiled DLL. After de-obfuscation, the main payload loads this first-stage DLL module in memory.
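An analyst's decoder for this substitution, as an added example (not the author's or the malware's code): it reverses the “@” → “000” replacement in the hex text, then checks the DOS “MZ” stub and the “PE\0\0” signature at e_lfanew to confirm a PE file came out. The sample header is constructed here, not taken from the real sample.

```python
import struct


def deobfuscate_at_hex(obfuscated: str) -> bytes:
    """Reverse the '@' -> '000' substitution and decode the hex text to raw bytes.

    '@' is not a hex digit, so the replacement is an exact inverse of what the
    packer did, regardless of how runs of zeros were grouped.
    """
    return bytes.fromhex(obfuscated.replace("@", "000"))


def looks_like_pe(data: bytes) -> bool:
    """Return True if data has an 'MZ' DOS stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a minimal 68-byte PE header (2-byte 'MZ', zero padding,
# e_lfanew = 0x40 at offset 0x3C, then the 'PE\0\0' signature). Not a real file.
SAMPLE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

# The obfuscated form as the packer would emit it: hex text with '000' -> '@'.
SAMPLE_OBFUSCATED = SAMPLE_PE.hex().replace("000", "@")


def recover_sample() -> bool:
    """Decode the constructed sample and verify that a valid PE header is recovered."""
    recovered = deobfuscate_at_hex(SAMPLE_OBFUSCATED)
    return recovered == SAMPLE_PE and looks_like_pe(recovered)


if __name__ == "__main__":
    print("obfuscated:", SAMPLE_OBFUSCATED[:48], "...")
    print("PE recovered:", recover_sample())
```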

Agent Tesla uses a steganography technique, where an image contains an embedded PE file. This resource image is used by the first stage dll module to extract the second stage dll module.

Decryption routines are then carried out on the collected data to generate the second stage module, named “CF_Secretaria”. In this decryption routine, K1 points to the decryption key and P1 points to the data collected from the “ApplicationTru” bitmap.

The first stage DLL module loads this “CF_Secretaria” in memory and then transfers control to it by calling the “CallByName” function.

The second stage DLL is heavily obfuscated, with UTF-8 encoded function names to make analysis difficult. A “ResourceManager” is created to read its resource “bcf6M”. This resource data contains an encrypted PE file, which is the final payload. On the collected resource data, an initial XOR operation is carried out with the key “PnltzRBT”. The initial decryption logic is the same as the one used for the second stage DLL extraction, but with a different key. After the initial decryption routine, further decryption is carried out, where the data is decrypted with a 16-byte XOR key. This key is present at the start of the previously decrypted buffer. After this decryption, the malware delivers the final payload. After performing process hollowing into the current process, it starts stealing computer information.
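The two-layer decryption described here (and the same initial routine used for the second stage module above), written as an added analyst decoder; it is not the author's or the malware's code. It assumes repeating-key XOR for both layers and that the 16-byte inner key is the first 16 bytes of the layer-one output and is not part of the final payload. The encrypted blob is constructed in the example itself so it runs offline.

```python
def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_final_payload(resource: bytes, stage_key: bytes = b"PnltzRBT") -> bytes:
    """Decode the resource blob: resource-key XOR, then XOR with the embedded 16-byte key.

    Assumption (not stated on the page): the 16-byte key occupies the first 16
    bytes of the layer-one output and the remainder is the encrypted payload.
    """
    layer_one = xor_repeating(resource, stage_key)
    inner_key, body = layer_one[:16], layer_one[16:]
    if len(inner_key) != 16:
        raise ValueError("resource too short to hold a 16-byte key")
    return xor_repeating(body, inner_key)


def pack_for_demo(payload: bytes, inner_key: bytes, stage_key: bytes = b"PnltzRBT") -> bytes:
    """Constructed inverse of unpack_final_payload, used only to build test input."""
    return xor_repeating(inner_key + xor_repeating(payload, inner_key), stage_key)


# Constructed sample payload: a fake 'MZ' header followed by filler (not a real binary).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
SAMPLE_INNER_KEY = bytes(range(0x10, 0x20))  # constructed 16-byte key


def demo() -> bytes:
    """Pack the sample, unpack it again and return the recovered payload."""
    blob = pack_for_demo(SAMPLE_PAYLOAD, SAMPLE_INNER_KEY)
    return unpack_final_payload(blob)


if __name__ == "__main__":
    print("recovered MZ header:", demo()[:2] == b"MZ")
```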

Agent Tesla collects information such as the computer name, TCP hostname, DNS client, domain, and more.

The malware contains a predefined list of browsers and checks for their presence on the system. If these browser directories are found, it collects a list of all the files and folders present in them. It then checks for the “User data” directory and, if found, for the “Login Data” file, which contains the mail ids and password information of stored profiles. Fig. 13 shows the code checking for the presence of browser information. Agent Tesla also checks for browser cookies and collects information about them. Fig. 14 shows the profile information collected for the Edge browser. The sample also has the capability to capture keystrokes; the code used for keylogging is shown. It can also steal clipboard data. Agent Tesla can also capture a screenshot and send it in JPEG format; as can be seen in the code, the captured image is encoded and then converted to base64. Further, it steals FTP credentials and sends them through the STOR method, searches for the “Open-VPN” “config” directory to steal its credentials, checks for the NordVPN configuration and steals its credentials, and searches for “recentservers.xml” of FileZilla to get information about recent FTP server connections. It also steals the IMAP, POP3, HTTP and SMTP passwords; for this, it checks the Microsoft Outlook registry entries.

The sample encrypts data before communicating with its command & control server and uses the TOR client to keep its communication and connection anonymous. It may download the TOR client from the TOR website. Stolen data is then exfiltrated over SMTP. The email subject line contains the combination of OS and computer name, and the body contains system information along with the stolen credential information.

For persistence, the sample drops a copy of itself at c:\ %insfolder%%insname% and creates a run entry.

https://blog.prabithgupta.com/posts/agent-tesla/
Author
Prabith GS
Published at
2022-06-22