<h1>Malware analysis on Agent Tesla</h1>
<p>June 22, 2022</p>
<p>Agent Tesla is an extremely popular spyware Trojan written for the .NET framework that has been observed since 2014, with many iterations since then. It is used to steal sensitive information from a victim's device such as user credentials, keystrokes, clipboard data, credentials from browsers, and other information.</p>
<p>Static analysis of Agent Tesla - 1</p>
<p><img src="https://i.imgur.com/layqnlg.png"></p>
<p>Identified obfuscated strings</p>
<p><img src="https://i.imgur.com/7pCSo8r.png"></p>
<p>From these, we have identified that it uses obfuscation and also uses DigiCert, i.e. digital certificates. As we have understood, it is compiled using C#/.NET, so we have used dnSpy, a .NET reverse engineering tool.</p>
<p>On static analysis of the malware, 1st stage malware (use of LoadLibraryA and GetProcAddress):</p>
<p><img src="https://i.imgur.com/i8MKvts.png"></p>
<p>From this, we can say that the malware uses LoadLibraryA and GetProcAddress, where LoadLibraryA is responsible for loading the module specified as a parameter into the address space of the calling process. In conjunction with that, GetProcAddress retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). Here, it also performs string replacement/obfuscation.</p>
<p>DYNAMIC ANALYSIS OF 1st Stage</p>
<p>So, we perform dynamic analysis by execution. In this case, we have initially disabled the network interface and identified the following:</p>
<p><img src="https://i.imgur.com/YqLQj4r.png"></p>
<p>From this, we have understood that if the Internet or network interface is disabled, it results in a Connection Error or Fatal Error and it retries continuously to connect to the network. So, we have created a dummy XAMPP server and mapped the pastebin and hastebin hostnames to localhost in the hosts file to have a fake network available.</p>
<p><img src="https://i.imgur.com/zuzne8E.png"></p>
<p>Wireshark: the malware tries to access hastebin and digicert at 127.0.0.1, as we have modified the hosts file.</p>
<p>Task Manager also identified that the malware is running. The malware tries to access mscore.dll, machine.config and other HKLM registry keys. The malware runs under Explorer.exe and has multiple child processes running.</p>
<p>From this dynamic analysis, we have identified that as soon as the malware executes, it tries to connect to hastebin/pastebin, from where it will try to download additional downloader files necessary for the Stage 2 malware, and it tries to disable AMSI.dll.</p>
<p>Hence, the main payload code contains an obfuscated first stage PE DLL file where the character "@" is substituted for "000" at multiple locations. This helps Agent Tesla evade signature-based detection. This module is called "representative", which is a .NET compiled DLL module. After de-obfuscation, the main payload loads this first stage DLL module in memory.</p>
<p>Agent Tesla uses a steganography technique, where an image contains an embedded PE file. This resource image is used by the first stage DLL module to extract the second stage DLL module.</p>
<p>Decryption routines are then carried out on the collected data to generate the second stage module named "CF_Secretaria". In this decryption routine, K1 points to the decryption key and P1 points to data collected from the "ApplicationTru" bitmap.</p>
<p>The first stage DLL module loads this "CF_Secretaria" in memory, and then transfers control to it by calling the "CallByName" function.</p>
<p><img src="https://i.imgur.com/BrLcxwa.png"></p>
<p>The second stage DLL is heavily obfuscated with UTF-8 encoded function names to make analysis difficult. A "ResourceManager" is created to read its resource "bcf6M". This resource data contains an encrypted PE file which is the final payload. On the collected resource data, an initial XOR operation is carried out with the key "PnltzRBT".</p>
<p><img src="https://i.imgur.com/ZQU6Bw2.png"></p>
<p>The initial decryption logic is the same as is used for the second stage DLL module extraction, but with a different key. After the initial decryption routines, further decryption is carried out where data is decrypted with a 16-byte XOR key. This key is present at the start of the previously decrypted buffer. After this decryption, the malware delivers the final payload. After performing process hollowing into the current process, it starts stealing computer information.</p>
<p>Agent Tesla collects information like computer name, TCP hostname, DNS client, domain, and more.</p>
<p><img src="https://i.imgur.com/GQ6nVoo.png"></p>
<p>The malware contains a predefined list of browsers, and it checks for their presence on the system.</p>
<p><img src="https://i.imgur.com/2unIlC7.png"></p>
<p>If these browser directories are found, it collects a list of all the files and folders present in them. Then it checks for the "User Data" directory and, if found, next checks for the "Login Data" file that contains mail IDs and password information of stored profiles. Fig. 13 shows code checking for the presence of browser information.</p>
<p><img src="https://i.imgur.com/yy2I8R2.jpg"></p>
<p>Agent Tesla also checks for browser cookies and collects information about them. Fig. 14 shows the profile information collected for the Edge browser.</p>
<p>The sample also has the capability to capture keystrokes; the screenshot below shows the code used for keylogging.</p>
<p><img src="https://i.imgur.com/gyRTxz5.png"></p>
<p>It can also steal clipboard data.</p>
<p><img src="https://i.imgur.com/GVL0SyH.png"></p>
<p>Agent Tesla also has the capability to capture a screenshot and send it in JPEG format. As can be seen in the code, the collected image is encoded and then converted to base64 format.</p>
<p><img src="https://i.imgur.com/2lHAHRg.png"></p>
<p>Further, it also steals FTP credentials and sends them through the STOR method. It searches for the "Open-VPN" "config" directory to steal credentials from it, checks for the NordVPN configuration and steals its credentials, and can search for "recentservers.xml" of FileZilla to get information about recent FTP server connections. It also steals information such as the IMAP password, POP3 password, HTTP password, and SMTP password; for this, it checks the Microsoft Outlook registry entries.</p>
<p>The sample encrypts data before communicating with its command &amp; control server and uses the TOR client to keep its communication and connection anonymous. It may download the TOR client from the TOR website. Stolen data is then exfiltrated over SMTP. The email subject line contains the combination of OS and computer name, and the body contains system information along with the stolen credential information.</p>
<p>For persistence, the sample drops its copy at c:\%insfolder%%insname% and creates a Run entry.</p>
<p><img src="https://i.imgur.com/MnKNuOd.png"></p>