Agent Tesla

Introduction

Agent Telsa is a spyware, keylogger and information stealer Trojan written in C# that has been active since 2014 as a MaaS (Malware as a Service).
Commonly distributed via emails, the attacker intends to lure the victim into opening the attachment.
Once macros have been enabled, the malware will simply drop an executable and execute itself.

In Agent Tesla, we can identify 5 different stages:

  1. Malicious document via spear-phishing
  2. Initial executable dropped by the macros
  3. Extracting the second executable
  4. Extracting the third and last executable
  5. Communicate via SMTP over port 587 with the C2

After dropping the initial executable, only the final one will be malicious and, if my guesses are right, the main purpose was to make the malware analyst job much more difficult.
Last but not least, different anti-debugging and obfuscation techniques have been used to evade antiviruses and beginner analysts.

Behavioral analysis

I always start with a quick behavioral analysis on the sample so I can better understand how the malware operates, creates and injects.
My first fear was that Any-Run would not have been able to execute it since it’s a commercial malware and most likely they could contain anti-vm and anti-sandbox checks but, luckily for me, it ran perfectly.

For anyone interested, here is the link to the scan where you can download the sample and see the report by yourself.

Process graph

Pretty straight forward and nothing else to add; the malware maintains persistency by adding a new task to the Task Scheduler and by modifying the Registry.

Any Run process tree

An XML configuration file for the task has been created into C:\Users\admin\AppData\Local\Temp\ by executing schtask.exe from the command line and supplying the following string: /Create /TN "Updates\&startupname&" /XML "C:\Users\admin\AppData\Local\Temp\tmp1F0.tmp

Process tree

The malicious code injects itself into RegSvcs.exe (a standard executable by default on Windows machines that loads assemblies), and constantly sends SMPT packets to mail.stankovic.hr.

C&C communication with data exfiltration

We can see that personal information gets transmitted over port 587 to the C2 and by a quick search on Fortinet’s report, additional software are targetted such as web browsers, email clients, VPNs, FTP clients and download managers.

In order to execute the malicious executable upon reboots, a key has been added to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key pointing to C:\Users\admin\AppData\Roaming\oPLNOE\oPLNOE.exe, our malicious executable.

Analysing the first executable

This executable (BSCPQ.exe) will be the main container for all the other malicious activities that it will perform.

Why did I call it a container?
There are a lot of functions and at first glance and it appears to be a UNO card game with multiplayer capabilities.

UNO card game

After checking again the strings of the executable, I stumbled upon an incredibly long string that had no reason to be in a UNO match.

Strange big string used later on

Now I started getting more excited because I also find the same reference inside the decompiled game and even something else:

Strange looking strings here too
Resources loaded

And if you’re careful enough, you can see that the string Ir that it’s equal to cnJCh, that value points exactly to the bitmap that will definitely contain data or even additional malicious code.

We should also note that the long string we saw before has a name: SAS.

There are 3 functions that works with these variables and data:

Decoding the large string into a new executable
  1. The first method is the constructor that will call the Rate method and passing an array of object that contains exactly 3 values: Castle.Ir, Castle.Iq and WinFormsFirstOne.
  2. The second method will reverse a string.
  3. The third method will replace all the occurrences of Quotes_on_Life with the character A from the SAS variable, reverse it and decode it from base64.

And if we debug the executable and place a breakpoint to read the byte array value, we can see a new executable:

New executable

To make the next executable analysis easier, I managed to write all the bytes to file (later on I learned that I could just dump the value from a variable to file by right-clicking it).

Stupid way to dump the executable

Analysing the second executable

The second executable is called sparta.dll and it’s loaded in the same memory as the first executable.

As you can clearly see, a more interesting obfuscation technique has been applied to those methods in order to make the analyst cry when analysing them but, luckily, that was not the case.

New dumped executable

The analysis was pretty straightforward and wasn’t even difficult since it had the same behavior of the first executable:

  1. Extract the malicious code from somewhere
  2. Load the assembly code into the memory
  3. Execute it

After spotting some bitmap manipulation methods, I realised that we have a bitmap from the first executable and to not waste too much time analysing useless code, I simply dumped the final assembly.

Decoding method
Dumping another executable

Analysing the third executable

The final executable was IMPOSSIBLE for me to debug, decrypt, analyse and even for dnSpy to decompile it.

After using de4dot on the new executable
No idea

I managed to use de4dot to get rid of those stupid Unicode characters methods but it was not worth it.

Patching the code would have resulted in many compilation errors because of it and neither debugging was possible because of those damned anti-debug threads running and checking.

And to make it more difficult, ConfuserEx has been used to protect the final executable from analysts.

Conclusion

I managed to learn interesting things but failed at the same time to fully analyse the sample through dnSpy.

I have no idea how to proceed and de-obfuscate it so I’ll end this post here by doing a little summary of what the final executable does when launching it on Any-Run.

  1. The dropper gets distributed via phishing attacks (based on Fortinet’s Report).
  2. It loads another executable in the dropper’s memory.
  3. The second executable loads a third heavily obfuscated one that would result in the final one.
  4. This executable will be placed in %APPDATA\Roaming\oPLNOE% and set the registry key Run to this path, achieving persistence upon reboots.
  5. The third executable can transfer sensitive information such as credentials, keyloggers, running programs and files via SMTP on port 587.
  6. It disables the task manager by doing REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f from the CLI.

Artifacts & IOCs

Persistence

KeyValue
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunC:\Users\User\AppData\Roaming\oPLNOE\oPLNOE.ex
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableTaskMgr

BSCPQ.exe (initial dropper)

HashValue
MD51a25e75693b99ad09e55aea29c6f2775
SHA1127c636848aff40eb37c0bdb325ec7d1c4c3bfca
SHA256c2bc9f2091a56e2d7045ddc273ba91462252f51baec6e6e62f6d0a08735564dd

regsvcs.exe & oPLNOE.exe (malicious executable)

HashValue
MD519855c0dc5bec9fdf925307c57f9f5fc
SHA1d2d0c486bc5422d4e7602ce349af2f00de7a2685
SHA256c09191a1a46b7bfa82e381c5a0cc5fae83787d63f550a8bd6beaf33cc5c0c344
DomainIP
mail[.]stankovic[.]hr89.201.175.36

Leave a Reply

Your email address will not be published. Required fields are marked *