Malware Analysis:
Agent Tesla

Le Lab Gatewatcher

What is Agent Tesla?


Agent Tesla is a .NET-based Trojan and credential-stealing malware that first appeared in 2014. This malware family gained significant momentum during the 2020 pandemic.

This software is sold for just a few dozen dollars, with support provided by its creators.

Most of the time, the attack vector is a targeted malicious email, often sent from a compromised account. The email carries either an attachment or a link that downloads the malware onto the victim's computer. Office documents have been widely used as the lure, sometimes exploiting old vulnerabilities such as CVE-2017-11882 (Equation Editor memory corruption) and CVE-2017-8570 (OLE Composite Moniker remote code execution), so that the victim does not even need to enable macros.

Agent Tesla has evolved over the years to become a fully-fledged credential stealer. It continues to be widely used and remains a major concern for businesses.

Here, we present an analysis of a malware sample collected by Gatewatcher's Threat Intelligence team, LastInfoSec, on Wednesday 12 January 2022: an Agent Tesla Trojan wrapped in a .NET packer, originally hosted on Discord's CDN at the following link:

https://cdn.discordapp.com/attachments/912530426499825698/930269593509974076/AWD_Notification_of_shipment_983567419.pdf.7z

This article provides a general overview of the sample.

Analysis of the Packer


The packer consists of three nested stages in front of the final payload. Every stage after the first is a 32-bit .NET 4.0 DLL, stored in the previous stage's PE resources either as a PNG image or as base64 text.

The first two binaries (the main executable and PrivateBinPath.dll) contain very little malicious code: most of their code is lifted from legitimate software and GitHub repositories and then heavily obfuscated, so the loader logic is buried in benign bulk. Two PNG-labelled resources store the next-stage DLLs, each encrypted with a simple XOR loop. The third file (UI.dll) does the real work: persistence, sandbox and VM detection, and injection of the final payload into a legitimate process.
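Resources protected this way can be recovered without reversing the loader, because the first bytes of every PE file are predictable. The following Python is an added example written for this article, not Gatewatcher's tooling and not code taken from the sample: it strips a PNG signature, derives a candidate repeating XOR key from the standard DOS stub prefix (a known-plaintext attack), and accepts a key only if the result has a structurally valid PE header. The resource bytes, the key and the PE-shaped blob are constructed for the example; a real sample hard-codes its own key and may hide the ciphertext inside a genuine image rather than behind a bare signature.

```python
"""Added example: recover an XOR-looped PE hidden in a PNG-labelled resource.

Constructed for this article; not the packer's code and not Gatewatcher tooling.
"""
import struct
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# First 16 bytes of the DOS stub that Microsoft linkers (and therefore .NET
# assemblies) emit: "MZ" followed by the standard e_cblp/e_cp/e_crlc/e_cparhdr/
# e_minalloc/e_maxalloc values. This is the known plaintext for the attack.
DOS_STUB_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_loop(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the 'simple XOR loop' the packer applies to its resources."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Structural check: MZ magic, an e_lfanew that points inside the blob, and 'PE\\0\\0' there."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def strip_png_wrapper(resource: bytes) -> bytes:
    """Drop a leading PNG signature; the packer only needs the resource to look like an image."""
    return resource[len(PNG_SIGNATURE):] if resource.startswith(PNG_SIGNATURE) else resource


def recover_xor_key(ciphertext: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack over key lengths 1..max_key_len (capped by the
    plaintext we know). For each length the candidate key is simply
    ciphertext XOR DOS_STUB_PREFIX; a wrong length fails the PE check because
    e_lfanew at offset 0x3C decrypts to garbage."""
    max_key_len = min(max_key_len, len(DOS_STUB_PREFIX))
    for key_len in range(1, max_key_len + 1):
        key = xor_loop(ciphertext[:key_len], DOS_STUB_PREFIX[:key_len])
        if looks_like_pe(xor_loop(ciphertext, key)):
            return key
    return None


def unpack_resource(resource: bytes) -> Optional[bytes]:
    """PNG-wrapped, XOR-looped resource -> decrypted PE bytes, or None if no key fits."""
    ciphertext = strip_png_wrapper(resource)
    key = recover_xor_key(ciphertext)
    return None if key is None else xor_loop(ciphertext, key)


def build_fake_pe() -> bytes:
    """Constructed PE-shaped stand-in (not a real binary): 0x80-byte DOS header
    with e_lfanew = 0x80, then the PE signature and padding."""
    dos = bytearray(0x80)
    dos[:len(DOS_STUB_PREFIX)] = DOS_STUB_PREFIX
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x100


SAMPLE_KEY = b"\x5a\xc3\x11"  # constructed 3-byte key; a real sample hard-codes its own
SAMPLE_RESOURCE = PNG_SIGNATURE + xor_loop(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_xor_key(strip_png_wrapper(SAMPLE_RESOURCE))
    print("recovered key:", recovered.hex() if recovered else None)
    payload = unpack_resource(SAMPLE_RESOURCE)
    print("decrypted payload is a PE:", payload is not None and looks_like_pe(payload))
```

The shortest key that survives the header check is returned first, so a 3-byte key is not mistaken for a 6-byte one. If a sample's stub does not start with the standard 16 bytes, swap DOS_STUB_PREFIX for the prefix of any known-good .NET assembly; the check on e_lfanew and the PE signature is what rejects false keys.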

Payload Analysis


We analyzed the full execution flow of the payload.

This payload is primarily a credential stealer. It can retrieve credentials from a long list of software, including:

  • Web Browsers (48 different ones): Opera, Firefox, Chrome, Yandex, Iridium, Chromium, Torch Browser, Chedot, Elements Browser, IceCat, Waterfox, and others.
  • FTP Clients: FTP Navigator, Core FTP, WinSCP, Ipswitch FTP, FileZilla, SmartFTP, FTPGetter.
  • VNC Clients: RealVNC, TightVNC, cFTP.
  • Email Clients: Opera Mail, Thunderbird, Claws Mail, IncrediMail, Postbox, MailBird, Outlook, Foxmail, Pocomail.
  • Databases: MySQL Workbench.
  • VPNs: NordVPN, OpenVPN.
  • Windows Credential Vaults.

It can also copy files out of browser profiles (such as SQLite cookie databases), can be configured to act as a keylogger, and can send screenshots back to its operator. A remote code execution function is also present in the code, but it was disabled in every sample we encountered.


Four methods can be configured to exfiltrate information:

  • SMTP: The malware logs in to an attacker-controlled mailbox and sends the stolen data to that same address, so the account effectively emails itself.
  • FTP: Files are uploaded to a remote server.
  • HTTP: The stolen data is uploaded as a file inside a multipart/form-data POST request (functionally the same as the FTP method).
  • HTTP/TOR: The HTTP method can be configured to download Tor and route the request through it as a local proxy. The request body itself carries an additional layer of encryption (TripleDES).
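None of these four channels is exotic on its own, so detection has to lean on context rather than content: an SMTP session from a workstation whose sender and sole recipient are the same mailbox, an FTP STOR or a multipart POST to a host the organisation never uploads to, or a process talking to the loopback SOCKS port that Tor listens on by default. The following Python is an added example written for this article, not Gatewatcher's detection content: it applies those four rules to constructed JSON log records in a made-up schema (proto, src, dst, mailfrom, rcptto, command, method, content_type, host, dport). The internal address ranges, the upload allowlist and the log lines are assumptions for the example; because the Tor variant wraps its request in TripleDES, the body is opaque and only connection metadata is used.

```python
"""Added example: flag Agent Tesla-style exfiltration from connection metadata.

Constructed for this article; the log schema and sample records are made up.
"""
import json
from typing import Iterable, List, Optional, Tuple

INTERNAL_PREFIXES = ("10.", "192.168.")           # assumed workstation ranges
SANCTIONED_UPLOAD_HOSTS = {"files.corp.example"}   # assumed allowlist of upload targets
TOR_SOCKS_PORTS = {9050, 9150}                     # Tor's default SOCKS listening ports


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def classify(event: dict) -> Optional[str]:
    """Return a detection name for one record, or None. Only traffic that
    originates from an internal host is considered."""
    if not is_internal(event.get("src", "")):
        return None
    proto = event.get("proto")

    if proto == "smtp":
        # SMTP channel: the mailbox mails itself, so MAIL FROM and the only RCPT TO
        # match. Mail relayed through the internal server is ignored, since
        # "note to self" messages via the corporate relay are routine.
        sender = event.get("mailfrom", "").lower()
        recipients = {r.lower() for r in event.get("rcptto", [])}
        if sender and recipients == {sender} and not is_internal(event.get("dst", "")):
            return "smtp_self_send"

    elif proto == "ftp":
        # FTP channel: an upload (STOR) to a server outside the organisation.
        if event.get("command") == "STOR" and not is_internal(event.get("dst", "")):
            return "ftp_upload_external"

    elif proto == "http":
        # HTTP channel: a multipart file upload to a host nobody sanctioned.
        ctype = event.get("content_type", "").lower()
        if (event.get("method") == "POST"
                and ctype.startswith("multipart/form-data")
                and event.get("host") not in SANCTIONED_UPLOAD_HOSTS):
            return "http_multipart_upload"

    elif proto == "tcp":
        # HTTP/TOR channel: the body is TripleDES-encrypted, but the malware must
        # first reach the Tor SOCKS proxy it started on the loopback interface.
        if event.get("dst") == "127.0.0.1" and event.get("dport") in TOR_SOCKS_PORTS:
            return "local_tor_socks_proxy"

    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over JSON-lines records; return (detection, src, target) tuples."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        tag = classify(event)
        if tag:
            hits.append((tag, event["src"], event.get("host") or event.get("dst", "")))
    return hits


# Constructed records (RFC 5737 documentation addresses); one benign twin per channel.
SAMPLE_LOG = """
{"proto":"smtp","src":"10.0.0.25","dst":"203.0.113.10","mailfrom":"drop@example.net","rcptto":["drop@example.net"]}
{"proto":"smtp","src":"10.0.0.25","dst":"10.0.0.2","mailfrom":"alice@corp.example","rcptto":["bob@corp.example"]}
{"proto":"ftp","src":"10.0.0.31","dst":"198.51.100.7","command":"STOR","arg":"report.html"}
{"proto":"ftp","src":"10.0.0.31","dst":"198.51.100.7","command":"RETR","arg":"readme.txt"}
{"proto":"http","src":"10.0.0.40","host":"192.0.2.9","method":"POST","content_type":"multipart/form-data; boundary=----x1"}
{"proto":"http","src":"10.0.0.40","host":"files.corp.example","method":"POST","content_type":"multipart/form-data; boundary=----x2"}
{"proto":"tcp","src":"10.0.0.40","dst":"127.0.0.1","dport":9050}
{"proto":"tcp","src":"10.0.0.40","dst":"10.0.0.2","dport":445}
"""

if __name__ == "__main__":
    for detection, src, target in scan(SAMPLE_LOG.splitlines()):
        print(f"{detection:24} {src} -> {target}")
```

Each rule pairs a suspicious record with a benign twin so the allowlist and direction checks are exercised; in production the same logic would sit on top of mail-gateway, proxy and endpoint connection logs rather than a JSON-lines file, and the SMTP rule in particular benefits from correlating the sending process with the session.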


Author: Jérémy Beaume