Malware Analysis Part 3. Agent Tesla

Agent Tesla is a well-known, long-running information stealer that is sold on underground forums as Malware-as-a-Service.

The sample comes from MalwareBazaar.

SHA256:

ff487e2ea6195cc78c6c3f1d9d23aae0902eec37964143cf85cd425252a0072b

We can use CFF Explorer to view basic information about the binary we have to analyze, and to confirm that the file on disk has the SHA256 listed above before spending any time on it.


CFFExplorer

Now we know that the assembly is written in .NET, so we can use dnSpy to analyze it.

We see that this first-stage assembly uses a reflective PE loader to load a second assembly directly into memory. Rather than reconstructing that in-memory payload by hand, we can try to recover it with the excellent unpac.me service. On unpac.me we can see that the malware injects a second stage; we can download that second stage and analyze it.


Unpac.me

The site also tells us that the second stage is a .NET assembly, so we can open it in dnSpy as well.

At first glance we see that the malware is heavily obfuscated.


Obfuscated Malware

Now we can use de4dot (the maintained fork at https://github.com/ViRb3/de4dot-cex) to deobfuscate it; running `de4dot.exe <file>` writes a cleaned copy next to the input, which is what we load back into dnSpy.

Once deobfuscated, we can see that the malware has capabilities to steal credentials from the system, browsers, VPN software, Discord tokens and mail clients, and that it also has keylogger capabilities.


Chrome Browsers


Outlook


Discord


VPN's


If we look further we can see that the malware uses FTP to exfiltrate the collected data from the endpoint.


FTP's

Now we can try to find the malware configuration. Since we know that the malware uses FTP to exfiltrate data, we can search the deobfuscated assembly for FTP-related strings (the FTP URL, username and password have to be stored somewhere, and in .NET they end up as UTF-16LE user strings). After a while we find the malware configuration.


Malware Config

We can try to log in to this FTP server to see whether it is still alive and to find out which victims the malware has already compromised. Connecting to attacker infrastructure from your own network can tip off the operator and exposes your IP, so do this from an isolated, non-attributable analysis host.


FTP Server

We can see that the FTP server holds a number of .html files containing credentials stolen from victims. Fortunately there are only a few files, and some of them clearly belong to sandbox services that detonated the sample rather than to real victims.

Now we can write a YARA rule to statically detect samples like this. We can use strings from Sysinternals to find interesting strings to use in the rule (use the -u switch as well, since .NET user strings are UTF-16LE and do not show up in the default ASCII output). Keep in mind which stage the strings come from: strings taken from the unpacked second stage will only match memory dumps or unpacked files, not the packed first stage as it sits on disk, so a rule meant for on-disk detection has to be built from the first stage or applied to unpacked output.
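As an added example that is not part of the original article, the script below does in Python what the two previous steps do by hand: it checks the sample hash, pulls ASCII and UTF-16LE strings out of a binary, filters them for FTP indicators, and emits a YARA rule skeleton from the ones we pick. The sample bytes, the ftp.example.net host and the rule name are constructed for the demonstration and are not the values from the real configuration; the FtpWebRequest keyword is an assumption about which .NET API a stealer would use for FTP uploads.

```python
import hashlib
import re

MIN_LEN = 6
# Printable ASCII runs (what `strings` prints by default).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs: .NET stores user strings (the #US heap) as UTF-16LE, so each
# character is a printable byte followed by a NUL (what `strings -u` finds).
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
FTP_URL_RE = re.compile(r"ftp://\S+", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Confirm the file we are about to analyze is the sample we think it is."""
    return sha256_hex(data) == expected_hex.lower()


def extract_strings(data: bytes) -> list[str]:
    """Return ASCII and UTF-16LE strings in file order, without duplicates."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    seen, out = set(), []
    for _, s in found:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def find_ftp_indicators(strings: list[str]) -> list[str]:
    """Strings that point at FTP exfiltration: URLs plus the .NET FTP client type
    (assumed API name, not confirmed by the article)."""
    return [s for s in strings
            if FTP_URL_RE.search(s) or "ftpwebrequest" in s.lower()]


def build_yara_rule(name: str, strings: list[str], min_match: int = 2) -> str:
    """Turn hand-picked strings into YARA rule text. `ascii wide` makes each
    string match both its ASCII and its UTF-16LE encoding, and the uint16 check
    restricts the rule to PE files (the "MZ" header)."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {min_match} of ($s*)",
              "}"]
    return "\n".join(lines)


# Constructed stand-in for the unpacked second stage: an MZ header, some
# padding, a .NET type name in ASCII and two UTF-16LE user strings (a
# hypothetical FTP URL and a Chrome login-database path). Not real sample data.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"System.Net.FtpWebRequest\x00"
    + b"\x01\x02\x03"
    + "ftp://ftp.example.net/".encode("utf-16-le") + b"\x00\x00"
    + "Google\\Chrome\\User Data\\Default\\Login Data".encode("utf-16-le")
    + b"\x00\x00" + b"\x7f\x80\x81"
)

if __name__ == "__main__":
    # The real sample's hash from the article; the constructed blob will not match it.
    print("hash matches article:",
          verify_sha256(SAMPLE, "ff487e2ea6195cc78c6c3f1d9d23aae0902eec37964143cf85cd425252a0072b"))
    strs = extract_strings(SAMPLE)
    print("strings:", strs)
    ftp = find_ftp_indicators(strs)
    print("ftp indicators:", ftp)
    print(build_yara_rule("agent_tesla_ftp_demo", ftp))
```

For a real sample, replace SAMPLE with the bytes of the de4dot output, review the indicator list by hand, and only then generate the rule; an FTP URL or credential string is a good indicator for this one campaign, while generic API names such as FtpWebRequest appear in benign software too and should never carry the rule on their own.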


Yara Rule

We can check that the rule is triggered by running it against the sample.


Check Yara

We can see that our rule is working on this sample; before deploying it, run it against a clean-software corpus as well to make sure it does not fire on benign .NET binaries.


Happy Analysis!