AgentTesla Report

AgentTesla is a .Net-based Remote Access Trojan (RAT) and data stealer used for gaining initial access, often as Malware-As-A-Service (MaaS). It records keyboard input, takes screenshots, collects system information, and executes remote commands, while disguising itself as a PDF file. The report includes technical analysis through static and dynamic methods, revealing its capabilities in spying and information gathering, including keylogging and credential theft.

1. INTRODUCTION
What is Agent Tesla?

Agent Tesla is a .NET-based Remote Access Trojan (RAT) and data stealer used for
gaining initial access; it is often sold as Malware-as-a-Service (MaaS).
Main functions: recording keyboard input, taking screenshots, collecting system
information, and executing remote commands.

2. TECHNICAL ANALYSIS
Analyzed sample: MalwareBazaar | AgentTesla. File name: DHL008976.exe
SHA256: e17062f3e40417b32b67892e68cd134a6b5ea179e75182749ced9249fe049fa4

2.1 Static Analysis

File Properties
The malware disguises itself as a PDF file by using a PDF icon. Its original
name is "flexuosely.exe", which is documented as an AgentTesla sample
name on UnpacMe.

Unpacking
Checking this file with Detect It Easy, we can see the exe is packed with
UPX.

Unpacking with the "upx -d" command:

Before unpacking
After unpacking
Checking it again with Detect It Easy, it is now identified as an AutoIt-compiled
executable.
To see what this AutoIt script does, we use the tool AutoIt Extractor.
We get 4 files after extraction:

- AUTOIT NO CMDEXECUTE (EmptyFile)
- AUTOIT SCRIPT
- ageless
- brawlys
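Detect It Easy reports the packer as a single verdict; the two signals such a verdict usually rests on are the packer's characteristic section names (UPX0/UPX1) and the high entropy of the compressed section. The following script, added here as an example and not a tool the report used, parses the PE section table with a minimal hand-written parser and combines both signals. The two PE images it runs on are constructed in memory for the demonstration and are not the DHL008976.exe sample.

```python
"""Packer triage for a PE file from section names and section entropy.

Added example for this report, not a tool the report used. Both PE images
built below are constructed for the demonstration and are not the analyzed
sample.
"""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header of a PE image.

    Minimal parser: DOS header -> e_lfanew -> PE signature -> COFF header ->
    optional header (skipped by its declared size) -> 40-byte section headers.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    first_hdr = coff + 20 + opt_size
    for i in range(n_sections):
        off = first_hdr + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packer_verdict(image: bytes, entropy_threshold: float = 7.0):
    """Return a string of packer indicators, or None when nothing stands out."""
    findings = []
    for name, data in pe_sections(image):
        if name.upper().startswith("UPX"):
            findings.append(f"section {name!r} uses UPX naming")
        ent = shannon_entropy(data)
        if data and ent >= entropy_threshold:
            findings.append(f"section {name!r} entropy {ent:.2f} (compressed or encrypted)")
    return "; ".join(findings) or None


def build_pe(sections) -> bytes:
    """Build a minimal PE image from [(name, data)] for the demo (valid headers, not runnable code)."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF          # first section on a 512-byte boundary
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    image += b"\0" * opt_size                            # optional header contents are irrelevant here
    body = bytearray()
    for name, data in sections:
        image += name.encode("ascii").ljust(8, b"\0")
        image += struct.pack("<IIII", len(data), 0x1000, len(data), raw_base + len(body))
        image += b"\0" * 16                              # relocs, line numbers, characteristics
        body += data
    image += b"\0" * (raw_base - len(image))
    return bytes(image + body)


# Constructed samples: a UPX-style layout with a high-entropy UPX1 section, and a
# plain layout with repetitive code and zeroed data.
_rng = random.Random(1)
PACKED_SAMPLE = build_pe([
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"\0" * 256),
])
CLEAN_SAMPLE = build_pe([
    (".text", b"\x55\x8b\xec\xc3" * 512),
    (".data", b"\0" * 1024),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{label}: {packer_verdict(img)}")
```

Section names are the cheap signal and are trivially renamed by a custom packer, which is why the entropy check is kept alongside: a section of executable code that scores close to 8 bits per byte is compressed or encrypted whatever it is called. After "upx -d" the same script would report no UPX sections and a normal-entropy .text, matching the "After unpacking" view above.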

2.2 Dynamic Analysis


Process Monitor
After running, AgentTesla performs about 1247 operations, and there is
evidence of VNC spying and information gathering.
RegShot
To keep the analysis simple, we can use RegShot to look for
any changes in the Registry.
Dumping the payload from memory and decompiling
To get the payload of this malware, the easiest way is to dump
its process straight from memory. This malware can
recognize that it is running on a virtual machine and kills its own process,
but there is still a short delay, so we can either run it on a disposable
physical machine or run it on a virtual machine and dump it from
memory quickly, before it stops.

To dump the payload from memory, we can use pe-sieve:

After dumping, we can check it with Detect It Easy again:

Since it is .NET, we use dnSpy to decompile it. After opening
the dumped exe file in dnSpy, we can examine the payload of this
malware:

At first glance, the malware collects system information:

We can also see the VM detection, anti-debugging and antivirus
detection code:
Note: these DLLs belong to antivirus or sandboxing
software.

We can see the malware's settings and the Telegram API it uses
to send the stolen information:
There is evidence of screen logging, keylogging and
more:
This malware also gathers usernames and passwords from
websites and browsers, reads emails and application data
files:
Some of the apps this malware specifically targets:
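Because the sample delivers the collected data through the Telegram Bot API, the exfiltration channel is visible in web-proxy or DNS logs: the Bot API is served from api.telegram.org and the bot token is part of the request path (/bot&lt;id&gt;:&lt;secret&gt;/&lt;method&gt;). The following detection logic is an added example, not part of the report; the log format and every log line in it are constructed for the demonstration, and the token in them is not a real token.

```python
"""Flag Telegram Bot API exfiltration in proxy logs.

Added example, not from the report. The log format below is constructed:
  <timestamp> <client_ip> <process> <http_method> <url> <status>
"""
import re
from dataclasses import dataclass

# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Methods a stealer needs in order to push files or text into a chat; polling
# methods such as getUpdates are left out so a legitimate bot does not alert.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


@dataclass
class Alert:
    client: str
    process: str
    bot_id: str
    method: str
    token_fingerprint: str   # never store the full token; a fingerprint is enough to correlate


def _fingerprint(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:]


def scan_proxy_log(lines):
    """Return one Alert per line that calls a Telegram bot upload method."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue                      # malformed line; skip rather than crash the scan
        _ts, client, process, _http_method, url, _status = parts[:6]
        m = TELEGRAM_RE.search(url)
        if not m or m["method"] not in EXFIL_METHODS:
            continue
        alerts.append(Alert(client, process, m["bot_id"], m["method"], _fingerprint(m["secret"])))
    return alerts


# Constructed log lines: one stealer-style upload, one browser visit, one
# Telegram desktop client, one bot that only polls for updates.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 chrome.exe GET https://www.example.com/ 200",
    "2024-01-01T10:00:02Z 10.0.0.5 DHL008976.exe POST https://api.telegram.org/bot1234567890:AAEXAMPLEtoken_not_real/sendDocument 200",
    "2024-01-01T10:00:03Z 10.0.0.7 Telegram.exe GET https://web.telegram.org/ 200",
    "2024-01-01T10:00:04Z 10.0.0.9 python.exe GET https://api.telegram.org/bot111:abc/getUpdates 200",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(a)
```

The bot id and fingerprint are what an analyst needs to tie several infected hosts to the same operator; the secret itself is deliberately not written to the alert, because the alert store is usually readable by more people than the proxy log is.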

3. REFERENCES
RAT (Remote Access Trojan)
Remote access trojans (RATs) are malware designed to allow
an attacker to remotely control an infected computer. Once the
RAT is running on a compromised system, the attacker can
send commands to it and receive data back in response.

Malware-as-a-Service (MaaS)
Malware-as-a-Service (MaaS) is a business model under which
cybercriminals provide access to malicious software and related
infrastructure for a fee. In other words, this is malware for rent.

AutoIt

AutoIt is a free scripting language for Microsoft Windows. This
language was primarily intended for creating automation scripts
(sometimes called macros) for Microsoft Windows programs.
It can simulate keystrokes, mouse movement and
window/control manipulation in order to automate tasks.

AUTOIT SCRIPT file

#NoTrayIcon
#AutoIt3Wrapper_Run_Au3Stripper=y
#AutoIt3Wrapper_Au3Stripper_Parameters=/mo
$d30xb5bdb3l = 0xaf
$v31n4pwat9 = 0x141
$d323rzl4u = 0x343
$x33tao = 0x3e0
$y34donk = 0x42
$e35rye5 = 0x64
$o36xf = 0x12f
$d37iwqejmuk = 0x2d5
$d38dc7uakk = 0x116
$b39havi = 0x215
$w3130bnpq = 0x224
$v31n4pwat9 = 0x13dc6
$v31n4pwat9 = 0xec03
$d323rzl4u = $o36xf
Func U30BS2()
TrayItemSetOnEvent(0xcf, "GKHHqcyjl")
StringInStr("lGXJkfMh", $d30xb5bdb3l, 0x3b0, 0x198, 0x2f1)
WinGetTitle("sRRzL", "wCl9B")
IniReadSectionNames($w3130bnpq)
MouseGetPos()
For $y3137nmmvebr = 0x3a To 0x8
For $y3137nmmvebr = 0x0 To 0x13
If $v31n4pwat9 <> $v31n4pwat9 Then
$d38dc7uakk = 0x9019
GUICtrlDelete(0xea)
Else
$d38dc7uakk = 0x6236
GUICtrlSetDefColor(0x237)
EndIf
InetGetSize("hFhS")
If $e35rye5 = $o36xf Then
$d323rzl4u = $w3130bnpq
MouseMove(0x159, 0x15d, 0xa6)
ElseIf Sin(0x263) > 0x4b Then
Sleep(0x26)
RegEnumKey("HiBdK7", 0x16)
WinGetText("TjVPXZVb", $x33tao)
AdlibUnRegister($o36xf)
Else
TrayCreateItem("V39vZLTyHq")
EndIf
For $y3137nmmvebr = 0x5c To 0x10
Next
$d323rzl4u = $x33tao

ageless file (hex dump):

18 6E C7 42 55 36 52 42 5C 4C 59 32
B5 A9 44 34 F6 35 30 59 4F 55 34 57
02 56 36 52 42 58 4C 59 32 4A 56 44
34 4E 35 30 59 4F 55 34 57 42 56 36
52 42 58 4C 59 32 4A 56 44 34 4E 35
20 58 4F 55 3A 48 F8 58 36 E6 4B 95
6D E1 33 06 9B 65 60 26 5C 43 79 3F
27 5B 30 30 37 5B 72 21 39 22 37 5D
3E 76 26 51 6E 47 45 37 6F 3C 5A 77
06 19 65 72 2F 37 28 3C 1C 47 5B 4E
10 4E 35 30 59 4F 55 34 A9 55 86 EE
E8 34 E6 C7 E3 44 F4 DD FE 42 F0 BE
C1 57 F2 DF 84 21 FC DD C7 5C F9 D2
78 2F 8C C1 A7 4A 8E C4 9B 46 E7 C4
FA 3D ED C8 FD 40 EC C9 F7 45 E4 B8
E4 20 FA BF E1 3C 8B D3 DF 23 8A DC
E6 72 1B D9 FA 2E F2 D2 C3 44 E9 CE
87 38 8B BB E3 39 EA BF 84 34 E8 BD
D0 B4 EF C6 E2 44 F4 DD C6 C2 0F BE
8B 2F F1 DE B6 A1 FE DC 8D 24 FC D3
1E 30 51 22 EC 32 8A C5 35 30 59 4F
55 34 57 42 56 36 52 42 58 4C 59 32
4A 56 44 34 4E 35 30 59 1F 10 34 57
0E 57 33 52 67 BF 9E 3C 32 4A 56 44
34 4E 35 30 B9 4F 57 35 5C 43 58 13
52 84 58 4C 59 72 4E 56 44 34 4E 35
A6 41 4F 55 34 47 42 56 36 B2 42 58
4C 59 72 4A 56 54 34 4E 35 32 59 4F
53 34 57 42 56 36 52 42 5E 4C 59 32
4A 56 44 34 4E 65 35 59 4F 51 34 57
42 56 36 52 40 58 0C D9 32 4A 46 44
34 5E 35 30 59 4F 45 34 57 52 56 36
52 42 58 4C 49 32 4A 56 44 34 4E 35
30 59 4F 55 80 6E 43 56 4E 52 42 58
4C 29 33 4A 0E 86 37 4E 35 30 59 4F
55 34 57 42 56 36 52 42 58 4C 59 32
brawlys file:

53*125*58*58*61*103*106*104*61*54*106*104*104*104*53*55
*53*53*53*53*58*59*58*60*103*61*59*103*53*53*53*53*53*53
*59*59*61*62*57*58*61*57*103*62*59*58*53*53*53*53*53*53*
59*59*61*62*57*105*61*59*103*102*60*55*53*53*53*53*53*53
*59*59*61*62*58*58*61*61*103*61*59*106*53*53*53*53*53*53
*59*59*61*62*57*58*61*102*103*62*59*58*53*53*53*53*53*53
*59*59*61*62*57*105*61*104*103*102*59*104*53*53*53*53*53
*53*59*59*61*62*58*58*61*106*103*61*56*56*53*53*53*53*53
*53*59*59*61*62*57*58*62*53*103*62*56*55*53*53*53*53*53*
53*59*59*61*62*57*105*62*55*103*102*55*106
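The report prints brawlys as a "*"-separated list of decimal values but does not say how the file is encoded. Every value falls into two narrow bands, which is the shape a single additive offset over a small alphabet leaves behind, so the script below, added here as an example and not part of the report, brute-forces that offset: the right one turns the list into a "0x"-prefixed hex string (the form AutoIt uses for Binary data), which then decodes to raw bytes that can be hashed and handed to a sandbox or disassembler. The reading of brawlys as such a string is our inference, not the report's; the script verifies it rather than assuming it. The values embedded below are the ones printed above.

```python
"""Recover the encoding of the 'brawlys' blob and decode it.

Added example, not from the report. The assumption that brawlys is an
offset-encoded hex string is checked by find_offset(), which returns None
when no offset produces one.
"""
import hashlib
import re
import string

# The blob exactly as printed in the report (lines joined; the regex below
# tolerates the leading/trailing '*' left by the line wrapping).
BRAWLYS_TEXT = (
    "53*125*58*58*61*103*106*104*61*54*106*104*104*104*53*55"
    "*53*53*53*53*58*59*58*60*103*61*59*103*53*53*53*53*53*53"
    "*59*59*61*62*57*58*61*57*103*62*59*58*53*53*53*53*53*53*"
    "59*59*61*62*57*105*61*59*103*102*60*55*53*53*53*53*53*53"
    "*59*59*61*62*58*58*61*61*103*61*59*106*53*53*53*53*53*53"
    "*59*59*61*62*57*58*61*102*103*62*59*58*53*53*53*53*53*53"
    "*59*59*61*62*57*105*61*104*103*102*59*104*53*53*53*53*53"
    "*53*59*59*61*62*58*58*61*106*103*61*56*56*53*53*53*53*53"
    "*53*59*59*61*62*57*58*62*53*103*62*56*55*53*53*53*53*53*"
    "53*59*59*61*62*57*105*62*55*103*102*55*106"
)

HEX_ALPHABET = set(string.hexdigits)


def parse_blob(text: str) -> list:
    """Split the '*'-separated list into integers, ignoring line-wrap artifacts."""
    return [int(tok) for tok in re.split(r"\*+", text.strip("*")) if tok]


def find_offset(values, max_offset: int = 64):
    """Return the additive offset k such that chr(v - k) yields a '0x' hex string, or None."""
    for k in range(-max_offset, max_offset + 1):
        chars = [v - k for v in values]
        if not all(0 <= c < 128 for c in chars):
            continue
        s = "".join(map(chr, chars))
        if s.startswith("0x") and len(s) % 2 == 0 and all(c in HEX_ALPHABET for c in s[2:]):
            return k
    return None


def decode_blob(text: str):
    """Decode the blob; returns (offset, raw_bytes, sha256_hex)."""
    values = parse_blob(text)
    k = find_offset(values)
    if k is None:
        raise ValueError("no additive offset yields a hex string; the encoding is something else")
    hexstr = "".join(chr(v - k) for v in values)[2:]
    raw = bytes.fromhex(hexstr)
    return k, raw, hashlib.sha256(raw).hexdigest()


def classify(raw: bytes) -> str:
    """Cheap first look at the decoded bytes before handing them to a disassembler or sandbox."""
    if raw[:2] == b"MZ":
        return "PE image"
    if raw[:3] == b"\x55\x8b\xec":
        return "raw x86 code (starts with a push ebp / mov ebp,esp prologue)"
    return "unknown raw data"


if __name__ == "__main__":
    offset, data, digest = decode_blob(BRAWLYS_TEXT)
    print(f"offset={offset} length={len(data)} sha256={digest}")
    print(classify(data))
```

The recovered offset is 5 and the decoded blob is 85 bytes whose first bytes are 55 8B EC, a common x86 function prologue, so the file is most likely a raw code stage rather than another PE. The SHA256 of the decoded bytes is worth recording next to the sample's own hash, since it survives the per-sample re-encoding that the outer AutoIt layer can apply.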
