[Mal Series #9] C# AgentTesla Infostealer

Infostealer with three layers of obfuscation and a few anti-analysis techniques, capable of stealing a wide range of information from the victim and sending all collected data out via SMTP.

Names of the stagers:
1. lbIDo (contains the encrypted stagers for payloads 2 and 3)
2. AndroidStudio (decrypts payload 3)
3. Lazarus (contains a few anti-analysis techniques before dropping the final payload)
4. NRMOeaUVVkwIAtJShsOH (final AgentTesla payload)

All the stagers/payloads found in AgentTesla

In order to debug into Stage 2, pause execution, place a breakpoint at the end of the Thread.Sleep call, then keep stepping over it.


A few anti-analysis techniques can be found here.

It spawns itself and uses the Process Hollowing technique to inject the final payload.

Use de4dot to decrypt all the strings in the final payload by calling the specific decryption function. Explanation here :)

de4dot <file> --strtyp emulate --strtok 6000002

6000002 (in hex) is the metadata token of the string decryption function.

String decrypted sample can be found in the last section of the report.

Agent Tesla the InfoStealer

Time, User, CPU, RAM, Computer Name, OSFullName

Snippet of the stealer code

Steals credentials from these applications:

Opera, Comodo, Google Chrome, CocCoc, Chedot, Elements Browser, Liebao, QIP Surf, Orbitum, Sputnik, CentBrowser, Amigo, SRWare Iron, Torch, Brave, Iridium, CoolNovo, 7Star, Epic Privacy Browser, 360 Chrome, Yandex, QQBrowser, UCBrowser, Kometa, Sleipnir 6, Citrio, Coowon, uCozMedia, Vivaldi, CyberFox, IceCat, PaleMoon, Falkon Browser, Flock Browser, WaterFox, BlackHawk

CoreFTP, SmartFTP, WS_FTP, FileZilla, cftp, FTPCommander, FTPGetter, WinScp 2, FlashFXP, FTP Navigator

IncrediMail, Eudora, Postbox, ClawsMail, ThunderBird, TheBat, Outlook, OperaMail, Pocomail, Foxmail, Psi+

Paltalk, Pidgin, Trillian

DynDNS, Vitalwerks, OpenVPN-GUI, OpenVPN



The malware is using SMTP/FTP/WebPanel to exfiltrate the stolen data.

Snippet of the exfiltration code
Suspicious URI, hmmm…
Seems like it is an unused feature.

Other capabilities

Possible Windows API calls used to capture screenshots

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec