[Mal Series #9] C# AgentTesla Infostealer

Infostealer with 3 layers of obfuscation and few anti-analysis techniques implemented which is capable to steal various information from the victim by sending all the collected information via SMTP.

Name of the stagers:
1. lbIDo (Contains encrypted stager for payload 2 & 3)
2. AndroidStudio (Decrypt the payload 3)
3. Lazarus (Contain few anti-analysis techniques before dropping the final payload)
4. NRMOeaUVVkwIAtJShsOH (Final AgentTesla payload)

All the stagers/payload found in agent tesla

Stage 1 Decryption Routine

In order to debug into Stage 2, need to pause and place breakpoint at end of Thread Sleep function then keep Step Over it.


Stage 2 Decryption Routine

Stage 3

Few Anti-Analysis techniques can be found here.

Spawn itself and use Process Hollowing techinque to inject the final payload.

Use de4dot to decrypt all the strings in the final payload by calling the specific decryption function. Explaination Here :)

de4dot <file> --strtyp emulate --strtok 6000002

6000002 (in hex) is the string decryption function

String decrypted sample can be found in the last section of the report.

Agent Tesla the InfoStealer

Collect user system data

Time, User, CPU, RAM, Computer Name, OSFullName

Snippet of the stealer code

Steal Credentials from these application

Browsers (User Data / Cookies)

Opera, Comodo, Google Chrome, CocCoc, Chedot, Elements Browser, Liebao, QIP Surf, Orbitum, Sputnik, CentBrowser, Amigo, SRWare Iron, Torch, Brave, Iridium, CoolNovo, 7Star, Epic Privacy Browser, 360 Chrome, Yandex, QQBrowser, UCBrowser, Kometa, Sleipnir 6, Citrio, Coowon, uCozMedia, Vivaldi, CyberFox, IceCat, PaleMoon, Falkon Browser, Flock Browser, WaterFox, BlackHawk


CoreFTP, SmartFTP, WS_FTP, FileZilla, cftp, FTPCommander, FTPGetter, WinScp 2, FlashFXP, FTP Navigator


IncrediMail, Eudora, Postbox, ClawsMail, ThunderBird, TheBat, Outlook, OperaMail, Pocomail, Foxmail, Psi+

Chatting & Messenging Apps

Paltalk Pidgin, Trillian

DNS & VPN services

DynDNS,Vitalwerks, OpenVPN-GUI, OpenVPN




The malware is using SMTP/FTP/WebPanel to exfiltrate the stolen data.

Attacker SMTP credentials

Snippet of the exfiltration code

Suspicious webpanel

Suspicious URI hmmm…

Suspicious FTP connection

Seems like it is a unused feature

Other capabilities

Capture screenshot & keylogging

Possible Windows API to capture screenshot






Initial untouched sample


Decrypted string stager 3


Decrypted final payload


Similar sample analysis report




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store