[Mal Series #9] C# AgentTesla Infostealer

An infostealer wrapped in three layers of obfuscation, with a few anti-analysis techniques. It is capable of stealing a wide range of information from the victim and sends everything it collects back over SMTP.

Names of the stagers:
1. lbIDo (contains the encrypted stagers for payloads 2 and 3)
2. AndroidStudio (decrypts payload 3)
3. Lazarus (contains a few anti-analysis techniques before dropping the final payload)
4. NRMOeaUVVkwIAtJShsOH (final AgentTesla payload)

All the stagers/payloads found in Agent Tesla

In order to debug into Stage 2, you need to pause and place a breakpoint at the end of the Thread.Sleep function, then keep stepping over it.

Zzz

A few anti-analysis techniques can be found here.

It spawns itself and uses the Process Hollowing technique to inject the final payload.

Use de4dot to decrypt all the strings in the final payload by calling the specific decryption function. Explanation here :)

de4dot <file> --strtyp emulate --strtok 6000002

6000002 (in hex) is the metadata token of the string decryption function

String decrypted sample can be found in the last section of the report.

Agent Tesla the InfoStealer

Time, User, CPU, RAM, Computer Name, OSFullName

Snippet of the stealer code

Steals credentials from these applications

Opera, Comodo, Google Chrome, CocCoc, Chedot, Elements Browser, Liebao, QIP Surf, Orbitum, Sputnik, CentBrowser, Amigo, SRWare Iron, Torch, Brave, Iridium, CoolNovo, 7Star, Epic Privacy Browser, 360 Chrome, Yandex, QQBrowser, UCBrowser, Kometa, Sleipnir 6, Citrio, Coowon, uCozMedia, Vivaldi, CyberFox, IceCat, PaleMoon, Falkon Browser, Flock Browser, WaterFox, BlackHawk

CoreFTP, SmartFTP, WS_FTP, FileZilla, cftp, FTPCommander, FTPGetter, WinScp 2, FlashFXP, FTP Navigator

IncrediMail, Eudora, Postbox, ClawsMail, ThunderBird, TheBat, Outlook, OperaMail, Pocomail, Foxmail, Psi+

Paltalk Pidgin, Trillian

DynDNS, Vitalwerks, OpenVPN-GUI, OpenVPN

JDownloader

Exfiltration

The malware uses SMTP/FTP/WebPanel to exfiltrate the stolen data.

Snippet of the exfiltration code
Suspicious URI hmmm…
Seems like it is an unused feature

Other capabilities

Possibly the Windows API used to capture screenshots

Persistence

Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WNRUXJ

Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\WNRUXJ

%TEMP%\\tmpG[0-9]{3}
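As an added example (not part of the original report), the following Python checks constructed Sysmon Event ID 13 (registry value set) records for the two Run-key writes and the %TEMP%\tmpG### drop location listed above. The value name WNRUXJ is treated as a hint only, since it is assumed to differ between builds; the records and field names are made up for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Registry locations from the report: ...\CurrentVersion\Run and
# ...\CurrentVersion\Explorer\StartupApproved\Run, with the value name captured.
RUN_KEY_RE = re.compile(
    r"Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|Explorer\\StartupApproved\\Run)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Dropped copy in %TEMP% named tmpG followed by three digits (from the report).
TEMP_DROP_RE = re.compile(r"\\Temp\\tmpG\d{3}(\.exe)?$", re.IGNORECASE)
KNOWN_VALUE_NAME = "WNRUXJ"  # sample-specific; assumed to vary per build


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an Event ID 13 record resembles this persistence."""
    reasons: List[str] = []
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return reasons  # not a Run-key write at all
    reasons.append("run-key write")
    if m.group("value").upper() == KNOWN_VALUE_NAME:
        reasons.append("known value name")
    if TEMP_DROP_RE.search(event.get("Details", "")):
        reasons.append("value points into %TEMP%\\tmpG###")
    if TEMP_DROP_RE.search(event.get("Image", "")):
        reasons.append("writer runs from %TEMP%\\tmpG###")
    return reasons


def find_suspicious(events: List[Dict[str, str]], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Keep only records with at least min_reasons indicators (a lone Run-key write is normal)."""
    hits = []
    for e in events:
        reasons = score_event(e)
        if len(reasons) >= min_reasons:
            hits.append((e["TargetObject"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Image": r"C:\Users\v\AppData\Local\Temp\tmpG123.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WNRUXJ",
     "Details": r"C:\Users\v\AppData\Local\Temp\tmpG123.exe"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"Image": r"C:\Users\v\AppData\Local\Temp\tmpG777.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\WNRUXJ",
     "Details": "Binary Data"},
]
```

Running find_suspicious(SAMPLE_EVENTS) flags the two WNRUXJ writes and leaves the ordinary vendor updater entry alone.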

Samples

bec429a1f10445fa8aba7dc9a4103bbae69d5470c514221a0a87e6b9262ccc6a

92706098e99425954f93c869d7e9856f294ee02d0a041814af4a072501826c85

a80621415e57889f49c7541e7361e6f4c0dd1b6a9df969d08ba4741a0de241e4

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec