[Mal Series #9] C# AgentTesla Infostealer

Infostealer with 3 layers of obfuscation and few anti-analysis techniques implemented which is capable to steal various information from the victim by sending all the collected information via SMTP.

Name of the stagers:
1. lbIDo (Contains encrypted stager for payload 2 & 3)
2. AndroidStudio (Decrypt the payload 3)
3. Lazarus (Contain few anti-analysis techniques before dropping the final payload)
4. NRMOeaUVVkwIAtJShsOH (Final AgentTesla payload)

All the stagers/payload found in agent tesla

Stage 1 Decryption Routine

In order to debug into Stage 2, need to pause and place breakpoint at end of Thread Sleep function then keep Step Over it.

Zzz

Stage 2 Decryption Routine

Stage 3

Few Anti-Analysis techniques can be found here.

Spawn itself and use Process Hollowing techinque to inject the final payload.

Use de4dot to decrypt all the strings in the final payload by calling the specific decryption function. Explaination Here :)

de4dot <file> --strtyp emulate --strtok 6000002

6000002 (in hex) is the string decryption function

String decrypted sample can be found in the last section of the report.

Agent Tesla the InfoStealer

Collect user system data

Time, User, CPU, RAM, Computer Name, OSFullName

Snippet of the stealer code

Steal Credentials from these application

Browsers (User Data / Cookies)

Opera, Comodo, Google Chrome, CocCoc, Chedot, Elements Browser, Liebao, QIP Surf, Orbitum, Sputnik, CentBrowser, Amigo, SRWare Iron, Torch, Brave, Iridium, CoolNovo, 7Star, Epic Privacy Browser, 360 Chrome, Yandex, QQBrowser, UCBrowser, Kometa, Sleipnir 6, Citrio, Coowon, uCozMedia, Vivaldi, CyberFox, IceCat, PaleMoon, Falkon Browser, Flock Browser, WaterFox, BlackHawk

FTP

CoreFTP, SmartFTP, WS_FTP, FileZilla, cftp, FTPCommander, FTPGetter, WinScp 2, FlashFXP, FTP Navigator

Email

IncrediMail, Eudora, Postbox, ClawsMail, ThunderBird, TheBat, Outlook, OperaMail, Pocomail, Foxmail, Psi+

Chatting & Messenging Apps

Paltalk Pidgin, Trillian

DNS & VPN services

DynDNS,Vitalwerks, OpenVPN-GUI, OpenVPN

Other

JDownloader

Exfiltration

The malware is using SMTP/FTP/WebPanel to exfiltrate the stolen data.

Attacker SMTP credentials

Snippet of the exfiltration code

Suspicious webpanel

Suspicious URI hmmm…

Suspicious FTP connection

Seems like it is a unused feature

Other capabilities

Capture screenshot & keylogging

Possible Windows API to capture screenshot

Persistance

Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WNRUXJ

Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\WNRUXJ

%TEMP%\\tmpG[0–9]{3}

Samples

Initial untouched sample

bec429a1f10445fa8aba7dc9a4103bbae69d5470c514221a0a87e6b9262ccc6a

Decrypted string stager 3

92706098e99425954f93c869d7e9856f294ee02d0a041814af4a072501826c85

Decrypted final payload

a80621415e57889f49c7541e7361e6f4c0dd1b6a9df969d08ba4741a0de241e4

Similar sample analysis report

References

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Big Bear: Salmon Hunter Hack Free Resources Generator

Anonymous Turns to CultDAO for Support Against Unjust Government Actions

How to Use CoinsLoot Platform?

{UPDATE} Heart Box - physics puzzles Hack Free Resources Generator

Introducing Chorus One’s Delegator Protection Pool

Smart Home Security using IOT

Roadmap update : Future Features

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

Hacking With PowerShell: Red Team

The shades of tunneling

Reverse Shell vs Bind Shell

Reverse Engineering with GHIDRA.