Dissecting Agent Tesla: Unveiling Threat Vectors and Defense Mechanisms
Executive Summary
Agent Tesla is a Remote Access Trojan (RAT) malware written in .NET. Threat actors and APT groups use this kind of malware because of its wide stealing and evasion operations. The first Agent Tesla emerged in 2014 and got the right attention because of its ability to steal sensitive information from the victims’ endpoints, browsers data, DB data, FTP data, VPN data, capture screenshots, etc. This kind of malware spreads through email attachments. These days, in 2024, there is an increase in the use of the Agent Tesla malware by threat actors. This reason is Agent Tesla is being offered as Malware as a Service (MaaS) on the Dark Net.
This malware analysis report on the AgentTesla malware will reveal its insights, characteristics, and operations. The malware was delivered to a client via an email attachment named “Purchase Inquiry.gz”. The analysis involves a comprehensive examination of the malware’s multi-stage execution process, payloads, and specific types of targeted data.
Technical Details
File Name: Purchase Inquiry.bat
File Type: Batch
Size: 4KB
MD5: 380c9e85f6960add801843076c33ec3b
SHA256: d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277
AgentTesla Execution Diagram
First Stage Analysis
The first stage of the Agent Tesla is a Batch file, which contains two parts. In the first part, the file runs a WSF script that is attached to the batch file. Once the WSF script is executed, the Batch file deletes itself.
The WSF script is written in JavaScript and embedded within the batch file. It is executed by the cscript command. The script is obfuscated, making it difficult to read and understand the first stage’s code. This is a common technique used by malware authors to evade detection and analysis. After the de-obfuscation process, the script executes a PowerShell payload, which is also obfuscated.
After running the script, two processes were launched: the cscript process, which executes the WSF script, and the PowerShell process, which runs the payload.
The PowerShell payload sets the system’s security protocol to TLS 1.2 and loads the Microsoft.VisualBasic assembly. The script then repeatedly pings Google until an internet connection is detected. Upon connection, it creates a new WebClient object to download and execute a script from https://didaktik-labor.de/mx1.jpg.
Second Stage Analysis
The second stage of AgentTesla consists of another PowerShell script with three different obfuscated payloads.
The first payload, stored in the u8yee variable, contains an obfuscated payload where the script substitutes the ‘A’ character with ‘00’.
After replacing the ‘A’ character with ‘00’ in the payload, we can understand that the first payload is coded in binary.
It is a PowerShell function that is responsible for decompressing the other two payloads that exist in the second stage using Gzip.
The first payload decompresses the second and third payloads using Gzip. The second payload is stored in the variable y74gh00rffd and contains an obfuscated payload in which the script replaces the ‘EV’ characters with ‘0x’. This suggests that the second payload is in hexadecimal format.
After decompressing the second payload, the script produces a DLL file.
The eSQy variable contains an obfuscated payload, in which the script replaces the ‘EV’ characters with ‘0x’. This suggests that the third payload is in hexadecimal format, also.
After decompressing the third payload, the script produces an EXE file. The file is written in .NET and runs on a 32-bit architecture.
After decompressing the script and dropping the DLL and EXE files, it extracts the Black function from the toooyou module in the DLL file and then uses the InstallUtil tool to execute the EXE file.
The Black function executes code using the calli instruction, repeatedly calling a method until a certain condition is met. This is part of a larger obfuscated malware process that decompresses, drops, and executes malicious payloads (EXE and DLL files) on the target system. In conjunction with the rest of the script, this function’s purpose is to evade detection and execute malicious binaries and operations. Furthermore, the Black function gets two variables as values; the first value that the function gets is the InstallUtil.exe, and the second value is the eSQy variable, which executes the EXE file.
Dissecting the Agent Tesla
After the first and second stages are successfully executed, the second stage drops two files: a DLL file and an EXE file. The EXE file is the Agent Tesla malware.
At the beginning of the malware debugging, the malware configures the ServicePointManager to allow HTTPS connections using SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 protocols.
After the malware sets up the HTTPS connections, it prepares the execution process by ensuring that only one copy of the current process is running and terminating any other copies of the same process. It does this by comparing the process IDs of all running copies of the process and terminating those with different IDs from the current process.
The malware checks for the %appdata%\Roaming path in the endpoint in the StartupDirectoryPath variable for dropping the gnxLZ.exe file.
Then, the malware enumerates the username and the hostname of the current endpoint.
Browsers
The malware targets specific browsers and steals data from them. The browsers’ paths are locations where these browsers typically store user data, such as cookies, browsing history, saved passwords, and other sensitive information. The malware steals data from the following browsers: SeaMonkey, K-Meleon, CyberFox, Thunderbird, PaleMoon, WaterFox, IceCat, IceDragon, BlackHawk, Postbox, Firefox, Flock, Comodo Dragon, Sputnik, Amigo, Opera, Yandex, Elements, Orbitum, CoolNovo, Coowon, 360 Browser, Chrome, Torch, QIP Surf, Coccoc, Chedot, Brave, CentBrowser, Edge, Vivaldi, Citrio, Iridium, 7Star, Epic, Kometa, Chromium, Liebao, Uran, UC Browser, Safari for Windows, QQBrowser, Falkon Browser, and Flock Browser.
Email Software
In addition, the malware is designed to target specific email software and extract sensitive data from them. The email software that the malware targets: Outlook, WindowsMail App, The Bat, Becky, IncrediMail, Eudora, ClawsMail, FoxMail, Opera Mail, PocoMail, eM Client, and Mailbird.
FTP Management Software
Additionally, the malware targets specific FTP management software and steals sensitive data from them. The malware steals data from the following FTP management software: FileZilla, WinSCP, CoreFTP, Flash FXP, FTP Navigator, SmartFTP, WS_FTP, FtpCommander, and FTPGetter.
VPN Software
Additionally, the malware targets specific VPN software and steals sensitive data from them. The malware steals data from the following VPN software: OpenVPN, NordVPN, and PrivateInternet Access.
Message Software
In addition, the malware targets specific Message software and steals sensitive data from them. The malware steals data from the following Message software: Discord, Trillian, and Psi/Psi+.
The malware gathers detailed system information, including the current time, computer name, operating system, username, RAM, CPU, and external IP address. Threat actors can utilize this information to profile victims, plan further attacks, or sell on dark net forums.
After stealing all the intended information, the malware organizes the data from the victim’s computer and then sends it to the attacker’s C2 server.
Then, the malware configures and opens an SMTP connection with the attacker’s SMTP mail server.
The attacker’s SMTP server information:
The malware connects to the SMTP server using port 587 to 94.237.43.240.
The SMTP connection packets in Wireshark:
The SMTP server’s IP address is 94.237.43.240. The first packet sent from the SMTP server indicates that it is hosted on the stablehost.com website.
The malware exfiltrates the data to the SMTP server over TLSv1.2 (HTTPS).
Conclusion
Agent Tesla is malware known for stealing sensitive and valuable data from various browsers, FTP management software, SQL management software, VPN software, and email applications. This kind of malware poses significant risks to individuals and organizations world-wide. The multi-stage obfuscation and evasion techniques highlight Agent Tesla’s advanced nature, necessitating advanced detection and response measures.
The threat actor targeted several individuals, and their sensitive data was stolen from their endpoints.
An example of a stolen data from a victim:
Indicators of Compromise (IoCs)
1. Purchase Inquiry.bat | 380c9e85f6960add801843076c33ec3b
2. mx1.jpg | 11d8ddcb74dd3c1c10dcf8e6df8e5af9
3. GC.dll | 416c046fdcf4625c189ec37230052b62
4. 2e8ecadb887cb758c0b0dcb79442d616
5. %appdata%\Roaming\gnxLZ.exe
6. https://didaktik-labor.de | 91.220.34.2
7. mail.knoow.net / knoow.net | 94.237.43.240
MITRE ATT&CK
Yara Rule
Yara Detection
Snort Rule
#AgentTesla Detection
alert tcp any any -> any 443 (msg:”Suspicious for Ingress Tool Transfer — Communication with didaktik-labor.de”; flow:to_server,established; content:”|64 69 64 61 6b 74 69 6b 2d 6c 61 62 6f 72 2e 64 65|”; sid:1000000;)
alert tcp any 587 -> any any (msg:”Data Exfiltration to AgentTesla C2 — Communication with ams.stablehost.com”; flow:to_client,established; content:”|61 6d 73 2e 73 74 61 62 6c 65 68 6f 73 74 2e 63 6f 6d|”; flowbits:set,ams_stablehost_com_detected; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 587 (msg:”Data Exfiltration to AgentTesla C2 — Communication with mail.knoow.net and ams.stablehost.com”; flow:to_server,established; content:”|6d 61 69 6c 2e 6b 6e 6f 6f 77 2e 6e65 74|”; flowbits:isset,ams_stablehost_com_detected; sid:1000002;)
Snort Detection
