Agent Tesla - Malware Analysis Lab

14 minute read

Technical Analysis of Agent Tesla

Overview (AI generated from video):


The video script discusses the analysis of a malware binary known as Agent Tesla. The script covers the obfuscation and protections involved in the binary, as well as the process of unpacking and extracting information from it. The script also explores the capabilities and behavior of Agent Tesla, including its keylogging and information stealing functionalities. Highlights


0:46 ⏱️ The binary was initially unidentified but has now been categorized as Agent Tesla.
2:14 ⏱️ The binary is unpacked using UPX and identified as an AutoIT binary.
4:12 ⏱️ The binary contains resources that provide information about its origin and file locations.
5:48 ⏱️ Dynamic analysis reveals the binary’s injected processes and imported APIs.
9:10 ⏱️ Memory dump analysis identifies shell codes, PE files, and hooks associated with the binary.
12:03 ⏱️ Decompiled code reveals keylogging and information stealing functionalities.
16:15 ⏱️ Anti-analysis and anti-virtualization checks are performed by the malware.

Key Insights

🔍 The initial unidentified state of the malware highlights the need for continuous threat intelligence and analysis to stay ahead of evolving threats.
📦 The unpacking process using UPX and AutoIT extraction tools showcases common techniques used to analyze packed and obfuscated binaries.
🖥️ The presence of injected processes, imported APIs, and memory artifacts point to the persistence and stealth mechanisms employed by Agent Tesla.
🕵️ Decompiling the binary provides valuable insights into the malware’s functionalities and the specific targets it aims to exploit.
🛡️ The anti-analysis and anti-virtualization checks indicate the malware’s efforts to evade detection and hinder reverse engineering.
💻 The malware’s focus on keylogging and information stealing highlights the growing threat of credential theft and data exfiltration.
🌐 The use of external APIs, such as the Telegram API and public IP address services, demonstrates the malware’s ability to communicate with external servers and control infrastructure.

Transcript (AI generated from video):

00:00:00	today I'm going to run through analysis of a malicious binary that I downloaded from malware Bazar and up until quite recently So within the last 24 hours or so this had no real indication of what malware it was uh but has now been categorized as agent Tesla so let's take a look at kind of the obfuscation and the protections involved in this binary that led to it not being identified straight away so I've got my particular sample here and it is a raar file that has been uploaded so I've gone ahead and
00:00:31	installed winra so I'm going to extract the files and we just going to dump them on disk now from here I want to take a look at what this actual binary is we can see that it is posing as a PDF document with the icon and it has aexe extension now it has the description infity with a company name of Capron a version of 7.7.2 point0 yeah let's take a look at what it is with Detective it easy so we can see it is packed using upx we should be able to unpack that quite simply and it seems to be an autoit based binary as well so
00:01:10	I'm just going to open up a command prompt and we're going to do upx we're going to do attack D and see if this works see if it uh has any kind of modifications to the upx packing that's going to make this fail and it doesn't it look like it worked straight away so we now have an unpacked upx binary on disk that we can begin to get a bit more information about so let's look at it with detected easy and you can see now it says that it is auto it binary and it doesn't say that it is packed with upx anymore so because it's an auto
00:01:45	it binary I'm going to use a tool called autoit extractor and what I'm going to do is locate the binary in question and we get a bit more information now so there are particular resources that are noted within this binary there is the no CMD execute and the interesting thing about this is that it actually gives a bit more context on the machine that created this particular autoit binary so if we look we've got C users administrator Auto itv3 and the temp file that was essentially compiled into this executable there is the autoit
00:02:17	script as well same kind of information but if we go down to agess and we go to braess now we can see a little bit more interesting components so on the D drive there is zamp there is HT docks and a bit more information tied to that okay so we do have a creation date time of a couple of days ago as well February the 18th and we have some resources that we could probably dump from this particular Auto it binary it does look like this script is what we have that's going to essentially run and no execute doesn't
00:02:49	seem to have anything in it all right so what we can do is we can save these particular resources for further analysis this one we could just call script this one we might call ageless and this one we might call Brawlers so we do have kind of all of this uh I don't even know exactly what it is in terms of autoit we do have a bin file and we do have the script here so this is essentially what's going to be run as soon as the particular executable is executed but I want to get a bit more of a high level idea of what it's doing
00:03:19	using PE studio so let's take a look at it and just get a bit more of an idea of maybe the capability of this particular binary so it does have this original internal name during development of flex us Le Flex I can't pronounce it Whatever It Is there is the autoit component here in the script that we can see and you can see the entropy levels are quite high in fact it is extremely high which shows that it's either encrypted or encoded whatever it may be we've already extracted it though so that's fine while
00:03:49	this is running I'm going to go ahead and open a tool that might be a little bit faster called PE bear and what I want to do is just get a bit of an idea on imported and exported apis so with the Imports there seems to be large number of dlls that are being used and perhaps there are so there is this virtual this open process this virtual Alec X this right process memory so immediately it looks like it's going to be doing some sort of injection how about we swap to Dynamic analysis for the time being and actually get a bit
00:04:20	more of an idea on what occurs when we run it let's fire up Rock one okay we want to add a filter for this particular executable name so we're going to copy this we're going to add that filter app it there we go so now we should only see events that are tied to that we'll just double check back in on P studio and yeah you can see that uh there's a lot more information coming through the Imports we could filter by technique and we can see okay there's process Discovery there's input capture and process injection like we saw before
00:04:57	so there's quite a large chance that this is injected into a particular process in which case that's what I'm looking for I don't care about some of the other stuff that's taking place I just want to know what's going to wind up in memory the end so let's execute this binary I've just gone ahead and run it we can see exactly what it's doing we can see it's running cool we're tracking it it looks like it is running it is sitting in memory at the moment it's likely injected into it we can see everything that it did with proon and we
00:05:26	can kind of just base it off of the 7,000 events I'm sure that's not going to be much to uh to look through interestingly this looks like it is opening up Ultra VNC uh or checking if it is present sorry so likely that is some sort of stealing credentials associated with ultra VNC it does look like there is looking for Discord as well so maybe this is a credential Harvester some sort of information stealer it's currently still running in memory so what I'm going to do is I'm going to come back and I'm going to open up P sa process we
00:06:03	are looking for is 2288 let's just see whether we find anything and we've found 11 suspicious components of that particular binary that's sitting in memory we've dumped it out so it says that there is six implanted shell codes and two implanted PE files and a few hooks that have gone on so that's interesting so what we can do now we can actually terminate this process terminate tree doesn't really matter it seems to be the only thing that started running yeah it seems kind of like okay it did start another child process of itself
00:06:35	probably to inject into but it looks like that was the only process that was running where something was sitting in memory so let's go back to our filter what I'm going to do is uh remove that so we get it all back see it is loading particular DLS yeah cool kind of looks like it's just trying to inject into that particular process memory so let's take a look at this binary now that we've dumped out a memory and pay no attention to the fact that I completely didn't monitor anything with API monitor
00:07:01	so let's take a look we dumped it uh to the same direction that we actually fired up PE from which is this particular directory looks like we've got two applications we do have this part of memory and we do have this part of memory one is slightly bigger than the other so yeah these executables we can look into further let's take a look at detected easy uh this looks like it's net now detected easy with this one this one looks like it's done possibly with C++ possibly with net or resource inside of it is
00:07:35	too little bit interesting let's open up DN spy and just see if we can actually decompile these two particular binaries so it looks like there's a couple here this seems to be a PE file defined but it doesn't seem to have any content noted so this is probably not of interest to us uh this one on the other hand does seem to have a particular class or multiple classes defined so we can actually go in and take a look at it and what it's doing so first thing I want to do is basically just go to the
00:08:02	entry point because this is a PE file and it looks like it does have stuff to do with network communication due to the TLs information being defined here let's go back anyway so we've got application run but we do have these other particular classes so this one is defined here this method is run here and it looks like there's a a lot more methods that are being executed in this particular function so there is this screen logger that's of interest to me and there is a method inside of that looks like it's got log timer sure so
00:08:36	there is also an a key logger here mentioned so naturally this is something okay so keyboard hook so there's probably some sort of key key logging going on through basically hooking and determining if any keys are pushed we've got uh set module window hook X and we do have the definitions here so this is is a good sign that there is some sort of key logging going on so this is to determine whether particular keys are down up or particular special keys are pressed on a keyboard and what they refer to and if we go down we can see
00:09:12	stuff like this key log text whoops I just clicked on that let's PIV it back ends with and then there's a break or a header so this looks like it's producing some sort of HTML nice format of the particular key logging that has gone on and you can see page up F5 F6 all these other things being defined here as well so we know this is a particular information stealer particular key logger and the overarching consensus is that this is a version of agent Tesla so if we were to let see copied you can see
00:09:46	copied text here as well so it probably has a nice little uh window and there's endless amounts of methods that we could actually dive into to essentially see what this is doing I do believe that it has some anti kind of VM checks anti analysis checks associated with it but because it is net and we've been able to deop scate and dump it directly from memory we can begin to analyze the methods however we see fit and for example if we look at this particular class here we can see mention of a chat
00:10:15	ID we can see kind of the text HTML that's been defined as well as a JPEG image likely that's been taken of the particular operating system in question and it seems to be using the telegram API to send this information off to a telegram channel in particular this telegram channel here via this bot ID and authentication material there is a chat ID mentioned here as well and this is where everything that's being stolen is being sent to there also seems to be a startup environment name here so we're
00:10:46	talking about the app data directory and there is a directory name of whatever that's called and there is a registry key name and startup installation name you can also see it does have a fortified user agent string so this is pretending that it is version 99 of Firefox that's being used to communicate on a Windows operating system specifically Windows 10 64bit and it is also using api. ipfi which is a legitimate public website that is used to get your publicly facing IP address kind of interesting so there
00:11:25	is the username SL Compu name which is being used to send off that particular information associated with a computer looks like there is even stuff to do with where assemblies will be executed and the startup full path as well so it does look like the startup directory path is being specified and maybe this is the configuration of agent Tesla so it didn't actually specify your startup directory and as a result it's not essentially setting up persistence in that particular way but we could also run a tool like Auto runs to see if it
00:11:56	has established persistence on the operating system as well doesn't seem like there is anything at the moment so it is quite possible that if it isn't able to communicate with its command and control server that it just doesn't establish any kind of persistence but I have no idea we know that it is a copy of agent Tesla based on hitara rules now and so we can understand what it is doing based on the behavior of agent Tesla and if we look at some other classes we can see obvious evidence that this is performing some sort of key
00:12:27	logging and stealing of passwords in this particular case it looks like it is stealing origin username and password maybe stuff from the Opera browser and local state so this is more possibly to do with Firefox or maybe this is still Opera I'm not 100% sure to be honest but stealing stuff from particular browsers seems to be the aim of the game here so there is login data here now as well and profile all these things are associated with browser credentials and cookies there is also these looks at particular
00:13:00	DS yeah so we've got Ki 360 sandbox sandboxy Avast antivirus Avast as a whole and kodo internet kind of commonly known dlls associated with those security products and there is looks here as well so you can see that it is checking to see if the manufacturer is the Microsoft Corporation and whether the particular model is noted as virtual so if this is operating in a virtual environment the same is mentioned here for stuff like VMware or virtual box so if it's operating in those particular things the malware wants to know about
00:13:36	it it is also looking at the video controllers to see if this contains VMware or virtual box as well so this definitely wants to know and then there's also this check remote debugger present so it definitely wants to do some sort of anti- debugging and anti anti virtualization checks to avoid detection on an endpoint but we know it is Agent Tesla so GG and uh that's it for today you can uh you can take a look at the in-depth functions of this at your own Leisure so let me know your thoughts comments
00:14:08	feelings anything else that you want to say in the uh comments section below and I'll catch you next [Music] time