The Spy Within: A Close Encounter with Agent Tesla Malware
The analyzed sample is part of the notorious malware family known as 'Agent Tesla,' classified as a Remote Access Trojan (RAT). This particular variant, encapsulated in a compiled .exe file, unfolds a complex web of functions and methods designed to gather sensitive data from the infected device.
Throughout the static analysis, we will delve into the intricate layers of this malware, unraveling its inner workings by examining the functions and Windows API calls it employs. From harvesting credentials to executing keylogging and screen capture techniques, this malware exhibits a diverse range of capabilities.
The sample has been download from Malware Bazaar (password: infected).
| Algorithm | Hash |
|---|---|
| SHA256 hash: | afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce |
| SHA3-384 hash: | 0458ef60fbd120a4611a24c5483038cb3cbf14e2aa30773a10450e423be94a08b35ef8e155624fb5bdd004b89eb2bdf1 |
| SHA1 hash: | 4ed317a0661c31766048fb6859f55c9646bb3534 |
| MD5 hash: | 6c00dff27e7b9281f4aa295b522b1e4d |
| humanhash: | march-mountain-spring-golf |
| File name: | file |
Analysis
Our initial assessment starts with Detect-it-easy, a tool which we can use to confirm if the sample uses any packers.
Identifying Windows API calls:
Using PE-Studio we look into the Windows DLL files which the malware is using. This helps identify the malicious Windows API keys used by malware families and understand the functionality on a higher level.
Going through the section headers we get a clear picture of how the Windows API keys are used for different type of functionalities. We also see how the malware is using hooks to inject into different processes to capture and compare data.
The malware goes through a discovery stage where it identifies current windows processes and threads that are active.
Further investigation reveals the use of functions such as "GetKeyState" and "GetKeyboardLayout," indicating potential keylogging methods.
Understanding Functions with DNSpy:
Looking into the malware's code using DNSpy, we can see that the sample is using various methods which have been named randomly.
Checking the method "ywmj8cFn", we can see it using multiple functions which use the same type of code to go through the operating system information like username, filename, windows version, active processes and many more. The method is continuously running through the system and identifying if any information being discover is new.
From function "mTn", we can see the malware navigating through directories, potentially indicating attempts to locate specific files or resources.
The method "kBCu3Hs" maybe a potential function for data exfiltration. From this method we can try and understand how the malware may attempt to transfer sensitive information. The method being applied here is attaching a file to an email and exfiltrating data via email. Dynamic analysis should shed more light on this function.
Other functionalities include the malware's efforts to identify current processes and threads.
We also identify that the malware is doing screen captures.
Conclusion
The Agent Tesla malware is a smart computer bug. It tries to hide/sneak into your computer, and steal your information without you noticing.