The Spy Within: A Close Encounter with Agent Tesla Malware

The analyzed sample belongs to the notorious 'Agent Tesla' malware family, classified as a Remote Access Trojan (RAT) and credential stealer. This variant ships as a compiled .NET executable (.exe), which is why it can later be decompiled with dnSpy, and it contains a large set of methods designed to gather sensitive data from the infected device.

Throughout this static analysis we work through the layers of the malware, examining the methods it defines and the Windows API calls it relies on. Its capabilities range from credential harvesting to keylogging and screen capture.

The sample was downloaded from MalwareBazaar (the archive password is 'infected').

Hashes
SHA256 hash: afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce
SHA3-384 hash: 0458ef60fbd120a4611a24c5483038cb3cbf14e2aa30773a10450e423be94a08b35ef8e155624fb5bdd004b89eb2bdf1
SHA1 hash: 4ed317a0661c31766048fb6859f55c9646bb3534
MD5 hash: 6c00dff27e7b9281f4aa295b522b1e4d
humanhash: march-mountain-spring-golf
File name: file

Analysis

Our initial assessment starts with Detect It Easy (DIE), which identifies the compiler, linker and any packer or protector applied to the sample. Knowing whether the binary is packed tells us whether the imports and strings examined next belong to the real payload or only to an unpacking stub.

Identifying Windows API calls:

Using pestudio we look at the Windows DLLs and API functions the malware references. pestudio flags APIs commonly abused by malware families, and grouping them by purpose gives a high-level picture of the functionality before reading any code. Because this is a .NET binary, its PE import table holds little more than the CLR entry point; the Win32 functions discussed here come from the P/Invoke declarations and strings in the assembly's metadata.

Going through the API references grouped by function, we get a clear picture of how the Windows APIs map to different capabilities. We also see that the malware uses hook-installation APIs, which let it intercept input in other processes to capture data.

The malware goes through a discovery stage in which it enumerates the processes and threads currently running on the host.

Further investigation reveals the functions GetKeyState and GetKeyboardLayout. GetKeyState reports whether a given key is pressed, and GetKeyboardLayout returns the active keyboard layout handle needed to translate virtual-key codes into the characters the victim actually typed; together they are the signature of a polling keylogger.

Understanding methods with dnSpy:

Opening the sample in dnSpy, we see that its methods carry randomized names such as ywmj8cFn, mTn and kBCu3Hs, the mark of a .NET obfuscator. The names tell us nothing, so each method has to be characterized by what it calls.

Checking the method ywmj8cFn, we see that it calls several helpers built on the same pattern to collect operating-system information: username, file name, Windows version, active processes and more. The method runs repeatedly, re-collecting this data and checking whether anything has changed since the previous pass.

In the method mTn the malware walks through directories, potentially indicating attempts to locate specific files or resources.

The method kBCu3Hs is a likely data-exfiltration routine. It attaches a file to an email message and sends it, so stolen data leaves the host as a mail attachment. Static analysis only shows the mechanism; dynamic analysis should reveal the mail server, account and destination address it uses, which are the indicators worth blocking.

Other functionality includes further enumeration of running processes and threads, complementing the discovery stage seen in the API references.

We also identify that the malware takes screen captures.
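To make the email-attachment exfiltration described for kBCu3Hs concrete, here is an added example (not the sample's code) that builds the kind of message a mail-based exfil routine would hand to an SMTP server after the DATA command, and then recovers the attachment from that raw payload the way an analyst would from a packet capture. The stolen-data content, file name, addresses and subject are constructed placeholders; the real server and mailbox are exactly what dynamic analysis would have to reveal. The point worth noticing is that the attachment is base64-encoded in transit, so a network detection that looks for the stolen strings in the clear will miss it; the MIME part has to be decoded first.

```python
"""Build and then dissect an email-with-attachment exfil message.

Added example for this write-up; not the malware's code. All addresses,
names and payload bytes are constructed placeholders.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for a harvested-credentials file; not real data.
STOLEN_BLOB = b"host=example.test\r\nuser=victim\r\npass=hunter2\r\n"


def build_exfil_message(payload: bytes, filename: str,
                        sender: str = "bot@example.test",
                        recipient: str = "drop@example.test",
                        subject: str = "PW_victim-PC") -> bytes:
    """Return the RFC 5322 bytes an SMTP client would transmit after DATA."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("see attachment")
    # Binary attachments are base64-encoded on the wire, which is why the
    # stolen data does not show up as plain text in a capture.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def recover_attachments(smtp_data: bytes) -> dict:
    """Parse captured DATA bytes and return {filename: decoded bytes}."""
    msg = message_from_bytes(smtp_data, policy=default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.iter_attachments()}


def exfil_indicators(smtp_data: bytes) -> dict:
    """Header fields an analyst or detection rule would pivot on."""
    msg = message_from_bytes(smtp_data, policy=default)
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    raw = build_exfil_message(STOLEN_BLOB, "creds.txt")
    print(raw.decode())
    print(exfil_indicators(raw))
    print(recover_attachments(raw))
```

Sending the message would be a call to smtplib against the server and credentials the sample carries; that step is deliberately left out here, and it is the part dynamic analysis (or intercepting the SMTP session in a sandbox) should capture.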

Conclusion

Agent Tesla is a capable .NET infostealer and RAT. It conceals itself on the host, enumerates the system and its processes, logs keystrokes, takes screen captures and harvests credentials, and then exfiltrates the stolen data by email, all without the user noticing.