Trojan Agent Tesla – Malware Analysis

Malware Analysis
1

Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25

Family : Agent Tesla

Downloaded Sample Link: Click here

Signature: Microsoft Visual C# v7.0/ Basic.NET

Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe

Blg9_30032020_81

VirusTotal score:

Blg9_30032020_82
Blg9_30032020_82860×165

Malware behavior:

  • Steal browser information (URL, Usernames, Passwords)
  • Steal passwords for email clients.
  • Steal FTP Clients
  • Steal download manager passwords.
  • Collect OS and hardware information.

 

Browser Information:

When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine.

Below are the tables getting created.

Blg9_30032020_26
Blg9_30032020_26860×211

Blg9_30032020_83
Blg9_30032020_83860×154

Blg9_30032020_28
Blg9_30032020_28860×325

Tables created:

  • meta
  • logins
  • sqlite_sequence
  • stats
  • compromised_credentials

found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords.

Blg9_30032020_29
Blg9_30032020_29860×507

database table logins stores all browser related information. Below are the table columns.

Blg9_30032020_30
Blg9_30032020_30765×545

Blg9_30032020_47
Blg9_30032020_47860×727

Apart from this, malware also look for all different types of browsers to steal data from it.

It look for below browsers:

  • Opera Browser
  • Yandex Browser
  • 360 Browser
  • Iridium Browser
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • CentBrowser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • Citrio
  • Liebao Browser
  • Sleipnir 6
  • QIP Surf
  • Coowon

Blg9_30032020_11
Blg9_30032020_11860×454

Below screenshot taken while debugging malware.

Blg9_30032020_50
Blg9_30032020_50860×452

Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.

Email Clients:

  • Outlook
  • Thunderbird
  • Foxmail
  • Opera Mail
  • Pocomail
  • Claws-mail
  • Postbox

Blg9_30032020_12
Blg9_30032020_12860×182

Blg9_30032020_84
Blg9_30032020_84860×66

FTP Clients:

Malware grabs credentials from FTP clients as well. Below list.

  • FileZilla
  • Core FTP
  • SmartFTP
  • FTPGetter
  • FlashFXP

Blg9_30032020_76
Blg9_30032020_76860×101

Blg9_30032020_75
Blg9_30032020_75860×22

It also makes FTP web request. (Remote Server couldn’t find)

Blg9_30032020_90
Blg9_30032020_90816×177

Blg9_30032020_91
Blg9_30032020_91860×80

It uses smtp client to send information over the network using port 587 which indicates sending data from smtp client to a particular smtp Server through mail attachments.

Blg9_30032020_85
Blg9_30032020_85860×621

Blg9_30032020_86
Blg9_30032020_86860×764

Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to remote SMTP server.

Blg9_30032020_89
Blg9_30032020_89732×478

unfortunately, it didn’t make any connection to any remote server address.

Summery:

  • Steal Browser Information including urls, usernames and passwords.
  • Steal email client credentials.
  • Steal credentials of FTP servers.
  • Computer information.

 

Thank you.

 

Article Link: https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/