TROJAN AGENT TESLA – MALWARE ANALYSIS



Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25
Family: Agent Tesla
Signature: Microsoft Visual C# v7.0/ Basic.NET
Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe
VirusTotal score: [screenshot]
Malware behavior:
  • Steals browser information (URLs, usernames, passwords).
  • Steals passwords for email clients.
  • Steals FTP client credentials.
  • Steals download manager passwords.
  • Collects OS and hardware information.

Browser Information:
When I debugged the malware executable, I found that it initially creates a SQLite database to store the information collected from the victim's machine.
Below are the tables that get created.
Tables created:
  • meta
  • logins
  • sqlite_sequence
  • stats
  • compromised_credentials
I found that it collected browser data (Google Chrome), including the accessed URLs and the related usernames and passwords.
The database table logins stores all browser-related information. [Screenshot of the table columns]
Apart from this, the malware also looks for many other browsers to steal data from.
It looks for the browsers below:
  • Opera Browser
  • Yandex Browser
  • 360 Browser
  • Iridium Browser
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • CentBrowser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • Citrio
  • Liebao Browser
  • Sleipnir 6
  • QIP Surf
  • Coowon
[Screenshot taken while debugging the malware]
The malware also looks for the email clients below. I hadn't installed any of them on my machine while analyzing this.
Email Clients:
  • Outlook
  • Thunderbird
  • Foxmail
  • Opera Mail
  • Pocomail
  • Claws-mail
  • Postbox
FTP Clients:
The malware grabs credentials from FTP clients as well. Below is the list.
  • FileZilla
  • Core FTP
  • SmartFTP
  • FTPGetter
  • FlashFXP
It also makes an FTP web request (the remote server could not be found).
It uses an SMTP client to send information over the network on port 587, which indicates that data is sent from the SMTP client to a particular SMTP server as mail attachments.
The malware executable also makes an HTTPWebRequest, which must be downloading the SMTP client to transfer data to the remote SMTP server.
Unfortunately, it didn't make any connection to any remote server address.
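As an added defender-side example (not code from the original post), the following Python correlates constructed sandbox-style events into an alert for the behaviour described above: one process reading browser, email and FTP credential stores and then connecting out on port 587. The event format, the path fragments and port 21 for the FTP request are assumptions.

```python
import re
from collections import defaultdict
# Credential stores the analysis lists as targets, grouped by its categories.
# The path fragments are assumptions chosen for illustration, not from the sample.
CREDENTIAL_STORES = {
    "browser": ["google\\chrome\\user data", "opera", "yandex", "brave", "vivaldi"],
    "email": ["thunderbird", "foxmail", "postbox", "claws-mail"],
    "ftp": ["filezilla", "smartftp", "flashfxp", "ftpgetter"],
}
EXFIL_PORTS = {587: "smtp", 21: "ftp"}  # 587 from the write-up; 21 for FTP assumed

# Constructed sandbox-style events, "<pid> <kind> <target>" (not real telemetry).
SAMPLE_EVENTS = """\
4312 file_read C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4312 file_read C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml
4312 file_read C:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\x.default\\logins.json
4312 connect 203.0.113.10:587
1180 file_read C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
1180 connect 198.51.100.5:443
"""
EVENT_RE = re.compile(r"^(\d+)\s+(file_read|connect)\s+(.+)$")

def classify_path(path):
    """Return the credential-store category a file path belongs to, or None."""
    lowered = path.lower()
    for category, fragments in CREDENTIAL_STORES.items():
        if any(frag in lowered for frag in fragments):
            return category
    return None

def correlate(events_text):
    """Group events per pid; return the pids showing stealer-style behaviour."""
    procs = defaultdict(lambda: {"stores": set(), "exfil": set()})
    for line in events_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        pid, kind, target = m.groups()
        if kind == "file_read":
            category = classify_path(target)
            if category:
                procs[pid]["stores"].add(category)
        else:
            port = re.search(r":(\d+)$", target)
            if port and int(port.group(1)) in EXFIL_PORTS:
                procs[pid]["exfil"].add(EXFIL_PORTS[int(port.group(1))])
    alerts = {}
    for pid, seen in procs.items():
        # Two unrelated stores is suspicious on its own (this sample never reached its server)
        if len(seen["stores"]) >= 2 or (seen["stores"] and seen["exfil"]):
            alerts[pid] = {"stores": sorted(seen["stores"]), "exfil": sorted(seen["exfil"])}
    return alerts
```

Chrome itself (pid 1180) reads its own Login Data and talks HTTPS, so it is not flagged; the stealer process (pid 4312) touches three unrelated stores and connects on 587, so it is.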
Summary:
  • Steals browser information including URLs, usernames and passwords.
  • Steals email client credentials.
  • Steals credentials of FTP servers.
  • Collects computer information.
