The original sample of AgentTesla: MD5: e7c0b04e6a639e611d8f97897fa62b63
[Github - Pass: infected]
[Hybrid-Analysis]
AgentTesla is a .NET-based keylogger, RAT and stealer readily available to threat actors. It logs keystrokes and the host's clipboard, extracts passwords and other information, and beacons it back to the C2. More info on AgentTesla: [Malpedia - AgentTesla]
Video: [YouTube]
This part covers extraction of all stages while reversing the original sample and obtaining the final payload. Most of the video is about advanced usage of dnSpy, such as patching in memory the obfuscated modules that get loaded at runtime as the next stages and replacing them with deobfuscated ones. I will show a simple way to benefit from views like Call Stack, Memory View, Modules View, Locals etc. Replacing obfuscated next-stage modules with deobfuscated ones in memory (during runtime) is one of the tricks that will be shown. Many tricks for interacting with a .NET assembly via PowerShell will be introduced (loading a .NET assembly, invoking methods (even private ones), patching methods, getting assembly field values etc.). The biggest advantage of all of this is that we keep the whole execution process under control.
In the picture below we can see the decoding routines used to dynamically load the stage1 module via reflection.
Below is the PowerShell one-liner [Download Here] used for manually decoding the stage1 module. All steps are explained in the video.
Since we are already using reflection in PowerShell, we do not have to reimplement the decoding routines manually; we can invoke them directly from the assembly. One problem is that the deobfuscation methods are defined as “private”. There are several workarounds for this. One is to patch the original assembly with tools like dnSpy, CFF Explorer or Cerbero Suite.
Patching the method flag “Private” to “Public” in dnSpy:
Patching the method flag “Private” to “Public” in CFF Explorer:
Patching the method flag “Private” to “Public” in Cerbero Suite:
Comparing invocation of the deobfuscation methods (original_sample with the “private” flag patched to “public” vs. NOT patched).
PowerShell script [Download Here]
We can also do the stage1 decoding fully manually in Python [Download Here]:
Another workaround is that we can invoke methods defined as "private" without patching the assembly at all, even if the attribute "[assembly: DisablePrivateReflection]" is used. The key is in specifying “System.Reflection.BindingFlags”. You can see the example assembly “MyLIB.dll” [Download Here] and the PowerShell script [Download Here]:
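As an added illustration (this is not the post's own script, which is linked above), the following PowerShell drives an assembly's private members purely through BindingFlags: it lists the non-public methods, runs the type's static constructor, reads a private static field and invokes a private method. The assembly path, type name, method name and field name are placeholders to be replaced with what dnSpy shows for the sample at hand.

```powershell
# Added example (not the post's script): reach "private" members of a .NET assembly from
# PowerShell via System.Reflection.BindingFlags instead of patching the method flags on disk.
# All names below are placeholders; substitute the type/method/field names seen in dnSpy.
param(
    [string]$AssemblyPath = 'C:\analysis\MyLIB.dll',   # placeholder: assembly under analysis
    [string]$TypeName     = 'MyLIB.Decoder',           # placeholder: fully qualified type name
    [string]$MethodName   = 'Decode',                  # placeholder: private (de)obfuscation method
    [string]$FieldName    = 'key',                     # placeholder: private static field to read
    [object[]]$Arguments  = @()                        # arguments matching the method's signature
)

# Load from bytes so the file on disk stays unlocked for other tools (dnSpy, CFF Explorer).
$asm  = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($AssemblyPath))
$type = $asm.GetType($TypeName, $true)          # $true: throw if the type does not exist

# NonPublic is what makes "private" members visible; Static and Instance match either member kind.
$flags = [System.Reflection.BindingFlags]'Public,NonPublic,Static,Instance'

# Inventory: print every non-public method with its signature so the right routine can be chosen.
$type.GetMethods($flags) | Where-Object { -not $_.IsPublic } | ForEach-Object {
    $params = ($_.GetParameters() | ForEach-Object { $_.ParameterType.Name }) -join ', '
    '{0} {1}({2})' -f $_.ReturnType.Name, $_.Name, $params
}

# Static fields such as embedded keys are only populated once the static constructor (.cctor)
# has run. This executes the assembly's own initialiser code, so keep it inside the analysis VM.
[System.Runtime.CompilerServices.RuntimeHelpers]::RunClassConstructor($type.TypeHandle)

$field = $type.GetField($FieldName, $flags)
if ($field) {
    $value = $field.GetValue($null)            # $null target: static field
    if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
    Write-Output ('Field {0} = {1}' -f $FieldName, $value)
}

# Resolve and invoke the private method. GetMethod throws AmbiguousMatchException when the name
# is overloaded; in that case select the overload from GetMethods() by parameter types instead.
$method = $type.GetMethod($MethodName, $flags)
if (-not $method) { throw "Method '$MethodName' not found on $TypeName" }
$target = if ($method.IsStatic) { $null } else { [System.Activator]::CreateInstance($type, $true) }
$result = $method.Invoke($target, $Arguments)
Write-Output ('{0} returned: {1}' -f $MethodName, $result)
```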
Video: [YouTube]
In this video, we will be reversing the final stage payload. We will perform full deobfuscation using the tool de4dot, plus manual string decoding via PowerShell and Python. [Final_Payload - Pass: infected]
FTP services credentials
Ca. 30 different web browsers (logins/passwords, cookies, ...)
Using DPAPI decryption
Windows credentials
Mail clients credentials
VPN clients credentials
Chat clients credentials
VNC programs credentials
Only 1 instance running
Set files as hidden and system
Persistence:
"Software\Microsoft\Windows\CurrentVersion\Run"
"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
Using "hxxps://api.ipify.org" to get public IP
Downloading and running files from hxxp://CsQCyR.com - not active anymore
PC name, processor, RAM, network adapter, others...
Uninstalling itself
Deleting ADS (Zone identifier)
Taking screenshots
Keylogging
Using COM objects such as wscript.shell
Socket communication
Web communication
Getting clipboard data
Tor browser client
Exfiltrating stolen information to compromised mail account:
mail:"j.rodarte@moseg.com.mx"
PowerShell string decoding script via method Invoke [Download Here]
PowerShell string decoding script via getting the byte field - invoking the cctor [Download Here]
Python string decoding script [Download Here]
Python MD Token generation script [Download Here]
dnSpy - https://github.com/dnSpy/dnSpy
CFF Explorer - https://ntcore.com/?page_id=388
Cerbero Suite - https://cerbero.io/
de4dot - https://github.com/de4dot/de4dot
ILSpy - https://github.com/icsharpcode/ILSpy
Karsten Hahn (@struppigel) - Understanding .NET Streams and Metadata:
https://youtu.be/RkqW5S_e8AU
Alexandre Borges (@ale_sp_brazil) - .NET MALWARE THREAT: INTERNALS AND REVERSING:
http://www.blackstormsecurity.com/docs/ALEXANDREBORGES_DEFCON_2019.pdf
https://youtu.be/UB3pVTO5izU
Pavel Yosifovich (@zodiacon) - Windows 10 internals for .NET developers:
https://youtu.be/h6BXMcRqYhA