Agent Tesla

Generic term for software that spies on a user via webcam, screenshots, stealing passwords or stealing files.

The most common spyware encountered is a Credential Stealer

Steal credentials via keyloggers, form grabbers, and digging through program files that store saved passwords (Browsers)

Form grabbers intercept traffic to login sites such as Facebook or Gmail, and intercept the credentials that are being sent over.

These information will be stored locally on the machine first before being exfiltrated to the C2 server

After unzipping the file, we get a swift.exe file.

When we open it with PEStudio, we see that it’s compiled with .NET

We open the binary in x32dbg and set a breakpoint on VirutalAlloc, VirtualProtect and CreateProcessInternalW.

For catching anti-debugs, we also set a breakpoint on IsDebuggerPresent

We disable some of the breakpoints, and only activate them after IsDebuggerPresent is called. This means that the virtual allocation that happens after is probably the malicious code unpacking itself, as opposed to other non-malware related activities.

Once we execute the binary and it hits the BP for IsDebuggerPresent, we change the value in eax to 0 to pass the check

After we pass the check, we enable the breakpoint of VirtualAlloc and follow the allocated memory in the dump to see the contents that the binary is writing.

We will still hit several .NET internal that call VirutalAlloc, and we have to step through multiple times to get the actual binary being unpacked in memory.

To make this process easier, we can disable the breakpoint for VirtualAlloc, and just set a breakpoint for VirtualProtect, which will change the RW permissions of a memory region. This is usually done after a shell code has been written to a memory region, and the binary wants to execute it.

However we seem to have missed the decryption of the payload, and instead hit the BP for CreateProcessInternalW, which is spawning a process in a suspended state from the 0x04 parameter that is being passed to the function. This likely means that code injection is going to take place in this suspended process.

The process that it’s spawning is RegSvcs.exe, and we can see it being spawned in ProcessHacker

Since we know that Process Injection is likely taking place, we set breakpoints on WriteProcessMemory and NtAllocateVirtualMemory.

When it hits the BP for WriteProcessMemory, we can observe the payload that it’s writing, and the address that it’s writing to.

From the debugger, its writing to offset 0x400000 and the buffer that’s holding the contents to be written is in 0x03A12F30, and it’s writing 0x200 bytes

We follow the buffer in dump at 0x03A12F30 and see the executable that is going to be injected

We dump out this binary and open it in PEStudio, and see that it’s also compiled with .NET

Looking at the strings in PEStudio, we see suspicious strings such as password and vault, which indicate that these are places that the malware is going to be searching for credentials to steal.

It also has strings for HttpWebRequest, which mean it’s likely going to intercept HTTP calls to websites such as facebook or gmail and steal passwords being sent over.

Since the data is only encrypted AFTER the call to setup the HTTP request, the malware thus has access to the raw strings and credentials.

This could also indicate that it’s going to exfiltrate data over HTTP to the C2 server.

MapVirtualKey and GetLastInputInfo indicate that there is a keylogger present as well.