[MALSPAM] Deep analysis of new Agent Tesla campaign with AutoIT dropper

The 29th of February 2020, thanks to our Malware Intelligence Platform, we found a new, strange, malspam campaign with, as target, the sales office of an important company. The email was the following:

Figure 1: Malspam email

The attachment of this malspam email wasn’t the usual Microsoft Office dropper with macros, but a simple .bat dropper that did nothing but download and run the real AutoIT malware from this domain: hxxp://www.bitsandbytes.net.in/bobbbb.exe

The downloaded bobbbb.exe is an AutoIT executable that contains an Agent Tesla payload.

AutoIT Dropper Deobfuscation

AutoIT is a scripting language for Windows, really used to create malware because of his high-level abstraction and his low rate of antivirus detection. Fortunately, it’s compilation process is easy to invert, with tools like Exe2Aut, that returns an almost perfect AutoIT source code. However, the code is, really often, highly obfuscated, then difficult to understand.

As you can see in figure 3, all strings are encrypted by one or more levels of obfuscation. Fortunately all those decryption functions return a string, and since we can modify the source code, I modified those functions directly in the program to write to a file the result of the decryption. After that, with a simple python script a subsituted in the source code the decrypted strings to obtain something more readable.

In Figure 2 you can see the main function of this executable:

Main Function
Figure 2: Main function deobfuscated

The $payload variable contains the shellcode of Agent Tesla malware as reversed string ( it ends with “x0” ). This payload is decrypted and injected in the RegAsm.exe process.

Next I will explain the details of this process.

Extraction of payload

To extract the payload of Agent Tesla, we have to analyze in detail what the program does with the $payload variable. In Figure 3-4, you can see the AllocatePayload () function before and after the deobfuscation:

Figure 3: Obfuscated function
Figure 4: Deobfuscated function

In this function we can see another shellcode that I called $rc4decryptor. Indeed it’s clear what the dropper does:

FileWrite (“decrypted_payload.bin”, $decrypted_payload)

Otherwise we can put a breakpoint to the end of the RC4 decryption stub, and dump the decrypted memory (but after that you need to rebuild the corrupted PE Header).

The InjectToProcess() function (Figure 5) allocates memory for another strange shellcode, built, again, concatenating strings. Then calls that shellcode with RegAsm.exe and the decrypted payload of Agent Tesla as parameters. That shellcode simply injects the payload in the process.

Figure 5: Injection Function

Agent Tesla Payload

Agent Tesla is a .Net based malware that steals passwords, keystrokes and other sensible information, then sends it to a remote c&c server, through HTTP/SMTP protocols. I will not go deep in this analysis, because a lot of articles have already analyzed this kind of malware. Through a dynamic analysis, we can easily see that it try to access to all browser’s files that stores passwords (Figure 6), and opens a TCP connection with this AWS c&c:


Figure 6: Dynamic Analysis

Strings decryption

Analyzing the extracted payload with dnSPY, we can see another obfuscated code. What we want to retrieve are the SMTP credentials, that are hardcoded in the extracted payload (figure below). All strings are decrypted by Module.\u205f () function.

In this function (last figure) the parameter A_0 is an integer that identify the string to decrypt. It is used only at line 18055, then I decided to put a breakpoint at line 18056 and modify manually the value of num3 variable in memory, setting the indexes corresponding to the SMTP credentials (this process, because unfortunately during debugging, I can’t reach the SMTP stub….).

Username index: 602112 -> 0x00093000 -> contact@euramtec.pw

Password index: 602240 -> 0x00093080 -> ***

SMTP host index: 602368 -> 0x00093100 -> “us2.smtp.mailhostbox.com”

Then, this is how the emails with stolen data arrive to the malware owner:

Other useful resources


rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora