Agent Tesla — campaign of 20 May 2021
Agent Tesla
Agent Tesla is a .NET-based spyware and information stealer that records its victims' keystrokes and other user interactions and harvests saved credentials. It is sold by subscription on a dedicated website that falsely markets it as legitimate monitoring software.
The payload is built on the .NET Framework. Its purpose is to steal credentials and other personal data and send them to the operator's command-and-control (C2) server; it reads saved credentials from web browsers, email clients and FTP clients.
The malware installs several persistence mechanisms (in this campaign a scheduled task and a Run key) so that it resumes automatically after a reboot or logon. Separately from persistence, it can terminate Windows processes, including security tools, in order to stay hidden.
SilverTerrier
SilverTerrier is a Nigerian threat group that has been active since 2014. SilverTerrier primarily targets organizations in high technology, higher education, and manufacturing.
In recent weeks we detected a new malware campaign containing Agent Tesla. Below is an analysis of the malware and the offensive infrastructure.
Sandbox analysis link: https://app.any.run/tasks/1f2f6acd-d1a7-4175-a06f-38524a5f9b0d/
Malware and offensive infrastructure analysis
Dynamic analysis
Process tree
Upon execution, the malware spawns two child processes:
- schtasks.exe
- RegSvcs.exe
The first is used to create a scheduled task via the command:
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ysZeGjU" /XML "C:\Users\admin\AppData\Local\Temp\tmp9D6C.tmp"
This is the persistence command: the task definition is read from a temporary XML file written just before the call (its name varies from run to run; the dropped-files listing below shows tmpD59.tmp), and the resulting task launches ysZeGjU.exe at each logon of the affected user.
The second process, RegSvcs.exe, is the legitimate Microsoft .NET Services Installation Utility; Agent Tesla commonly runs its payload inside this signed binary, and in this run all malicious activity is performed from it:
- Creation of registry keys
- Collection of web browser data, e.g. the Firefox profile list:
  - C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
- Collection of email client data, e.g. the Thunderbird profile list:
  - C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Dropped files
During execution the sample unpacks itself and sets up persistence, which results in the creation of the following files:
- C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
- C:\Users\admin\AppData\Roaming\ysZeGjU.exe
- C:\Users\admin\AppData\Local\Temp\tmpD59.tmp
The file ysZeGjU.exe is the actual malware that will be executed at each system startup to obtain remote and persistent access.
Registry keys created
These keys are created to achieve persistence, so that the payload is launched again at each logon of the affected user (Run keys fire at logon, not at boot, and only for the user whose hive holds them).
- KEY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- NAME NewApp
- VALUE C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
- KEY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
- NAME NewApp
- VALUE C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
The first key is what actually starts NewApp.exe. The StartupApproved\Run entry does not launch anything by itself: Windows uses it to record whether the corresponding Run item is enabled or disabled in the Startup tab of Task Manager, so its presence confirms that the autostart entry was registered and left enabled.
Network activity
The malware contacts its command-and-control (C2) server and delivers the harvested victim data to it. The mail. hostname is consistent with the SMTP exfiltration channel typical of Agent Tesla, in which stolen data is sent as email through an account on that server (often a compromised legitimate one):
- Domain mail[.]tradzilanilaw[.]co[.]za
- IP 69[.]46[.]6[.]238
As illustrated in the figure below, the domain and IP address contacted by the sample under analysis have been observed in other malware campaigns and in other specimens of the same family (Agent Tesla). Our Cyber Threat Intelligence platform has tracked this infrastructure across multiple threat actors, which points to shared tooling or operational overlap within the Agent Tesla ecosystem.

Static Analysis
Static analysis of the initial Agent Tesla sample yields the following indicators of interest:
- md5 63CCA7B824B315FE272B8B4768CCB44E
- sha1 D3B145B0C415488815B430F71EA82BA8F4289F05
- sha256 46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8
- first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
- entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- file-version 0.8.0.0
- cpu 32-bit
- compiler-stamp 0x60A58B3F (Thu May 20 00:03:43 2021)
- code-page Unicode UTF-16, little endian
- CompanyName Fayva
- FileDescription wsManager
- InternalName 8MUWA2d1M.exe
- LegalCopyright Copyright © Fayva
- OriginalFilename 8MUWA2d1M.exe
- ProductName webshellManager
ysZeGjU.exe
This file is a byte-for-byte copy of the initial sample (identical MD5, SHA-1 and SHA-256): the dropper simply relocates itself to %APPDATA% and registers that copy as the logon task.
- md5 63CCA7B824B315FE272B8B4768CCB44E
- sha1 D3B145B0C415488815B430F71EA82BA8F4289F05
- sha256 46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8
- first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
- imphash F34D5F2D4577ED6D9CEEC516C1F5A744
- entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- file-version 0.8.0.0
- description wsManager
- cpu 32-bit
- compiler-stamp 0x60A58B3F (Thu May 20 00:03:43 2021)
- CompanyName Fayva
- FileDescription wsManager
- FileVersion 0.8.0.0
- InternalName 8MUWA2d1M.exe
- LegalCopyright Copyright © Fayva
- OriginalFilename 8MUWA2d1M.exe
- ProductName webshellManager
NewApp.exe
- md5 0E06054BEB13192588E745EE63A84173
- sha1 30B7D4D1277BAFD04A83779FD566A1F834A8D113
- sha256 C5D6D56DED55FBD6C150EE3A0EB2E5671CAE83106BE2BE4D70CE50AA50BAB768
- first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
- imphash F34D5F2D4577ED6D9CEEC516C1F5A744
- entry-point FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- file-version 4.7.3062.0 built by: NET472REL1
- description Microsoft .NET Services Installation Utility
- cpu 32-bit
- compiler-stamp 0x5AB95109 (Mon Mar 26 21:59:05 2018 )
- code-page Unicode UTF-16, little endian
- CompanyName Microsoft Corporation
- FileDescription Microsoft .NET Services Installation Utility
- InternalName RegSvcs.exe
- LegalCopyright © Microsoft Corporation. All rights reserved.
- OriginalFilename RegSvcs.exe
- ProductName Microsoft® .NET Framework
NewApp.exe is the unmodified Microsoft RegSvcs.exe (.NET Services Installation Utility, build 4.7.3062.0). Agent Tesla copies this legitimate, Microsoft-signed binary under its own name so that the payload started from the Run key runs inside a trusted image. Note that its imphash is identical to the malware's (F34D5F2D4577ED6D9CEEC516C1F5A744): every .NET executable imports only mscoree!_CorExeMain, so the imphash, like the FF 25 entry stub, is shared by all .NET binaries and is not a useful pivot for this family.
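As an added example (not part of the original report), the following Python shows why two of the indicators listed above are the same for the malware and for the legitimate RegSvcs.exe: it recomputes the imphash from an import table the way pefile does, and decodes the 6-byte entry stub FF 25 00 20 40 00. The import tables are constructed inline (a real file would be read with pefile); the native-import table is hypothetical and only there for contrast.

```python
import hashlib
import struct

# Constructed import tables in the shape pefile reports them: (dll, function).
# Every executable built by the .NET compilers carries exactly this one import.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]
# Hypothetical native-style table, for contrast only (not from the report).
NATIVE_IMPORTS = [("kernel32.dll", "CreateFileW"), ("advapi32.dll", "RegSetValueExW")]

# Entry-point bytes exactly as listed in the static analysis above.
PAGE_ENTRY_POINT = bytes.fromhex("FF 25 00 20 40 00")


def imphash(imports):
    """Import hash as pefile computes it: 'dll.function' pairs, lowercased,
    extension stripped, joined by commas, then MD5 (ordinal imports become 'ordN')."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = func.lower() if isinstance(func, str) else "ord%d" % func
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def decode_clr_stub(entry_bytes, image_base=0x400000):
    """Decode the x86 'jmp dword ptr [addr]' (FF 25 imm32) that PE32 .NET images
    use as their native entry point. The pointer lands in the IAT and resolves to
    mscoree!_CorExeMain, which then starts the managed code. Returns
    (target_va, target_rva), or None when the bytes are not that stub."""
    if len(entry_bytes) < 6 or entry_bytes[:2] != b"\xff\x25":
        return None
    target_va = struct.unpack_from("<I", entry_bytes, 2)[0]
    return target_va, target_va - image_base


def is_dotnet_shaped(entry_bytes, imports):
    """True when both the entry stub and the import table are the generic .NET ones,
    i.e. neither indicator can distinguish this file from any other .NET binary."""
    norm = [(d.lower(), f) for d, f in imports]
    return decode_clr_stub(entry_bytes) is not None and norm == [("mscoree.dll", "_CorExeMain")]


if __name__ == "__main__":
    print("imphash of any .NET exe :", imphash(DOTNET_IMPORTS))
    print("imphash of native sample:", imphash(NATIVE_IMPORTS))
    print("entry stub target       :", decode_clr_stub(PAGE_ENTRY_POINT))
    print(".NET-shaped             :", is_dotnet_shaped(PAGE_ENTRY_POINT, DOTNET_IMPORTS))
```

The practical consequence: when pivoting on Agent Tesla samples, rely on the full hashes, the version-info strings (here the odd "Fayva" / "webshellManager" block) and the C2 configuration, not on imphash or entry-point bytes.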
tmpD59.tmp
- md5 C0089F5200712CEBEC6B695A682611B3
- sha1 F30A3BDACB50B9CA066EC23BAB70164025ADF439
- sha256 050749E86B5846DD70D4F2A8324B742C0F87109D7CDB356D33968AFDC57CED96
- first-bytes-hex 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46
- first-bytes-text <?xml version="1.0" encoding="UTF
File content excerpt:
<LogonTrigger>
  <Enabled>true</Enabled>
  <UserId>USER-PC\admin</UserId>
</LogonTrigger>
<Command>C:\Users\admin\AppData\Roaming\ysZeGjU.exe</Command>
This task definition is the persistence mechanism for ysZeGjU.exe: the logon trigger fires at each logon of the affected user (USER-PC\admin) and runs the copy of the malware from %APPDATA%.
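As an added example (not from the original report), the Python below parses a Task Scheduler XML definition of the kind schtasks /XML consumes and flags tasks that start at logon or boot from a user-writable directory, which is exactly the pattern of the Updates\ysZeGjU task above; the same path check applies to the Run-key values in the registry section. The sample task XML is constructed here to match the excerpt (real task files are UTF-16 in the Microsoft task namespace, so the loader accepts both raw bytes and text); the benign task is hypothetical and only there for contrast.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to without elevation. An autostart that
# points here is not proof of malice, but it is where droppers like this one live.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\"
    r"|%(?:appdata|localappdata|temp|tmp|userprofile)%)",
    re.IGNORECASE,
)

# Constructed task definition mirroring the excerpt above (same trigger, user and command).
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>USER-PC\admin</UserId>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\admin\AppData\Roaming\ysZeGjU.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Hypothetical benign task for contrast: logon-triggered, but the binary is in Program Files.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""


def suspicious_autostart_path(path):
    """True when an autostart command (task action or Run-key value) lives in a user-writable directory."""
    return bool(USER_WRITABLE.match(path.strip().strip('"')))


def load_task_xml(data):
    """Accept str or the raw bytes of a task file (UTF-16 with BOM, or UTF-8)."""
    if isinstance(data, bytes):
        data = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8-sig")
    # The declaration may say UTF-16; expat rejects that on already-decoded text, so drop it.
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data)
    return ET.fromstring(data)


def triage_task_xml(data):
    """Return one finding per Exec action that is auto-triggered and starts from a user-writable path."""
    root = load_task_xml(data)
    triggers = []
    for trig in root.findall("t:Triggers/*", TASK_NS):
        enabled = trig.findtext("t:Enabled", "true", TASK_NS).strip().lower() != "false"
        if enabled:
            triggers.append(trig.tag.split("}")[-1])
    auto = any(t in ("LogonTrigger", "BootTrigger") for t in triggers)
    findings = []
    for exe in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", "", TASK_NS).strip().strip('"')
        if auto and suspicious_autostart_path(cmd):
            findings.append({
                "command": cmd,
                "arguments": exe.findtext("t:Arguments", "", TASK_NS).strip(),
                "triggers": triggers,
                "user": root.findtext("t:Triggers/t:LogonTrigger/t:UserId", "", TASK_NS),
            })
    return findings


if __name__ == "__main__":
    # A real file would be opened with open(path, "rb"); here the sample is encoded as Windows stores it.
    for hit in triage_task_xml(SAMPLE_TASK_XML.encode("utf-16")):
        print("SUSPICIOUS", hit)
    print("benign findings:", triage_task_xml(BENIGN_TASK_XML))
```

On a live system or a disk image the same function can be run over every file under C:\Windows\System32\Tasks; the dropped tmp*.tmp file in %TEMP% is usually deleted after schtasks has consumed it, so the registered task copy is the durable artefact.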
Additional IOCs correlated with Agent Tesla
- 69[.]46[.]6[.]238
- 192[.]185[.]226[.]148
- 198[.]154[.]240[.]47
- 166[.]62[.]27[.]182
- 192[.]168[.]100[.]167 (RFC 1918 private address: an internal or sandbox artefact, not usable as a network indicator)
- 69[.]16[.]231[.]57
- 103[.]14[.]20[.]94
- 198[.]54[.]115[.]249
- 204[.]11[.]56[.]48
- 199[.]188[.]206[.]58
- 198[.]49[.]72[.]29
- 63[.]247[.]140[.]70
- 198[.]54[.]115[.]130
- 198[.]54[.]116[.]236
- 209[.]99[.]40[.]222
- 207[.]174[.]214[.]206
- 78[.]198[.]121[.]158
- 104[.]194[.]10[.]93
- 68[.]65[.]123[.]141
- 185[.]61[.]153[.]106
- 193[.]239[.]84[.]207
SHA-256 hashes of the Agent Tesla executable samples detected:
- 45c22ef191a04d054c8a9e4f873c8ccfe34527944da8c9f60dbb656c7a1dd30e
- 878a4f96c80d638d087347f2f4d9fd09df01b3bff20ce362c9fff16bca94e5bb
- 0fbeab0e8f28875b8961f590ff42267c3e21ce9ea587a02fb9573fdfe9c4fb3c
- 1137a5b1100685623a208af986d530c8f603f82e874721bdac8ce48488baf08e
- 595991e7a071216bcda0f04df68de57a54f8bd31197031b4b4d473675aa285f1
- f7ad9b234d31ce511b8b0915c52e8611b3a7667c71ed5ffd6cc26ce99d2ba5b4
- 46ce9bbd88955426cb51db89e2767e46b5a1718b1d90407c5845b648ee8dc7c8
- 009865EA20036C19381086A91108D419A8294DF7CF4C1DF5919D9DA1D613F4AE
- 8C452BB85D7C88B9B0DD44023EC6F4D63ABD7E2AD66205B598B32A6D31F36888
- 47243E179BC23FE9057253F84684C37EBE99F2E70DA2E8236F56042E64C335B5
- 98377E01641DAD941B567A822A9F99C843CEFB38FE4B641D99CE0E83E3E0C498
- DDE9D304BD76E5070A8837EB4B8859B8CF73F5F97154EAC84F55859CCDF01758
- 824A19B9DC158B71EAFF47E2EE64688CFD315E493DF198FAB0166370488D9553
- 19AA079C6DE34EB550070AA69F98C741AEFD04D8B83B1C7E23BF89576BA1B69B
- BF046025515879E2A468B9FF5305EB34C927B6C3E6B1ADBE50277B24A255FC9F
- 456A91ABABAF84F414409B11CCD8C3707B4BB960FF1EA7C2C4D0994786C10523
- 5B8643A221D028761328525EC881250FB02840F97792557020A49A226D23E7E6
- 9692D3FCBE8181EB9B964C8CE0D960A3C3F64E84E231BAA607798971C744CDE8
- CC8712E3A1EF6A730A68805E62971D3DA99EFCBF120FB627D1C7315B3CA35F8B
- ED16AF86E5BA09E46175311CF0EB7E3E1684ABA68ED59BE8E7327B4A47245326
- 5753294933668F57E487079FFFF070BAF9D275E30798A5D9CF9D54EEFEC352C4
- 82F1CEE3C16BA6868870E1B45CCF5DFB126562A42F1B3EA0DA7122A965F5A400
- 34CD4FCF758566CCFD538E85988330EC7DB2C7823375448353DC7A8F9B4EB53B
- C218F628B56B2316CBE236C3A15EB3AA1D138CCD85FC5D5CE76CCAA61BF75032
- 0498C1E68E0FB59171E05BEE6AFDC6E4697F28FEC80BA0E9C70D4B5A7A6AD198
- 90EBC7865DF4E941AACD68DD89BEA0EFCD6A082CEBCBA405FE0400C39CACD21D
- C5712FAD8759DCBF70ADD6208D6E4824680DC6F452D1E63AC1F2FC1CA8B0F24F
Domains and hostnames correlated with Agent Tesla:
- mail[.]tradzilanilaw[.]co[.]za
- webmail[.]mdist[.]us
- mail[.]axes[.]com[.]pe
- mail[.]vpb[.]pe
- api[.]ip[.]sb (public IP-lookup service the stealer queries to learn the victim's external address; a useful detection signal, but not attacker infrastructure)
- www[.]newcontemporaryartists[.]com
- joophesh[.]com
- outtlook[.]com
- www[.]adblockgenesis[.]com
- concordiaoperativo[.]com
- mail[.]aceconsulting[.]in
- smtp[.]syametal[.]com
- smtp[.]robotah[.]eu
- smtp[.]globaloffs-site[.]com
- smtp[.]kaeiser[.]com
- smtp[.]frtsolutinos[.]com
- smtp[.]ternptechindia[.]com
- esclavage-indemnites[.]fr
- smtp[.]freislandcampina[.]co
- smtp[.]sierametals[.]com
- smtp[.]nilkarnal[.]com
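As an added example (not part of the original report), the following Python refangs indicators such as the ones above, buckets them by type, de-duplicates them (the SHA-256 list contains the same hash in two letter cases) and separates non-routable addresses and public IP-lookup services from real attacker infrastructure before anything reaches a blocklist. SAMPLE_IOCS is a subset drawn from the page's lists; the classification rules are an added heuristic, not from the report.

```python
import ipaddress
import re

DEFANG_SUBSTITUTIONS = (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("hxxp", "http"))
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)

# Public "what is my IP" services that Agent Tesla queries to learn the victim's external
# address. Seeing them is a detection signal, but they are not attacker infrastructure.
IP_LOOKUP_SERVICES = {"api.ip.sb"}

# Indicators taken from the lists above (a subset), in their defanged form.
SAMPLE_IOCS = [
    "69[.]46[.]6[.]238",
    "192[.]168[.]100[.]167",
    "mail[.]tradzilanilaw[.]co[.]za",
    "api[.]ip[.]sb",
    "outtlook[.]com",
    "46ce9bbd88955426cb51db89e2767e46b5a1718b1d90407c5845b648ee8dc7c8",
    "46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8",
    "0E06054BEB13192588E745EE63A84173",
]


def refang(ioc):
    """Undo the usual defanging conventions so the value can be parsed."""
    s = ioc.strip()
    for needle, repl in DEFANG_SUBSTITUTIONS:
        s = s.replace(needle, repl)
    return s


def classify(ioc):
    """Return (bucket, normalized_value) for one indicator."""
    s = refang(ioc)
    if HEX_HASH.match(s):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(s)], s.lower()
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
            return "ip_not_routable", str(ip)  # RFC 1918 etc.: internal/sandbox artefact, never blocklist
        return "ip", str(ip)
    host = s.lower().rstrip(".")
    if HOSTNAME.match(host):
        return ("ip_lookup_service" if host in IP_LOOKUP_SERVICES else "domain"), host
    return "unknown", s


def normalize(iocs):
    """Bucket and de-duplicate a list of raw indicators; hashes dedupe case-insensitively."""
    buckets = {}
    for raw in iocs:
        bucket, value = classify(raw)
        values = buckets.setdefault(bucket, [])
        if value not in values:
            values.append(value)
    return buckets


def blocklist(iocs):
    """Only the indicators that are safe to push to a network blocklist."""
    b = normalize(iocs)
    return sorted(b.get("ip", []) + b.get("domain", []))


if __name__ == "__main__":
    for bucket, values in normalize(SAMPLE_IOCS).items():
        print(f"{bucket:18} {values}")
    print("blocklist:", blocklist(SAMPLE_IOCS))
```

Hashes go to endpoint tooling rather than the network blocklist, and the ip_not_routable and ip_lookup_service buckets are kept for detection context only; pushing 192.168.100.167 or api.ip.sb to a perimeter blocklist would either do nothing or break legitimate traffic.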