Malware Analysis Interesting .NET malware disassembly

throwaway1934 · Jul 29, 2020

I'm having a hard time figuring out how to understand this interesting .NET malware that should be affiliated with Agent Tesla malware family.
From ANY.RUN, there are a lot of interesting behaviours and registry modification that I'd like to take a look and better understand it so I can write a final report on it.

The problem is that the main executable that should be the dropper, it seems to have 0 functionalities such as file creation, registry modification and so on.
It has no malicious code (imo) and has nothing to do with the final dropped service that it should create.

I'd appreciate any inputs that you guys can give me

MD5: 1a25e75693b99ad09e55aea29c6f2775
AnyRun: malware.exe (MD5: 1A25E75693B99AD09E55AEA29C6F2775) - Interactive analysis - ANY.RUN

Andy Ful · Jul 29, 2020

The initial malware (malware.exe) drops two files: &startupname&.exe (internal name BSCPQ.exe) and tmp1F0.tmp (XML script). It also adds the scheduled task to execute the script tmp1F0.tmp . This script executes &startupname&.exe (probably Agent Teslka malware).

The malware.exe uses also the legal system file RegSvcs.exe which spawns Reg.exe (also legal) to make persistence via "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and run the executable oPLNOE.exe from the user profile. The oPLNOE.exe is a copy of RegSvcs.exe.
If I correctly remember the RegSvcs.exe is a target of shellcode injection in Agent Tesla malware.

struppigel · Jul 30, 2020

Ah, I see why you are confused about the .NET file. It has a card playing game as a disguise.

There is one thing that I learned will save you a lot of work in malware analysis. Before you open any file in a debugger or decompiler, check the strings with Sysinternals strings.exe. If you find interesting ones, check the area around those strings in a hex editor. If the file is not too big, use the hex editor to scroll through the whole file at least once and skim interesting areas.

In this case, one string should immediately stand out:

You can already see that this is a .NET resource, because you can see the header of it right before the string starts. Now scroll down and you see that the string changes slightly:

This is very indicative of data being XOR'ed using the key "Quotes_on_Life". The parts of the data that are zero bytes show the key and this probably contains lots of zero bytes.

Now if you open up dnSpy, you can check the resources.
Here is another thing you might want to remember, so you can recognize it if you see it:

This is the typical look of an image that's actually code or encrypted data. It's anything but not an image and very typical for malware. This one is called cnJCh and right below is a resource called SAS which is the big Quotes_on_Life string.

Now you just need to find the location where these resources are obtained and what is done to them. .NET uses resource managers. Look for the resource manager for WinFormsFirstOne.Properties.Resources.resources. Right-click on the get method --> analyse. You will arrive at more getters that retrieve SAS and cnJCh from the resources and return back the string or the bitmap. Again right-click analyse on the get method for SAS, check what is calling the getter and you arrive here:

Now you will realize that my assumption of using XOR is wrong. In this case it's a base64 string, where all 'A's have been replaced by "Quotes_on_Life".
You can use notepad++ to decode this.

What also might have caught your eye in a strings listing is the reversed "Invoke" and the "GetMethod" string you see in the code. It's very indicative of a packed .NET that executes the payload dynamically and doesn't want those method names to appear in the .NET symbol table. So the second way you could have found this location is searching for those strings.

This is actually an excellent example for a video tutorial. With your permission I would like to use this sample for it. Not sure when I have the time, but I will make note of it.

Andy Ful · Jul 30, 2020

Here is another analysis:

CAPE Sandbox

www.capesandbox.com

Andy Ful · Jul 31, 2020

If I would like to hide the shellcode in the malware, then the best method would be to use a large portion of suspicious & highly obfuscated "dead" code which does only innocent things. Some fragments could be the obfuscated bullshit which does not make any sense and might be executed only in the past (so it will not break anything now and in the future). It would be hard and time-consuming to find the right malicious code, especially when the malware does not trigger malicious actions in the VM or analyst's sandbox.

Another problem can be with targetted malware which uses some already known information about the targetted system to create a private decryption key. This key is created on the fly on any machine, but will successfully decrypt the malicious code only on the right machine.

All of the above and some other more sophisticated methods are known for years. The malc0ders rarely use them because much simpler methods still work.

Andy Ful · Jul 31, 2020

Some interesting details of AgentTesla malware (April 2020):

New Agent Tesla Variant Spreading by Phishing

Read this threat analysis from FortiGuard Labs to learn more about a new version of Agent Tesla. It examines how this variant spreads in the victim’s system, what data it steals from the victim’s d…

www.fortinet.com

How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I

If you’d read my previous articles I assured that I’ll be releasing some article every week but now that seems nearly impossible due to some time constraints. I would have shared some things from my

mrt4ntr4.github.io

It seems that this malware (initial executable) can be decrypted by using the unpac.me online service:

VirusTotal

www.virustotal.com

VirusTotal

www.virustotal.com

VirusTotal

www.virustotal.com

throwaway1934 · Aug 2, 2020

Thanks for all your replies guys, I kept pushing and managed to find the last executable that should be the juiciest one but failed since I had no idea how to proceed.
Here is the report I wrote: Agent Tesla

@struppigel Go ahead, I found it on malshare and thought it would have been easy to reverse for a beginner, guess I was wrong ahah

Gonbei · Aug 29, 2020

That’s a very nice report.
I'm also in trouble because I can't decompile the third executable with dnspy.
I wonder if there is a good way to do so.

struppigel · Oct 20, 2020

I finally made the video for this sample

Btw, I could decompile the third executable just fine. Didn't try to deobfuscate, though.

App Review - Malware Analysis - Simple Habits to Stop Going Down the Rabbit Hole

To summarize: Don't dive immediately into code, create an overview first. To do so: always extract strings (IDA strings tab is no replacement) always check file in a hex editor use visualization for large files to find interesting areas use automated analysis reports along the way make notes...

malwaretips.com

Search

Malware Analysis Interesting .NET malware disassembly

throwaway1934

New Member

Andy Ful

From Hard_Configurator Tools

struppigel

Super Moderator

Andy Ful

From Hard_Configurator Tools

CAPE Sandbox

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

New Agent Tesla Variant Spreading by Phishing

How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I

VirusTotal

VirusTotal

VirusTotal

throwaway1934

New Member

Gonbei

New Member

struppigel

Super Moderator

App Review - Malware Analysis - Simple Habits to Stop Going Down the Rabbit Hole

Similar threads