throwaway1934

New Member
I'm having a hard time figuring out how to understand this interesting .NET malware that should be affiliated with the Agent Tesla malware family.
From ANY.RUN, there are a lot of interesting behaviours and registry modifications that I'd like to take a look at and better understand so I can write a final report on it.

The problem is that the main executable, which should be the dropper, seems to have no functionality such as file creation, registry modification and so on.
It has no malicious code (imo) and has nothing to do with the final dropped service that it should create.

I'd appreciate any inputs that you guys can give me :)

MD5: 1a25e75693b99ad09e55aea29c6f2775
AnyRun: malware.exe (MD5: 1A25E75693B99AD09E55AEA29C6F2775) - Interactive analysis - ANY.RUN
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
The initial malware (malware.exe) drops two files: &startupname&.exe (internal name BSCPQ.exe) and tmp1F0.tmp (XML script). It also adds a scheduled task to execute the script tmp1F0.tmp. This script executes &startupname&.exe (probably Agent Tesla malware).

The malware.exe also uses the legal system file RegSvcs.exe, which spawns Reg.exe (also legal) to make persistence via "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and run the executable oPLNOE.exe from the user profile. The oPLNOE.exe is a copy of RegSvcs.exe.
If I remember correctly, RegSvcs.exe is a target of shellcode injection in Agent Tesla malware.
 
Last edited:
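The three observations in this post (RegSvcs.exe spawning Reg.exe, a Run value pointing into the user profile, and a renamed copy of RegSvcs.exe) can be turned into triage rules. The script below is an added example and not code from the thread; it runs over constructed events whose field names are assumptions modelled on Sysmon process-creation and registry-set events, and every path and value in the sample list is made up for illustration.

```python
import ntpath

# Persistence location named in the post.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def regsvcs_spawns_reg(ev: dict) -> bool:
    """RegSvcs.exe (a .NET utility for registering services) starting Reg.exe."""
    return (ev["type"] == "process"
            and _name(ev["parent_image"]) == "regsvcs.exe"
            and _name(ev["image"]) == "reg.exe")


def run_key_points_into_profile(ev: dict) -> bool:
    """A Run value whose target lives under a user profile rather than Program Files or Windows."""
    return (ev["type"] == "registry"
            and ev["target"].lower().startswith(RUN_KEY.lower() + "\\")
            and "\\users\\" in ev["details"].lower())


def renamed_copy_of_regsvcs(ev: dict) -> bool:
    """A process whose version info says RegSvcs.exe but whose file is called something else."""
    return (ev["type"] == "process"
            and ev.get("original_file_name", "").lower() == "regsvcs.exe"
            and _name(ev["image"]) != "regsvcs.exe")


RULES = [regsvcs_spawns_reg, run_key_points_into_profile, renamed_copy_of_regsvcs]


def triage(events):
    """Return (rule name, event index) for every rule that fires, in event order."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, i))
    return hits


# Constructed sample events (made up for this example, not captured telemetry).
# The RegSvcs.exe path below is an assumed .NET Framework install location.
EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\reg.exe", "original_file_name": "reg.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "registry",
     "target": RUN_KEY + r"\oPLNOE",
     "details": r"C:\Users\alice\AppData\Roaming\oPLNOE.exe"},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\oPLNOE.exe", "original_file_name": "RegSvcs.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign noise that must not fire.
    {"type": "registry",
     "target": RUN_KEY + r"\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, idx in triage(EVENTS):
        print(f"{rule}: event {idx} -> {EVENTS[idx]}")
```

The third rule depends on the original file name from the PE version resource, which Sysmon records in its process-creation event; a copy of a system binary keeps that field even after being renamed, which is what gives the oPLNOE.exe observation away without needing a hash.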

struppigel

Moderator
Verified
Staff member
Ah, I see why you are confused about the .NET file. It has a card playing game as a disguise.

There is one thing that I learned will save you a lot of work in malware analysis. Before you open any file in a debugger or decompiler, check the strings with Sysinternals strings.exe. If you find interesting ones, check the area around those strings in a hex editor. If the file is not too big, use the hex editor to scroll through the whole file at least once and skim interesting areas.

In this case, one string should immediately stand out:
lifeonquotes.png

You can already see that this is a .NET resource, because you can see the header of it right before the string starts. Now scroll down and you see that the string changes slightly:

lifeonquotes2.png

This is very indicative of data being XOR'ed using the key "Quotes_on_Life". The parts of the data that are zero bytes show the key and this probably contains lots of zero bytes.

Now if you open up dnSpy, you can check the resources.
Here is another thing you might want to remember, so you can recognize it if you see it:
resource.png

This is the typical look of an image that's actually code or encrypted data. It's anything but an image and very typical for malware. This one is called cnJCh and right below is a resource called SAS which is the big Quotes_on_Life string.

Now you just need to find the location where these resources are obtained and what is done to them. .NET uses resource managers. Look for the resource manager for WinFormsFirstOne.Properties.Resources.resources. Right-click on the get method --> analyse. You will arrive at more getters that retrieve SAS and cnJCh from the resources and return back the string or the bitmap. Again right-click analyse on the get method for SAS, check what is calling the getter and you arrive here:

code.png

Now you will realize that my assumption of using XOR is wrong. In this case it's a base64 string, where all 'A's have been replaced by "Quotes_on_Life".
You can use notepad++ to decode this. ;)

What also might have caught your eye in a strings listing is the reversed "Invoke" and the "GetMethod" string you see in the code. It's very indicative of a packed .NET that executes the payload dynamically and doesn't want those method names to appear in the .NET symbol table. So the second way you could have found this location is searching for those strings.

This is actually an excellent example for a video tutorial. With your permission I would like to use this sample for it. Not sure when I have the time, but I will make note of it.
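Reversing the substitution this post ends up with (a base64 string in which every 'A' was replaced by "Quotes_on_Life") is a two-line job, but it is worth seeing why the key is visible at all and what makes the swap reversible. The script below is an added example, not code from the thread or from the sample; the payload it decodes is a constructed zero-padded blob, not the real cnJCh resource, and the helper names are mine.

```python
import base64
import string

# The token the post found in place of every 'A' of the base64 text.
KEY = "Quotes_on_Life"

_B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def check_key(key: str) -> None:
    """The swap is only reversible if the key can never occur in genuine base64 text
    and does not itself contain the letter it stands in for."""
    if "A" in key:
        raise ValueError("key contains 'A': replacement would be ambiguous")
    if set(key) <= _B64_CHARS:
        raise ValueError("key is made only of base64 characters: replacement would be ambiguous")


def looks_like_substituted_base64(text: str, key: str = KEY) -> bool:
    """Triage check: does putting 'A' back leave nothing but base64 characters?"""
    return key in text and set(text.replace(key, "A")) <= _B64_CHARS


def decode_resource(text: str, key: str = KEY) -> bytes:
    """Undo the substitution and base64-decode the result (strict: rejects stray bytes)."""
    check_key(key)
    return base64.b64decode(text.replace(key, "A"), validate=True)


def encode_resource(payload: bytes, key: str = KEY) -> str:
    """Build such a resource string; used here only to construct sample input."""
    check_key(key)
    return base64.b64encode(payload).decode("ascii").replace("A", key)


# Constructed sample payload (not the sample from the thread): a zero-padded
# header. Every 3 zero bytes encode to "AAAA", so after the swap the key repeats
# back to back, which is what makes it jump out of a strings listing.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 30 + b"constructed sample data, not real malware\n"
SAMPLE_RESOURCE = encode_resource(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("key occurrences:", SAMPLE_RESOURCE.count(KEY))
    print("looks substituted:", looks_like_substituted_base64(SAMPLE_RESOURCE))
    print("decoded head:", decode_resource(SAMPLE_RESOURCE)[:8])
```

The check in check_key is the reason the XOR guess and the substitution guess are distinguishable in a hex editor: an XOR key would corrupt every byte, while this swap only ever touches the letter 'A', so everything else in the blob still looks like clean base64 around the repeated token.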
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
If I wanted to hide the shellcode in the malware, then the best method would be to use a large portion of suspicious & highly obfuscated "dead" code which does only innocent things. Some fragments could be obfuscated nonsense which does not make any sense and might have been executed only in the past (so it will not break anything now or in the future). It would be hard and time-consuming to find the right malicious code, especially when the malware does not trigger malicious actions in the VM or analyst's sandbox. :unsure:

Another problem can be with targeted malware which uses some already known information about the targeted system to create a private decryption key. This key is created on the fly on any machine, but will successfully decrypt the malicious code only on the right machine. :(

All of the above and some other more sophisticated methods have been known for years. The malc0ders rarely use them because much simpler methods still work.
 
Last edited:

Andy Ful

Level 60
Verified
Trusted
Content Creator
Some interesting details of AgentTesla malware (April 2020):

It seems that this malware (initial executable) can be decrypted by using the unpac.me online service:

unpacme.png

 