Malware Analysis Interesting .NET malware disassembly

T

throwaway1934

New Member
Thread author
Jul 29, 2020
2
I'm having a hard time figuring out how to understand this interesting .NET malware that should be affiliated with Agent Tesla malware family.
From ANY.RUN, there are a lot of interesting behaviours and registry modification that I'd like to take a look and better understand it so I can write a final report on it.

The problem is that the main executable that should be the dropper, it seems to have 0 functionalities such as file creation, registry modification and so on.
It has no malicious code (imo) and has nothing to do with the final dropped service that it should create.

I'd appreciate any inputs that you guys can give me :)

MD5: 1a25e75693b99ad09e55aea29c6f2775
AnyRun: malware.exe (MD5: 1A25E75693B99AD09E55AEA29C6F2775) - Interactive analysis - ANY.RUN
 
  • Like
Reactions: ForgottenSeer 89360, Mercenary, Stopspying and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
The initial malware (malware.exe) drops two files: &startupname&.exe (internal name BSCPQ.exe) and tmp1F0.tmp (XML script). It also adds the scheduled task to execute the script tmp1F0.tmp . This script executes &startupname&.exe (probably Agent Teslka malware).

The malware.exe uses also the legal system file RegSvcs.exe which spawns Reg.exe (also legal) to make persistence via "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and run the executable oPLNOE.exe from the user profile. The oPLNOE.exe is a copy of RegSvcs.exe.
If I correctly remember the RegSvcs.exe is a target of shellcode injection in Agent Tesla malware.
 
Last edited:
  • Like
  • +Reputation
Reactions: ForgottenSeer 89360, CyberPanther, Mercenary and 5 others
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Ah, I see why you are confused about the .NET file. It has a card playing game as a disguise.

There is one thing that I learned will save you a lot of work in malware analysis. Before you open any file in a debugger or decompiler, check the strings with Sysinternals strings.exe. If you find interesting ones, check the area around those strings in a hex editor. If the file is not too big, use the hex editor to scroll through the whole file at least once and skim interesting areas.

In this case, one string should immediately stand out:
lifeonquotes.png

You can already see that this is a .NET resource, because you can see the header of it right before the string starts. Now scroll down and you see that the string changes slightly:

lifeonquotes2.png

This is very indicative of data being XOR'ed using the key "Quotes_on_Life". The parts of the data that are zero bytes show the key and this probably contains lots of zero bytes.

Now if you open up dnSpy, you can check the resources.
Here is another thing you might want to remember, so you can recognize it if you see it:
resource.png

This is the typical look of an image that's actually code or encrypted data. It's anything but not an image and very typical for malware. This one is called cnJCh and right below is a resource called SAS which is the big Quotes_on_Life string.

Now you just need to find the location where these resources are obtained and what is done to them. .NET uses resource managers. Look for the resource manager for WinFormsFirstOne.Properties.Resources.resources. Right-click on the get method --> analyse. You will arrive at more getters that retrieve SAS and cnJCh from the resources and return back the string or the bitmap. Again right-click analyse on the get method for SAS, check what is calling the getter and you arrive here:

code.png

Now you will realize that my assumption of using XOR is wrong. In this case it's a base64 string, where all 'A's have been replaced by "Quotes_on_Life".
You can use notepad++ to decode this. ;)

What also might have caught your eye in a strings listing is the reversed "Invoke" and the "GetMethod" string you see in the code. It's very indicative of a packed .NET that executes the payload dynamically and doesn't want those method names to appear in the .NET symbol table. So the second way you could have found this location is searching for those strings.

This is actually an excellent example for a video tutorial. With your permission I would like to use this sample for it. Not sure when I have the time, but I will make note of it.
 
  • Like
  • +Reputation
Reactions: ForgottenSeer 89360, R2D2, CyberPanther and 11 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
If I would like to hide the shellcode in the malware, then the best method would be to use a large portion of suspicious & highly obfuscated "dead" code which does only innocent things. Some fragments could be the obfuscated bullshit which does not make any sense and might be executed only in the past (so it will not break anything now and in the future). It would be hard and time-consuming to find the right malicious code, especially when the malware does not trigger malicious actions in the VM or analyst's sandbox.:unsure:

Another problem can be with targetted malware which uses some already known information about the targetted system to create a private decryption key. This key is created on the fly on any machine, but will successfully decrypt the malicious code only on the right machine.:(

All of the above and some other more sophisticated methods are known for years. The malc0ders rarely use them because much simpler methods still work.
 
Last edited:
  • Like
Reactions: ForgottenSeer 89360, Stopspying, Protomartyr and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Some interesting details of AgentTesla malware (April 2020):
www.fortinet.com

New Agent Tesla Variant Spreading by Phishing

Read this threat analysis from FortiGuard Labs to learn more about a new version of Agent Tesla. It examines how this variant spreads in the victim’s system, what data it steals from the victim’s d…
www.fortinet.com www.fortinet.com
mrt4ntr4.github.io

How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I

mrt4ntr4.github.io mrt4ntr4.github.io

It seems that this malware (initial executable) can be decrypted by using the unpac.me online service:

unpacme.png

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
 
  • Like
Reactions: ForgottenSeer 89360, Stopspying, Protomartyr and 2 others
struppigel

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I finally made the video for this sample :p :)
Btw, I could decompile the third executable just fine. Didn't try to deobfuscate, though.
malwaretips.com

App Review - Malware Analysis - Simple Habits to Stop Going Down the Rabbit Hole

To summarize: Don't dive immediately into code, create an overview first. To do so: always extract strings (IDA strings tab is no replacement) always check file in a hex editor use visualization for large files to find interesting areas use automated analysis reports along the way make notes...
malwaretips.com malwaretips.com
 
  • Like
  • +Reputation
Reactions: ForgottenSeer 89360, dfirsec, Protomartyr and 4 others

Similar threads

silversurfer
    • Like
    • +Reputation
Malware News New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
Replies
1
Views
1,139
Security News
kamiloxf
K
Shadowra
    • +Reputation
    • Like
    • Thanks
App Review DeepInstinct Endpoint Security v5
Replies
10
Views
614
Video Reviews - Security and Privacy
ShenguiTurmi
ShenguiTurmi
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Malwarebytes Premium Anti-Malware v5
Replies
5
Views
993
Video Reviews - Security and Privacy
anirbandutta01
anirbandutta01

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top