🥇 Defecit species: AgentTesla afferimus ad aquam mundam. Part 1

Nuper Europae fabrica fabricae electricae institutionis instrumenti Group-IB contactus contactus eius operarius litteras suspectas accepit cum malitioso adfectu in tabellario. Ilya Pomerantsev, analysis malware apud CERT Group-IB, accuratam analysin huius fasciculi perduxit, AgentTesla spyware ibi detexit et dixit quid a talibus malware et quomodo periculosum exspectet.

Cum hac posta seriem articulorum aperimus in quomodo tam potentialiter periculosa lima analyseris, et exspectamus curiosissima die 5 mensis Decembris pro libera interactive webinar thema "Malware Analysis: Analysis Verae Causae". Omnia singula sub incisa sunt.

Distributio mechanism

Scimus malware attigisse machinam victimae per emails hamatas. Litterae recipiens probabiliter BCCed erat.

Analysis capitis ostendit missorem epistolae fuisse spoofed. Re vera litterae sunt vps56[.]oneworldhosting[.]com.

In email affectum continet in archivo WinRar qoute_jpeg56a.r15 cum malitiosa exsecutabile QOUTE_JPEG56A.exe intus.

Malware ecosystem

Nunc videamus quid ecosystematum malware sub studio similis speciem praebeat. Figura infra ostendit structuram ac directiones commercii partium.

Nunc singula malware membra planius videamus.

Loader

Original file QOUTE_JPEG56A.exe digestus est AutoIt v3 script.

Obfuscator scriptor originalis, obfuscator cum similibus PElock AutoIT-Obfuscator indolem.
Deobfuscatio exercetur in tribus gradibus;

removere obfuscation Nam si
Primus gradus est scriptor fluxus imperium restituere. Imperium Flow adulatione est una ex communissimis modis ad applicationem binarii codicis ab analysis defendendi. Mutationes confundentes dramatically multiplicationem augent extrahendi et cognoscendi algorithmarum et structurarum notitiarum.
Row recuperatio
Duo munera ad chordarum encrypt:
- gdorizabegkvfca - Performat Base64-ut decoding
- xgacyukcyzxz - byte-byte XOR simplex chordae primae cum longitudine secundi
removere obfuscation BinaryToString и Judicium

Summa onus divisa in indicem reponitur Pelvis sectiones tabella resource.

Conglutinatio ordinis talis est: TIEQHCXWFG, IME, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

Quod WinAPI munus est ad extrahendum minutum notitia CryptDecryptet sessionis clavem generatam secundum valorem adhibetur ut clavem fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.

Decrypted file exsecutabile mittitur ad munus initus RunPEqui peragit ProcessInject в RegAsm.exe per constructum-in- ShellCode (et ut RunPE ShellCode). Auctoritas ad usum fori Hispanici pertinet insensibilia [.] rete sub cognomine Wardow.

Notatu etiam dignum est, obfuscatorem obfuscatorem in una e filis huius fori In tecto cum similibus proprietatibus identified in sample analysis.

ipsum ShellCode satis simplex et allicit attentionem tantum mutuatam a caterva Piratica AnunakCarbanak. Munus api vocant hashing.

Scimus etiam de casuum usu Frenchy Shellcode uaria.
Praeter functiones descriptas, etiam munera inertes identificamur;

In fine operis processus manualis sit amet consequat
Restarting puer processus quando terminatur
bypass UAC
Salvis payload ad lima
Demonstratio fenestras modales
Expectans murem cursor situ ad mutationem
AntiVM and AntiSandbox
Exitium auto-
Elit payload a network

Scimus talem functionem typicam erga praesidem esse CypherITQuod videtur esse praen.

Principalis moduli of software

Deinde praecipuam malware modulum breviter describemus, et in secundo articulo fusius consideramus. In hoc casu applicatio est NET.

Per analysim obfuscatorem adhibitum deprehendimus ConfuserEX.

IELibrary.dll

Bibliotheca reponitur ut moduli principalis subsidii et notum plugin est AgentTesla, quae praebet functionality ad varias informationes ex Internet Explorer et Edge navigatoris extrahendi.

Agens Tesla est programmator speculativus modularis distributus utens malware ut servitii exemplar sub specie legitimi operis keylogger. Agens Tesla capax est documentorum usoris extrahere et transmittere ex navigatoribus, clientibus electronicis et clientibus FTP servo oppugnatoribus, notationes clipboard datas, et in tegumenti fabrica capiendi. In tempus elit nibh, in rutrum erat tincidunt ut.

Viscus punctum munus est GetSavedPasswords classis InternetExplorer.

In genere, signum exsecutionis linearis est neque ullum praesidium contra analysim continet. Tantum inane munus operam meretur GetSavedCookies. Videtur quod munus plugin dilatari putabatur, sed hoc numquam factum est.

Adiungens bootloader ad systema

Discamus quomodo bootloader rationi adnectitur. Specimen sub studio non ancoras, sed in similibus eventibus occurrit secundum propositum sequens;

in folder C:UsersPublica scriptum est creatus Visual Basic
Exemplum script:
Contenta oneratus fasciculi additamenta sunt charactere nullo et ad folder servata %Temp%
Clavis autoruna creatur in registro pro fasciculo scripto HKCUSoftwareMicrosoftWindowsCurrentVersionRun

Itaque, secundum eventus primae partis analyseos, nomina familiarum omnium membrorum malware sub studio constituere poteramus, infectio exemplaris resolvere ac etiam obiecta pro subscriptionibus scripto obtinere. Huius obiecti analysin nostram continuabimus in proximo articulo, ubi principale moduli accuratius inspiciemus AgentTesla. Non requiro!

Obiter omnes lectores ad liberam interactivum webinarem invitamus in themate "Analysis malware: analysis casuum realium", ubi auctor huius articuli, artifex CERT-GIB, primum scaenam demonstrabit. malware analysis - semi-automaticae involucrum exemplorum utens exemplo trium casuum realium minimorum ex usu, et interesse potes in analysi. Webinar aptus est peritis qui iam experientiam habent in scapis malignis resolvendis. Registration stricte a corporatum inscriptio: mandare. Te expectens!

yara

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule  AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}

hashes

nomine	qoute_jpeg56a.r15
MD5	53BE8F9B978062D4411F71010F49209E
SHA1	A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256	2641DAFB452562A0A92631C2849B8B9CE880F0F8F 890E643316E9276156EDC8A
Type	Archive WinRAR
Size	823014

nomine	QOUTE_JPEG56A.exe
MD5	329F6769CF21B660D5C3F5048CE30F17
SHA1	8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256	49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08 C05B5E3BD36FD52668D196AF
Type	PE (Compiled AutoIt Script)
Size	1327616
OriginalName	Unknown
DateStamp	15.07.2019
linker	Microsoft Linker (12.0) [EXE32]

MD5	C2743AEDDADACC012EF4A632598C00C0
SHA1	79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256	37A1961361073BEA6C6EACE6A8601F646C5B6ECD 9D625E049AD02075BA996918
Type	ShellCode
Size	1474

Source: www.habr.com

Turnout defecit: AgentTesla ad aquam mundam exponamus. Pars III