FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Article Id 222273

Introduction

Agent Tesla is .NET-based spyware that has been a consistent feature of the global threat landscape for a number of years. It is commercially available software that threat actors can purchase on a monthly or yearly license, and it is most commonly delivered through phishing campaigns. Because its creators market the tool openly, numerous actors employ it, the majority being financially motivated cybercrime groups.

 

Agent Tesla contains a large volume of post-exploitation capabilities, mostly focused on collection. It has been observed deployed with capabilities for collecting passwords stored in browsers, dumping Windows credentials, taking screenshots, setting up keyloggers, stealing files and dumping VPN credentials. The tool continues to be adapted by its creators to subvert security software and is flexible in its deployment. Given the variety of actors employing the tool and its flexibility, there are numerous infection chains associated with its use. In this article we look more closely at a phishing email containing an Agent Tesla payload that was collected in a FortiGuard honeypot. Through this analysis we demonstrate how FortiEDR protects against the initial infection and the post-exploitation activity associated with Agent Tesla.

 

Attack Chain

mrobson_0-1661773949520.png

Figure 1. Attack chain associated with Agent Tesla attack detected by FortiGuard Responder team.

 

Initial Access

The initial access method in this case was a phishing email sent to a FortiGuard email honeypot. The email, with subject ‘Purchase Order 20/07/2022’, references a procurement order and includes a disk image attachment titled ‘Re_01373.img’. Figure 2 below contains a screenshot of the original phishing email.

 

mrobson_1-1661774096531.png

Figure 2. Content of the phishing email received by FortiGuard Responder team

 

OSINT research into the email sender indicates that both the sender ‘Lawrence Vallen’ and the company ‘Ozarkwaters – Olympias Group’ are likely fake, set up to make the phish more convincing. This is worth investigating when analyzing phishing emails: adversaries often impersonate real people and companies to build legitimacy, or use compromised email accounts so that their campaigns are not filtered out by email domain filtering.

The attached .img file is a disk image that, when opened on a Windows operating system, is mounted as a drive. To the user this is automatic: double-clicking opens a File Explorer window as if the user had simply opened a folder. The use of attached disk images such as .img and .iso files is a well-known phishing attachment technique that has seen a resurgence in recent months, adopted as part of Qakbot, Gamaredon and Bumblebee campaigns. The technique is chosen because many mail gateways and sandboxes are configured to analyze Office documents and executables but may skip disk images and their contents, increasing the chance that the payload reaches its intended victim. At the time of this campaign, files inside a mounted image also did not inherit the Mark-of-the-Web of the downloaded container, so the SmartScreen warning that a directly downloaded executable would normally trigger did not apply.

Within the image included in the analyzed email is a single executable, ‘Re_01373.exe’. As seen in Figure 3 below, the executable uses the Microsoft OneNote icon, likely to build legitimacy and further convince the user that the attachment is benign, although its file product information references ‘Malwarebytes’. The use of icons from lesser-known Microsoft Office applications like Microsoft Access and Microsoft OneNote, combined with metadata copied from Malwarebytes Assistant, appears to be a common TTP in recent Agent Tesla deployment chains. Threat hunting in VirusTotal for similar samples with these characteristics still yields good returns.

 

mrobson_2-1661774124626.png

Figure 3. The ‘Re_01373.exe’ executable has the Office OneNote icon and mismatched Malwarebytes product information/metadata.

 

Analyzing Agent Tesla Payload

This first executable (Re_01373.exe) is the first-stage loader for the Agent Tesla payload. It is a .NET binary containing a number of embedded components that support the later in-memory execution and on-disk persistence of the Agent Tesla payload. This executable is tracked as ‘Agent.MPA!tr.dldr’ by FortiGuard Labs. The executable's code is obfuscated with multiple layers of dynamic methods, obscure class names and indirect execution through event handlers. Some of these features can be seen in Figure 4 below.

 

mrobson_3-1661774149772.png

Figure 4. A screenshot of some of the ‘Re_01373.exe’ code showing indicators of obfuscation. Analysis performed using dnSpy[1].

 

We can deobfuscate this .NET binary using de4dot[2], which changes the structure of the code significantly and makes it much easier to follow, as shown in Figure 5 below. The first highlighted area indicates the entry point of the executable and the second highlighted area indicates a reference to a method that is returned to further along in the analysis.

 

mrobson_4-1661774181235.png

Figure 5. Once deobfuscated the code is much simpler to understand: the entry point (Class1.Class1()) defines and creates an instance of an EventHandler object and then calls another custom method. Taken from the deobfuscated ‘Re_01373.exe’ code.

 

Analyzing the code further, we can identify a method (Class1.gform0_0.method_3()) that loads an assembly, as shown in Figure 6 below. Analysis of the methods called as part of this Assembly.Load call points us at another method (Class2.smethod_0()) that contains a large byte array and what appears to be a decryption routine. The routine applies a hardcoded XOR key to the elements of the byte array. The use of a hardcoded XOR key in this manner in the first-stage loader is consistent with previous Agent Tesla campaigns. A screenshot of this hardcoded key can be seen in Figure 7 below. Because XOR is symmetric, the same key recovers the plaintext, and the resulting assembly never touches disk: Assembly.Load(byte[]) maps it straight into the process, which is why the load later appears only as an in-memory (reflective) library load event.

 

mrobson_5-1661774263279.png

Figure 6. Method called from the entry point that loads an assembly. This should result in a library load event that we can track through FortiEDR Threat Hunting. Taken from the deobfuscated ‘Re_01373.exe’ code.

 

mrobson_6-1661774273507.png

Figure 7. The first highlighted box identifies the hardcoded XOR decryption key for the contents of the byte array depicted in the second highlighted box, from within the ‘Re_01373.exe’ deobfuscated code.
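The key-recovery step described above, as an added example (not code from the article or from Fortinet). When a loader XORs an embedded assembly with a hardcoded key, an analyst does not need to read the key out of the decompiled code: the PE header of the decrypted output is known plaintext (‘MZ’ plus the DOS stub message that the Microsoft linker writes at offset 0x4E), so the key falls out directly. The block also reads the COFF compile timestamp of the recovered image, a related check to the future-dated timestamp discussed later for the dropped executable. The key, the minimal PE header and the 2067 timestamp are constructed for this example and are not taken from the sample.

```python
"""Recover an XOR-protected embedded assembly and sanity-check its PE header."""
import datetime
import struct
from typing import Optional

# The MS linker places this DOS stub message at offset 0x4E of every PE; together
# with the 'MZ' signature it gives 41 bytes of known plaintext for key recovery.
DOS_STUB = b"This program cannot be run in DOS mode."
UTC = datetime.timezone.utc


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Derive a repeating XOR key from the blob by assuming it decrypts to a PE.

    For each candidate length, key[off % len] = blob[off] ^ plaintext[off] at every
    known-plaintext offset; the shortest length that yields a contradiction-free,
    fully determined key is returned. The DOS stub alone covers 39 consecutive
    offsets, so any key up to 39 bytes is fully determined.
    """
    if len(blob) < 0x4E + len(DOS_STUB):
        return None
    known = {0: ord("M"), 1: ord("Z")}
    known.update({0x4E + i: c for i, c in enumerate(DOS_STUB)})
    for klen in range(1, max_key_len + 1):
        key: list = [None] * klen
        consistent = True
        for off, pt in known.items():
            kb = blob[off] ^ pt
            if key[off % klen] is None:
                key[off % klen] = kb
            elif key[off % klen] != kb:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def pe_timestamp(pe: bytes) -> datetime.datetime:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) as a UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]  # COFF header, offset 4
    return datetime.datetime.fromtimestamp(ts, UTC)


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal (non-executable) PE header for the example only."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 24)
    hdr[:2] = b"MZ"
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(hdr)


KEY = bytes.fromhex("5a3c7e91d2")  # constructed key for the example, not the sample's
FUTURE_TS = int(datetime.datetime(2067, 6, 11, 7, 0, 48, tzinfo=UTC).timestamp())
ENCRYPTED_BLOB = xor_repeating(build_sample_pe(FUTURE_TS), KEY)  # stands in for the array in Figure 7


def analyse_blob(blob: bytes) -> dict:
    """Recover the key, decrypt, and flag a compile timestamp that lies in the future."""
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None}
    pe = xor_repeating(blob, key)
    ts = pe_timestamp(pe)
    return {
        "key": key.hex(),
        "timestamp": ts.isoformat(),
        "future_timestamp": ts > datetime.datetime.now(UTC),
    }


if __name__ == "__main__":
    print(analyse_blob(ENCRYPTED_BLOB))
```

The known-plaintext approach works for any repeating-key XOR whose output is a PE; if the loader strips or rewrites the DOS stub, fall back to the ‘MZ’ and ‘PE\0\0’ bytes plus the e_lfanew field, which are still predictable.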

 

Dumping the decrypted array gives us another obfuscated .NET executable, this time a DLL called ‘Bwwkqoglhjvu.dll’. This DLL has no entry point, but internal references in the deobfuscated ‘Re_01373.exe’ executable point us at the ‘Pdqvzvtrzdvdprhnbl’ method in the ‘Qfsofhe’ class. Analysis of this method identifies a second byte array, as shown below in Figure 8.

 

mrobson_7-1661774321300.png

Figure 8. Another large byte array contained in the embedded ‘Bwwkqoglhjvu.dll’ library that will be reflectively loaded then executed by the ‘Re_01373.exe’ file on execution.

 

Extracting this byte array reveals a JSON object that appears to contain the configuration options for the embedded Agent Tesla agent. Included within the contents of this array are references to a large byte array that, based on the surrounding code, will be written to a file called ‘Vorccyusxcsdymdtirskoddeinfo.exe’.

 

The ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable has an anomalous icon and no product information, as shown below in Figure 9, but is another .NET binary. Another interesting characteristic of this executable is a creation timestamp of ‘2067-06-11 07:00:48 UTC’, a date in the future that further calls the legitimacy of the file into question.

 

mrobson_8-1661774359476.png

Figure 9. The logo and product information for the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable dropped by the first stage loader ‘Re_01373.exe’.

 

On analysis, the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable is a simple in-memory loader for a secondary DLL (‘Ugewvhy.dll’) embedded as a resource within the file. The executable has two main classes: Program and Altho. The Program class contains three methods: Main(), Read() and Write(). Program.Main() calls Program.Read(), which instantiates the Altho class; Altho extracts the DLL from the internal Ugewvhy resource and converts it to a memory stream that is then loaded by Program.Write(). The screenshots in Figures 10 and 11 below show the key code features associated with this functionality. The embedded ‘Ugewvhy.dll’ is another heavily obfuscated .NET assembly with obfuscation characteristics similar to ‘Bwwkqoglhjvu.dll’.

 

mrobson_9-1661774474747.png

Figure 10. This screenshot shows the entry point code for the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable. Note the three methods Main(), Read() and Write(). Analysis performed using dnSpy[3].

 

mrobson_10-1661774518122.png

Figure 11. This screenshot shows the Altho class from the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable, which is called from the Read() method highlighted above. Analysis performed using dnSpy[4].

 

Analyzing Payload Behavior

On first execution the Re_01373.exe binary reflectively loads two DLLs into memory (in-memory only, with no corresponding file on disk), generating a number of security events. The two DLLs are ‘Bwwkqoglhjvu.dll’, expected from the analysis above, and ‘Newtonsoft.Json.dll’. The anomalous loading of the suspicious ‘Bwwkqoglhjvu.dll’ triggers an ‘Unconfirmed Executable’ event, as shown below in Figure 12.

 

mrobson_11-1661774569603.png

Figure 12. ‘Unconfirmed Executable’ security event related to the ‘Bwwkqoglhjvu.dll’ dll being loaded reflectively into the Re_01373.exe process.

 

The other loaded DLL (Newtonsoft.Json.dll) is a legitimate library, so it does not trigger the ‘Unconfirmed Executable’ rule, but its anomalous in-memory load still triggers a security event because the Re_01373.exe process is already considered suspicious. This library provides JSON support for .NET applications and is used within the malicious ‘Bwwkqoglhjvu.dll’ (note that the embedded configuration extracted above is a JSON object). Figure 13 below shows the related FortiEDR security event.

 

mrobson_12-1661774592457.png

Figure 13. FortiEDR is able to detect anomalous/suspicious executables even when they are only memory resident and created at runtime by malware, as shown above for the Bwwkqoglhjvu.dll and Newtonsoft.Json.dll libraries.

 

Following these library loads the executable checks whether AppLocker is enforced in the targeted environment. AppLocker and PowerShell's Constrained Language Mode are native Windows features; the loader tests for them by dynamically creating a PowerShell script, in this case a base64 encoded ‘Start-Sleep -Seconds 10’ command, and executing it. If the script runs successfully, the loader infers that PowerShell is not in Constrained Language Mode and is not restricted by AppLocker. The sleep may also serve as a short time-based delay against sandboxes. FortiEDR detects this anomalous PowerShell process and the base64 encoded command associated with the check, as shown below in Figure 14.

 

mrobson_13-1661774627538.png

Figure 14. FortiEDR detects the creation of an anomalous PowerShell process by the suspicious Re_01373.exe executable.
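Decoding the encoded command line from a process-creation event like the one in Figure 14, as an added example (not code from the article or from FortiEDR). PowerShell's -EncodedCommand (aliases -e, -ec, -enc) takes the base64 of the UTF-16LE script text, so the command can be decoded offline and triaged. The event below is constructed to mirror what the article describes (an unsigned loader spawning powershell.exe with an encoded Start-Sleep) and is not a captured record; the drive letter and the field names are assumptions.

```python
"""Decode a PowerShell -EncodedCommand from a process-creation event and triage it."""
import base64
import re
from typing import Optional

ENC_FLAG = re.compile(r"^[-/](?:e|ec|enc|encodedcommand)$", re.IGNORECASE)
# Patterns worth surfacing in a decoded script. Start-Sleep is benign by itself;
# it is interesting here because the loader uses it to probe whether PowerShell
# is constrained (and as a sandbox delay), so the parent chain carries the weight.
SUSPICIOUS = {
    "sleep": re.compile(r"\bStart-Sleep\b", re.IGNORECASE),
    "iex": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.IGNORECASE),
    "download": re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    args = cmdline.split()  # adequate here: the flag and its value never contain spaces
    for i, arg in enumerate(args[:-1]):
        if ENC_FLAG.match(arg.strip('"')):
            b64 = args[i + 1].strip('"')
            b64 += "=" * (-len(b64) % 4)  # some launchers strip the base64 padding
            try:
                return base64.b64decode(b64, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def encode_command(script: str) -> str:
    """Produce the value PowerShell expects after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_process_event(event: dict) -> dict:
    """Flag an encoded PowerShell launch whose parent is unsigned or whose script is suspicious."""
    decoded = decode_encoded_command(event["cmdline"])
    findings = []
    if decoded is None:
        return {"decoded": None, "findings": findings, "suspicious": False}
    if not event.get("parent_signed", True):
        findings.append(f"encoded PowerShell spawned by unsigned parent {event['parent']}")
    for label, pat in SUSPICIOUS.items():
        if pat.search(decoded):
            findings.append(f"decoded script matches '{label}'")
    return {"decoded": decoded, "findings": findings, "suspicious": bool(findings)}


# Constructed process-creation event modelled on Figure 14 (not an exported FortiEDR record).
SAMPLE_EVENT = {
    "parent": r"E:\Re_01373.exe",
    "parent_signed": False,
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_command("Start-Sleep -Seconds 10"),
}

if __name__ == "__main__":
    print(triage_process_event(SAMPLE_EVENT))
```

A decoded Start-Sleep on its own is not a verdict; the detection value comes from combining it with the parent (an unsigned .NET executable running from removable media) and with what the same process does next.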

 

Following the PowerShell sleep, the first-stage loader writes the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ executable to the ‘<UserPath>\AppData\Local\Temp\’ directory and executes it. This file is flagged by FortiGuard Labs as ‘Kryptik.AFJO!tr (Trojanmalware)’[5]. FortiEDR detects the malicious Re_01373.exe process attempting to execute ‘Vorccyusxcsdymdtirskoddeinfo.exe’. In ‘Prevention’ mode FortiEDR would block this execution attempt before the file runs, ending the infection chain at this point.

 

mrobson_14-1661774642308.png

Figure 15. Malicious File Detected event related to the pre-execution detection of the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ file, dropped to the Temp directory by Re_01373.exe on execution.

 

Once ‘Vorccyusxcsdymdtirskoddeinfo.exe’ has been written by the ‘Re_01373.exe’ process, an instance of it is spawned. As expected from the code analysis above, this child process reflectively loads and executes the internal resource ‘Ugewvhy.dll’. This behavior is detected by FortiEDR as in-memory execution and is flagged as malicious by the ‘Unconfirmed Executable – Executable File Failed Verification Test’ rule within the default Execution Prevention policy. Figure 16 below shows the generated security event.

 

mrobson_15-1661774662792.png

Figure 16. FortiEDR security event generated following in-memory execution of the ‘Ugewvhy.dll’ within the ‘Vorccyusxcsdymdtirskoddeinfo.exe’ process.

 

The first-stage loader (Re_01373.exe) then spawns a child process of the .NET Framework installation utility ‘InstallUtil.exe’. This is a signed Microsoft executable used to install .NET components. In this case the process is started in a suspended state, then hollowed and injected with additional code (T1055.012: Process Hollowing). This is likely for defense evasion: the binary is signed, and a .NET executable such as the first-stage loader spawning it is not unusual on its own. FortiEDR detects this process hollowing behavior and the executable injected into the hollowed process, as shown in Figure 17 below.

 

mrobson_16-1661774684045.png

Figure 17. FortiEDR security event generated as a result of service access for the WMI service from injected/hollowed InstallUtil.exe.

 

The injected executable can be extracted directly through FortiEDR using the Retrieve Memory function in the Forensics tab. Analysis of the retrieved executable reveals that it is another .NET executable. This is the main Agent Tesla agent and contains code to start a keylogger, take screenshots, extract passwords, download and execute additional payloads and connect to C2, some of which can be observed in Figures 18 and 19 below.

 

mrobson_17-1661774702550.png

Figure 18. Screenshot function within the Agent Tesla agent code injected into the hollowed InstallUtil.exe process.

 

mrobson_18-1661774719273.png

Figure 19. Reference to the MapVirtualKey function within user32.dll, commonly used in keylogger implementations to translate virtual-key codes.

 

Once injected into the InstallUtil.exe process, the Agent Tesla agent creates a copy of itself at ‘<UserPath>\AppData\Local\Temp\excel\’ with the name ‘excel.exe’. At the same time a corresponding value is added under the ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ registry key, ensuring that the payload is re-run when the user next logs in to the infected endpoint (T1547.001: Registry Run Keys/Startup Folder). The excel.exe file is timestomped: its last modification time is set to ‘2017-5-9 21:08:17’, a rollback of over 5 years from its original value, and another of its timestamps is set to ‘2016-7-14 21:43:42’, a rollback of over 6 years. Figures 20 and 21 show FortiEDR Threat Hunting events for each of these behaviors. Note: the excel.exe file is marked as a ‘hidden’ and ‘system’ file, so it will not be visible in File Explorer with default settings.

 

mrobson_19-1661774766618.png

Figure 20. FortiEDR File Create event for the file ‘excel.exe’ created by the injected InstallUtil.exe process.

 

mrobson_20-1661774774907.png

Figure 21. FortiEDR registry Value Set event for creation of a run key corresponding to the recently created ‘excel.exe’ file. Registry modification was performed by the injected InstallUtil.exe process (hosting Agent Tesla agent).

 

During this activity the ‘Re_01373.exe’ process also creates a copy of itself named ‘Zwbhuz.exe’ at ‘<UserPath>\AppData\Roaming\Ehpcm\Zwbhuz.exe’ and creates another Run key value for this copy. Again this is to support persistence.

 

At this stage of execution the Agent Tesla agent reaches out to an external C2 server at IP ‘193.233.187[.]19’. The connection attempt is detected and blocked by FortiEDR through the ‘Suspicious Application – Connection Attempt from a Suspicious Application’ rule, part of the Exfiltration Prevention policy. Figure 22 below shows this security event.

 

mrobson_21-1661774809978.png

Figure 22. FortiEDR security event related to C2 connection from Agent Tesla agent injected into hollowed InstallUtil.exe process.

 

This IP is classified as malicious through FortiGuard Threat Intelligence feeds and has been linked to previous Agent Tesla and NanoCore RAT activity. Figure 23 below shows some information related to previously reported activity available through the FortiGuard Central Threat System (CTS).

 

mrobson_22-1661774821332.png

Figure 23. Fortinet CTS information related to this C2 IP associated with the above analyzed Agent Tesla activity.

 

Analysis of the injected Agent Tesla agent identified indicators of keylogger functionality, some of which can be seen in Figure 19 above. Executing the sample in dnSpy and bypassing its anti-debugging features allowed us to trigger this functionality. As can be seen in the screenshot below (Figure 24), FortiEDR detects and mitigates the keylogging.

 

mrobson_23-1661774840824.png

Figure 24. FortiEDR security event created following detection of keylogging functionality from the injected Agent Tesla agent. Note the execution chain is different from previous events as this sample was executed through dnSpy.

 

Threat Hunting

The following query identifies process creation events for unsigned .NET executables running from mounted drives. It works because Windows mounts .iso and .img files as removable drives by default. Whilst all executables in this Agent Tesla campaign fit this description, the query may also surface other anomalous .NET executables. False positives may occur if running unsigned .NET executables from removable media is part of standard business processes (this is unlikely).

 

Type:"Process Creation" AND Target.Process.File.VolumeType:"Removable" AND Target.Process.File.Type:".NET Executable" AND Target.Process.File.Signed: "false"

 

 

The following query identifies file creation events for .exe and .dll files written by unsigned .NET executables running from mounted drives. Again, whilst all executables in this Agent Tesla campaign fit this description, the query may also surface other anomalous .NET executables. False positives may occur if the use of unsigned .NET executables is part of standard business processes (this is unlikely).

 

Type:"File Create" AND Source.Process.File.VolumeType:"Removable" AND Source.Process.File.Type:".NET Executable" AND Source.Process.File.Signed:"false" AND Target.File.Ext:("exe" OR "dll")

 

 

The following query will return file creation events for executables (.exe and .dll) files created in the temp directory by unsigned executables. This will detect the creation of a number of files related to the above Agent Tesla activity but will also detect other anomalous file creation events. The use of the temp directory for staging malicious files is very common and with adequate tuning this is an effective way of identifying potentially malicious files as they are created and prior to execution.

 

Type:"File Create" AND Source.Process.File.Signed:"false" AND Target.File.Ext:("exe" OR "dll") AND Target.File.Path:"\\AppData\\Local\\Temp\\*"

 

 

The following query will identify process creation event for InstallUtil.exe when the parent process is unsigned. This will detect process creation events for the InstallUtil.exe process that is hollowed and injected with the main Agent Tesla agent from the above analysis. Whilst this query may introduce false positives in environments where .NET executables are employed as part of business functions, and may identify non Agent Tesla malicious activity, all returned events should be investigated.

 

Type:"Process Creation" AND Source.Process.File.Signed:"false"  AND Target.Process.Name:"InstallUtil.exe"

 

 

The following query will identify reflective loading of libraries and executables with no corresponding file on disk. Whilst this technique is not specific to just Agent Tesla activity this query will identify the loading of the ‘Bwwkqoglhjvu.dll’ and ‘Newtonsoft.Json.dll’ libraries into the Re_01373.exe process and the loading of the ‘Ugewvhy.dll’ library into the Vorccyusxcsdymdtirskoddeinfo.exe process outlined above.

 

Category:"Process" AND Target.Executable.File.VolumeType:("Unknown") AND Source.Process.File.Signed:("false")

 

 

The following query identifies registry modification events (Value Set and Value Created) where a Run key entry points into the AppData directory. It will detect any anomalous Run key creation, not only Agent Tesla activity. The query has been refined to remove a significant false positive from the Microsoft Teams updater. To narrow it to the Agent Tesla activity outlined in this article, the Registry.Data:("*\\AppData\\*") component can be replaced with Registry.Data:("*\\AppData\\Local\\Temp\\excel\\*" OR "*\\AppData\\Roaming\\Ehpcm\\*"), although this reduces the query's ability to detect newer variants.

 

Type:("Value Set" OR "Value Created") AND Registry.Path: ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") AND Registry.Data:("*\\AppData\\*") NOT (Registry.Name:"com.squirrel.teams.teams" AND Source.Process.Name:"teams.exe" AND Source.Process.File.Signed:"true" AND Source.Process.File.ProductName:"Microsoft Teams")

 

 

The following query will identify file creation events for files named ‘excel.exe’ written to the users ‘AppData\Local\Temp’ directory. This matches observed Agent Tesla behavior. Low false positive rate but may have limited ability to detect future campaigns.

 

Type:("File Create") AND Target.File.Path:"*\\AppData\\Local\\Temp*" AND Target.File.Name:"excel.exe"

 

 

The following query will identify process creation events where the target process name is ‘excel.exe’, ‘winword.exe’ or ‘powerpnt.exe’ where the process is not signed and the process path is a user’s Temp directory. The Agent Tesla sample analyzed above dropped a file called ‘excel.exe’ and setup persistence through a run key that referenced this file. The query has been extended to include the other two main Microsoft Office executables that are often targeted with this type of filename masquerading to attempt to extend the life of this query. High confidence indicator for suspicious activity.

 

Type:"Process Creation" AND Target.Process.File.Signed:"false" AND Target.Process.File.Path:"*\\AppData\\Local\\Temp\\*" AND Target.Process.Name:("excel.exe" OR "winword.exe" OR "powerpnt.exe")

 

 

The following query detects network socket connection events to known Agent Tesla C2 addresses. It has been enriched with additional FortiGuard Threat Intelligence to cover the C2 IPs linked to recent Agent Tesla campaigns. Note that queries such as this that rely on atomic indicators (like IP addresses) have a limited effective lifespan; the RemoteIP field matches the address only, so entries must not carry a port.

 

Type:"Socket Connect" AND RemoteIP:("141.98.6.75" OR "107.182.129.59" OR "208.67.106.111" OR "193.233.187.19" OR "155.94.209.50" OR "39.42.100.247" OR "42.201.155.21" OR "42.201.155.40" OR "42.201.155.42" OR "64.188.20.198" OR "64.188.21.227" OR "64.188.27.104" OR "72.11.143.47" OR "72.255.43.102" OR "103.133.105.61" OR "103.153.77.98" OR "119.152.145.113" OR "119.152.151.69" OR "69.174.99.181" OR "78.138.105.142")
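The hunting queries above re-expressed as Python predicates, as an added example (not FortiEDR code). The query language runs only inside FortiEDR Threat Hunting, so restating each condition as a predicate makes the logic unit-testable and portable to other telemetry sources. The EVENTS list is constructed to mirror the execution chain in this article; the field names follow the queries, while the drive letter, user name and volume types are assumptions, and nothing here is exported FortiEDR data. The C2 list is a subset of the IOC table below.

```python
"""The threat-hunting queries above, re-expressed as Python predicates over events."""
import fnmatch

C2_IPS = {"193.233.187.19", "141.98.6.75", "107.182.129.59"}  # subset of the IOC list below


def _glob(value, pattern):
    """Case-insensitive wildcard match in the spirit of the query language's * patterns."""
    return fnmatch.fnmatchcase((value or "").lower(), pattern.lower())


def net_exec_from_removable(e):
    t = e["target"]
    return (e["type"] == "Process Creation" and t["volume"] == "Removable"
            and t["file_type"] == ".NET Executable" and not t["signed"])


def exe_dropped_in_temp(e):
    return (e["type"] == "File Create" and not e["source"]["signed"]
            and e["target"]["ext"] in ("exe", "dll")
            and _glob(e["target"]["path"], "*\\AppData\\Local\\Temp\\*"))


def installutil_from_unsigned(e):
    return (e["type"] == "Process Creation" and not e["source"]["signed"]
            and e["target"]["name"].lower() == "installutil.exe")


def reflective_load(e):
    """Executable mapped with no backing file: the query's VolumeType 'Unknown'."""
    return (e["category"] == "Process" and e["target"].get("volume") == "Unknown"
            and not e["source"]["signed"])


def run_key_into_appdata(e):
    if e["type"] not in ("Value Set", "Value Created"):
        return False
    r, s = e["registry"], e["source"]
    if not _glob(r["path"], "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"):
        return False
    if not _glob(r["data"], "*\\AppData\\*"):
        return False
    teams_updater = (r["name"] == "com.squirrel.teams.teams" and s["name"].lower() == "teams.exe"
                     and s["signed"] and s.get("product") == "Microsoft Teams")
    return not teams_updater


def office_masquerade(e):
    t = e["target"]
    return (e["type"] == "Process Creation" and not t["signed"]
            and _glob(t["path"], "*\\AppData\\Local\\Temp\\*")
            and t["name"].lower() in ("excel.exe", "winword.exe", "powerpnt.exe"))


def c2_connect(e):
    return e["type"] == "Socket Connect" and e.get("remote_ip") in C2_IPS


RULES = {f.__name__: f for f in (net_exec_from_removable, exe_dropped_in_temp, installutil_from_unsigned,
                                  reflective_load, run_key_into_appdata, office_masquerade, c2_connect)}


def hunt(events):
    """Return {rule name: [indices of matching events]} for every rule that fires."""
    hits = {}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


def _ev(type_, category, source, target=None, **extra):
    return {"type": type_, "category": category, "source": source, "target": target or {}, **extra}


TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
LOADER = {"name": "Re_01373.exe", "signed": False, "volume": "Removable",
          "file_type": ".NET Executable", "path": "E:\\Re_01373.exe"}
EXPLORER = {"name": "explorer.exe", "signed": True}
INSTALLUTIL = {"name": "InstallUtil.exe", "signed": True, "volume": "Fixed", "file_type": ".NET Executable",
               "path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"}
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

EVENTS = [  # constructed, in the order the article observed the behaviour
    _ev("Process Creation", "Process", EXPLORER, LOADER),
    _ev("Library Loaded", "Process", LOADER, {"name": "Bwwkqoglhjvu.dll", "volume": "Unknown"}),
    _ev("File Create", "File", LOADER, {"name": "Vorccyusxcsdymdtirskoddeinfo.exe", "ext": "exe",
                                        "path": TEMP + "Vorccyusxcsdymdtirskoddeinfo.exe"}),
    _ev("Process Creation", "Process", LOADER, INSTALLUTIL),
    _ev("Value Set", "Registry", INSTALLUTIL,
        registry={"path": RUN, "name": "excel", "data": TEMP + "excel\\excel.exe"}),
    _ev("Value Set", "Registry", {"name": "Teams.exe", "signed": True, "product": "Microsoft Teams"},
        registry={"path": RUN, "name": "com.squirrel.teams.teams",
                  "data": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart Teams.exe"}),
    _ev("Socket Connect", "Network", INSTALLUTIL, remote_ip="193.233.187.19"),
    _ev("Process Creation", "Process", EXPLORER, {"name": "excel.exe", "signed": False, "volume": "Fixed",
                                                  "file_type": ".NET Executable", "path": TEMP + "excel\\excel.exe"}),
]

if __name__ == "__main__":
    for rule, idx in hunt(EVENTS).items():
        print(f"{rule}: events {idx}")
```

Each predicate fires on exactly one stage of the constructed chain and the Teams updater event is excluded, which is the behaviour to preserve when tuning the Run key query for a new environment.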

 

 

Conclusion

Agent Tesla remains a common feature of the global threat landscape due to its easy accessibility, modular design and large number of effective defense evasion features. This article has highlighted some of the characteristics of this malware family and how FortiEDR is able to detect and mitigate the various stages of its installation and execution. FortiEDR coverage of this malware family is solid, with multiple rules across multiple security policies offering a clear layered approach to protection.

 

FortiEDR Threat Hunting provides further opportunities to detect activity related to Agent Tesla execution, as shown by the Threat Hunting queries above. Based on indicators within the detected Agent Tesla sample, the FortiGuard Responder Intel team has provided a list of newer Agent Tesla samples that share characteristics with the sample analyzed above. For completeness, IOCs associated with the original sample and the pivoted samples are provided below.

 

MITRE Mappings

TA0002 – Execution

Technique ID | Technique Description | Observed Activity
T1129 | Shared Modules | Agent Tesla uses module sharing between execution of the main ‘Re_01373.exe’ and ‘Vorccyusxcsdymdtirskoddeinfo.exe’ processes and their various injected assemblies.

TA0003 – Persistence

Technique ID | Technique Description | Observed Activity
T1547.001 | Registry Run Keys / Startup Folder | Agent Tesla installs two Run key values, one for a copy of ‘Re_01373.exe’ at ‘%APPDATA%\Ehpcm\Zwbhuz.exe’ and another for a copy of the injected Agent Tesla agent at ‘%LOCALAPPDATA%\Temp\excel\excel.exe’.

TA0005 – Defense Evasion

Technique ID | Technique Description | Observed Activity
T1027 | Obfuscated Files or Information | The Agent Tesla payload analyzed above includes multiple layers of obfuscation, including encrypted content.
T1036 | Masquerading | The Agent Tesla loader copies the metadata of the legitimate Malwarebytes Assistant executable. Once executed, a copy of the decoded Agent Tesla agent is created in the user's Temp directory with the name ‘excel.exe’ to mimic Microsoft Excel.
T1055.012 | Process Injection: Process Hollowing | Agent Tesla spawns an instance of the legitimate InstallUtil.exe executable in suspended mode and hollows it to inject the final Agent Tesla agent payload.
T1070.006 | Indicator Removal on Host: Timestomp | Agent Tesla performs timestomping on the dropped ‘%LOCALAPPDATA%\Temp\excel\excel.exe’, rolling its modified and created times back by more than 5 and 6 years respectively.
T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Agent Tesla payloads employ time-based sandbox evasion through long sleeps and running timer checks.
T1564.001 | Hide Artifacts: Hidden Files and Directories | The Agent Tesla agent dropped to ‘%LOCALAPPDATA%\Temp\excel\excel.exe’ is marked with the hidden and system attributes, which hides it from File Explorer.

TA0006 – Credential Access

Technique ID | Technique Description | Observed Activity
T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The Agent Tesla agent includes functionality to dump browser data, including stored credentials.

TA0007 – Discovery

Technique ID | Technique Description | Observed Activity
T1057 | Process Discovery | Agent Tesla dumps a list of running processes and sends it to C2 on execution.

TA0009 – Collection

Technique ID | Technique Description | Observed Activity
T1005 | Data from Local System | Agent Tesla's main purpose is to collect local data from a compromised endpoint.
T1056.001 | Input Capture: Keylogging | Agent Tesla contains the functionality to implement a keylogger using the MapVirtualKey function within user32.dll (see Figure 19).
T1113 | Screen Capture | Agent Tesla contains functionality to take screenshots of a compromised endpoint (see Figure 18).
T1115 | Clipboard Data | Agent Tesla contains functionality to copy stored clipboard data.


IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
C2 IP | 141.98.6[.]75 | IP Address | C2 | Agent Tesla C2 | 2022-08-18
C2 IP | 107.182.129[.]59 | IP Address | C2 | Agent Tesla C2 | 2022-07-25
C2 IP | 208.67.106[.]111 | IP Address | C2 | Agent Tesla C2 | 2022-07-19
C2 IP | 193.233.187[.]19 | IP Address | C2 | Agent Tesla C2 | 2022-07-18
C2 IP | 155.94.209[.]50 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 39.42.100[.]247 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 42.201.155[.]21 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 42.201.155[.]40 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 42.201.155[.]42 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 64.188.20[.]198 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 64.188.21[.]227 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 64.188.27[.]104 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 72.11.143[.]47 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 72.255.43[.]102 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 103.133.105[.]61 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 103.153.77[.]98 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 119.152.145[.]113 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 119.152.151[.]69 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 69.174.99[.]181 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
C2 IP | 78.138.105[.]142 | IP Address | C2 | Agent Tesla C2 | 2022-07-13
Malicious URL | http[:]//193.233.187[.]19/bray/inc/38e70bdd9ec137.php | URL | C2 | C2 URL | 2022-07-18
Malicious Executable | 77372e117d4822826689dc0506a07c2a92e9d1d6 | SHA1 Hash | Installation | Agent Tesla Loader Executable | 2022-07-20
Malicious Executable | 0e4ea8b833f8076682878065c3b19b57049f65f2 | SHA1 Hash | Installation | Agent Tesla Executable | 2022-07-20
Malicious Executable | c43bf91d100a8186e4f740367ee0109200f8b53a | SHA1 Hash | Impact | Agent Tesla Agent | 2022-07-20


[1] https://github.com/dnSpy/dnSpy

[2] https://github.com/de4dot/de4dot

[3] https://github.com/dnSpy/dnSpy

[4] https://github.com/dnSpy/dnSpy

[5] https://www.virustotal.com/gui/file/e2fbb61dd022fed587e3f7c4d577ae77bc7759bfb0238a5b7a117dfb5e33dc6c...
