
Joe Security's Blog

Dissecting Agent Tesla with Deep .NET Tracing

Published on: 08.01.2020




Today's malware, droppers and threats targeting Windows come in various "form-factors". They can be an obfuscated JavaScript file, a malicious VBA macro, a JAR payload, etc. In 2019 we have seen an increase of malware using the .NET Framework. Usually, malware or packers / crypters are written either in C# or Visual Basic .NET.

Joe Sandbox is the only malware analysis system using different technologies to analyze each format deeply. Over the last nine years we have developed these ten different technologies:




Our most recent addition is what we call Deep .NET tracing. .NET tracing captures all .NET API calls with arguments. To demonstrate the power of Deep .NET tracing we will dissect a recent Agent Tesla sample. Agent Tesla is a well-known .NET-based RAT used by many threat actors. Most of the variants use multi-layer obfuscation to evade detection and hinder analysis.

Layers Layers Layers


The sample we are going to analyze has been found on VirusTotal (MD5: 03baf522fb9c86bd5512a0ee72457f86, File Name: MT ESSTAR V1911.exe). To enable Deep .NET tracing you have to tick the checkbox in the Code Analysis Section:




When the analysis is finished, you can download the trace files in the download section:




The trace files are available in two formats:

  • Text, easily readable by analysts
  • CSV, easily parsable by machines

Let's have a look at the text trace file. As we can see from the trace file for MT ESSTAR V1911.exe, the initial file is a simple loader which loads an assembly named Model.exe from the resource section:




Next, the method set_sako is called in Model.exe:




You might now ask yourself: wouldn't it be nice to have Model.exe as a file? Well, we have good news: Deep .NET tracing extracts all loaded assemblies. You will find all of them in the memory dumps:






All dumped assemblies are scanned against all Yara rules you have stored in Joe Sandbox. What is set_sako doing next? Well, it is loading another assembly (named Software Updates.dll, 2nd stage) from its resource section:




Right before the assembly is loaded, it is decrypted, as you can see from the Param 0 and Return Value:




Again, the assembly is dumped and stored so that you can download it. 
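
One way to triage the CSV trace for the load chain described above, as an added example that is not Joe Sandbox code: it flags every Assembly.Load call that receives a PE byte array and checks whether that buffer came out of a call that took non-PE bytes in, i.e. was decrypted right before loading. The column names, the hex encoding of byte arrays and the `Placeholder.Decrypt` name are assumptions, and the sample rows are constructed.

```python
import csv
import hashlib
import io

# Constructed sample trace (not real sandbox output). The columns seq, caller,
# api, param0, retval are assumed for this example; byte arrays are hex strings.
# "Placeholder.Decrypt" stands in for the decryption routine the page does not name.
SAMPLE_TRACE = """\
seq,caller,api,param0,retval
1,MT ESSTAR V1911.exe,System.Resources.ResourceManager.GetObject,res1,4D5A90000300
2,MT ESSTAR V1911.exe,System.Reflection.Assembly.Load,4D5A90000300,Model.exe
3,Model.exe,System.Resources.ResourceManager.GetObject,res2,9F3C11A0B2C4
4,Model.exe,Placeholder.Decrypt,9F3C11A0B2C4,4D5A90000400
5,Model.exe,System.Reflection.Assembly.Load,4D5A90000400,Software Updates.dll
6,Model.exe,System.IO.File.Exists,placeholder.txt,False
"""

def to_bytes(value):
    """Decode a hex-encoded byte array; return None for any other argument."""
    try:
        return bytes.fromhex(value) or None
    except ValueError:
        return None

def is_pe(value):
    """True if the argument is a byte array starting with the PE 'MZ' magic."""
    return (to_bytes(value) or b"")[:2] == b"MZ"

def find_reflective_loads(trace_csv):
    """Return one finding per Assembly.Load call that receives a PE byte array."""
    rows = list(csv.DictReader(io.StringIO(trace_csv)))
    findings = []
    for i, row in enumerate(rows):
        if not (row["api"].endswith("Assembly.Load") and is_pe(row["param0"])):
            continue
        # Walk backwards to the call whose return value is the loaded buffer.
        producer = next((r for r in reversed(rows[:i])
                         if r["retval"] == row["param0"]), None)
        # Non-PE bytes in, PE bytes out: the stage was decrypted in memory.
        decrypted = (producer is not None and to_bytes(producer["param0"]) is not None
                     and not is_pe(producer["param0"]))
        findings.append({"seq": int(row["seq"]), "loader": row["caller"],
                         "loaded": row["retval"], "decrypted_before_load": decrypted,
                         "sha256": hashlib.sha256(to_bytes(row["param0"])).hexdigest()})
    return findings

if __name__ == "__main__":
    for finding in find_reflective_loads(SAMPLE_TRACE):
        print(finding)
```

The SHA-256 of each loaded buffer gives a value to compare against the hashes of the dumped assemblies.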

Generic .NET Unpacking


Wouldn't it be fantastic if we had the source code of the decrypted assembly? Well, again we have good news: Joe Sandbox decompiles all dumped PE files (see our previous blog post about generic .NET unpacking). You can download all decompiled .NET projects here:



In the download we find the full source code for the third stage:



This looks to be CyaX Sharp, which is a well-known loader and injector. It comes with various anti-analysis features:










It also employs techniques to disable Windows Defender. When all the anti-analysis techniques are passed, it calls its final injection routine to launch the Agent Tesla payload:





Continuing to follow the .NET trace, we can see the various activities related to information-stealing.
Keylogging:




Stealing login data from Google Chrome:




System information gathering:




Uploading the stolen data via email:




Deep Malware Analysis


Thanks to the new Deep .NET Tracing feature, analysts can look at every single .NET API call and fully understand the inner workings of malware. With the assembly dumping, each unpacking stage is preserved and decompiled. The dumped assembly can be scanned and detected with Yara, while the source code enables an even deeper view into the malware's inner workings.

Joe Sandbox handles the different malware form factors or formats differently and applies various technologies. This helps analyze malware at a depth previously not possible!

Would you like to try Deep .NET tracing? Then contact us today to get a trial for Joe Sandbox Cloud Pro. 

Full Analysis Data