Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25
Family : Agent Tesla
Downloaded Sample Link: Click here
Signature: Microsoft Visual C# v7.0/ Basic.NET
- Steal browser information (URL, Usernames, Passwords)
- Steal passwords for email clients.
- Steal FTP Clients
- Steal download manager passwords.
- Collect OS and hardware information.
When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine.
Below are the tables getting created.
found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords.
database table logins stores all browser related information. Below are the table columns.
Apart from this, malware also look for all different types of browsers to steal data from it.
It look for below browsers:
- Opera Browser
- Yandex Browser
- 360 Browser
- Iridium Browser
- Comodo Dragon
- Cool Novo
- Torch Browser
- Elements Browser
- Epic Privacy
- Liebao Browser
- Sleipnir 6
- QIP Surf
Below screenshot taken while debugging malware.
Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.
- Opera Mail
Malware grabs credentials from FTP clients as well. Below list.
- Core FTP
It also makes FTP web request. (Remote Server couldn’t find)
It uses smtp client to send information over the network using port 587 which indicates sending data from smtp client to a particular smtp Server through mail attachments.
Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to remote SMTP server.
unfortunately, it didn’t make any connection to any remote server address.
- Steal Browser Information including urls, usernames and passwords.
- Steal email client credentials.
- Steal credentials of FTP servers.
- Computer information.