Unfolding Agent Tesla: The Art of Credentials Harvesting. Browsers Stealing
Analysis of Agent Tesla, A Close Look at Password Theft Technique
— Part — 2 — Browsers Stealing
The final stage is also developed in .NET (C#) and it is also obfuscated. I tried de4dot, but the final stage was still obfuscated, so I continued with debugging.
In the following figure, you can see that all the names are obfuscated.
At first, the xNLwYiY function is a C# method that attempts to terminate all processes with the same name as the current process, excluding itself.
It enumerates all processes with that name and compares each process id with the current process id; every process whose id does not match the current one (that is, every other running instance) is terminated. It does this so that if the malware is already running, the older copy is closed and duplicate instances are avoided.
Next, it creates an instance of MD5. The MD5.Create() method, available in the System.Security.Cryptography namespace, returns an instance of the MD5 hash algorithm.
The pFLA method attempts to retrieve the serial number of the baseboard using Windows Management Instrumentation (WMI) and returns it; if an exception occurs during retrieval, it returns the hardcoded default value "52b0e816-0a2b-41d9-a0e3-257276619f61".
The 9KASXql5F method retrieves the processor's ID (in my case "0FXBFBFFXX090672") using Windows Management Instrumentation (WMI) from the "win32_processor" class and returns it; if an exception occurs during retrieval, it returns a hardcoded default value.
The "array" contains the hash value of the UTF-8 encoded string "hk1TqC".
After this, it stores the paths of 39 browsers and 34 endpoint clients in a list.
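For readers who want the de-obfuscated logic in one readable place, here is an analyst's reconstruction of the three routines described above (the single-instance check, the two WMI lookups with their exception fallbacks, and the MD5 of a UTF-8 string). This is added example code, not the sample's own code and not the output of de4dot; the method names AgentTeslaStageLogic, KillOtherInstances, GetBaseboardSerial, GetProcessorId and Md5Utf8 are my own, the WQL queries assume the standard Win32_BaseBoard.SerialNumber and Win32_Processor.ProcessorId properties, and the processor-ID fallback is a placeholder because the post does not quote that default value.

```csharp
// Analyst reconstruction (not the sample's code) of the stage's startup logic.
// Assumes a reference to System.Management (the System.Management NuGet package on .NET Core/5+).
using System;
using System.Diagnostics;
using System.Management;
using System.Security.Cryptography;
using System.Text;

public static class AgentTeslaStageLogic
{
    // Terminates every other process with the same name as the current one and
    // leaves the current process alive (the behaviour of the obfuscated xNLwYiY method).
    public static int KillOtherInstances()
    {
        Process current = Process.GetCurrentProcess();
        int killed = 0;
        foreach (Process p in Process.GetProcessesByName(current.ProcessName))
        {
            if (p.Id == current.Id) continue; // skip ourselves
            try { p.Kill(); killed++; }
            catch (Exception) { /* access denied or already exited: ignored */ }
        }
        return killed;
    }

    // Baseboard serial via WMI; hard-coded GUID fallback on any failure (the pFLA method).
    public static string GetBaseboardSerial()
    {
        try
        {
            using (var searcher = new ManagementObjectSearcher("SELECT SerialNumber FROM Win32_BaseBoard"))
                foreach (ManagementObject mo in searcher.Get())
                    return mo["SerialNumber"]?.ToString() ?? "";
        }
        catch (Exception) { }
        return "52b0e816-0a2b-41d9-a0e3-257276619f61"; // default value quoted in the post
    }

    // Processor ID via WMI (the 9KASXql5F method). The fallback is a placeholder:
    // the post does not quote the sample's processor-ID default.
    public static string GetProcessorId()
    {
        try
        {
            using (var searcher = new ManagementObjectSearcher("SELECT ProcessorId FROM win32_processor"))
                foreach (ManagementObject mo in searcher.Get())
                    return mo["ProcessorId"]?.ToString() ?? "";
        }
        catch (Exception) { }
        return "<PROCESSOR-ID-DEFAULT-NOT-ON-PAGE>";
    }

    // MD5 of a UTF-8 encoded string, as applied to the constant "hk1TqC".
    public static byte[] Md5Utf8(string s)
    {
        using (MD5 md5 = MD5.Create())
            return md5.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    public static void Main()
    {
        Console.WriteLine("other instances terminated: " + KillOtherInstances());
        Console.WriteLine("baseboard serial: " + GetBaseboardSerial());
        Console.WriteLine("processor id: " + GetProcessorId());
        Console.WriteLine("md5(hk1TqC) = " + BitConverter.ToString(Md5Utf8("hk1TqC")).Replace("-", ""));
    }
}
```

Running this on a lab VM is a quick way to see which hardware values the sample would pick up on that host; a VM with a blank or generic baseboard serial will make the routine fall through to the hard-coded GUID, which is one reason the same fallback value turns up across many infected-host identifiers.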
The full password-harvesting write-up has moved to the blogging website. Follow the link below to see how Agent Tesla steals browser credentials; we unfold it in depth there.
https://breachnova.com/blog.php?id=30
Parts
Part — 1 — Dropper Analysis
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137
Part — 2 — Browsers Stealing
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-2d565c68db0d
Part — 3 — Discovery & Exfiltration
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7a77f69435ee
Part — 4 — Stealing FileZilla
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-d30da9c36988
Part — 5 — Stealing The BAT! EMAIL CLIENT
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-c3fe4854775b
Part — 6 — Stealing Outlook Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-de3737f9d66e
Part — 7 — Stealing Trillian Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-afa2dd6e9de7
Part — 8 — Stealing MailBird Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-e5501af1c942
Part — 9 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-55e7b2c64d60
Part — 10 — Stealing Core FTP LE Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-cdce40f6a747
Part — 11 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-db9bb6698041
Part — 12 — Stealing FTP Navigator Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-59818a3686a3
Part — 13 — Stealing FTP Commander Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7d01a41d554b
Part — 14 — Stealing FTP Getter Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-fe5ff29cc93c