Unfolding Agent Tesla: The Art of Credentials Harvesting. Stealing FTP Commander
Analysis of Agent Tesla, A Close Look at Password Theft Technique
Part — 13 — Stealing FTP Commander Credentials
FTP Commander is a Windows-based FTP (File Transfer Protocol) client software that transfers files between a local computer and a remote server over the internet. It provides a user-friendly interface for managing FTP connections and transferring files. FTP is commonly used for uploading files to a web server, downloading files from a remote server, or managing files on a remote server.
The stealer routine begins by checking the following locations; it stores these five paths in an array and then walks through them looking for stored credentials.
- @"C:\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt"
- @"C:\Program Files (x86)\FTP Commander\Ftplist.txt"
- @"C:\cftp\Ftplist.txt"
- @"C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt"
- @"C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt"
It starts by reading @"C:\Program Files (x86)\FTP Commander\Ftplist.txt" and loops through every credential entry stored in that file.
Only the password field is stored in encrypted form; all the other details are visible in plain text.
The purpose of this method is to decode the stored password: it XORs each character of the input string (likely "N9cu" in the decompiled sample) with the integer 25, which turns the stored value back into the original, unencrypted password. Because the key is a single constant byte, this is obfuscation rather than encryption, and it offers no protection once the scheme is known.
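The defender-side counterpart to the enumeration described above, as an added example that is not part of the original post or of the malware: detection logic that takes file-access telemetry and flags any process outside an allow-list touching one of the five Ftplist.txt locations. The event format, the sample events and the FTP Commander image name (`ftpcommander.exe`) are assumptions, so adjust them to your own telemetry source (for example Windows object-access auditing with a SACL on the file, or an EDR's file-read events).

```python
import re

# The five Ftplist.txt locations the stealer checks (from the analysis above).
# %username% is treated as a wildcard for any profile name.
FTP_COMMANDER_CRED_PATTERNS = [
    r"C:\\Program Files \(x86\)\\FTP Commander Deluxe\\Ftplist\.txt",
    r"C:\\Program Files \(x86\)\\FTP Commander\\Ftplist\.txt",
    r"C:\\cftp\\Ftplist\.txt",
    r"C:\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\Program Files \(x86\)\\FTP Commander\\Ftplist\.txt",
    r"C:\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\Program Files \(x86\)\\FTP Commander Deluxe\\Ftplist\.txt",
]
_CRED_PATH_RE = re.compile("^(?:" + "|".join(FTP_COMMANDER_CRED_PATTERNS) + ")$", re.IGNORECASE)

# Processes expected to read Ftplist.txt legitimately.
# Assumed image name for the FTP Commander client; verify against your own install.
EXPECTED_READERS = {"ftpcommander.exe"}


def is_ftp_commander_credential_path(path: str) -> bool:
    """True if path is one of the Ftplist.txt locations the stealer enumerates."""
    return bool(_CRED_PATH_RE.match(path.strip().replace("/", "\\")))


def flag_credential_file_access(events):
    """Return (process, path) pairs where a process outside the allow-list accessed an Ftplist.txt.

    Each event is a dict with 'process' (full image path) and 'path' (file accessed);
    the dict layout is an assumption standing in for whatever your telemetry emits."""
    hits = []
    for ev in events:
        image = ev["process"].rsplit("\\", 1)[-1].lower()
        if is_ftp_commander_credential_path(ev["path"]) and image not in EXPECTED_READERS:
            hits.append((ev["process"], ev["path"]))
    return hits


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files (x86)\FTP Commander\FTPCommander.exe",
     "path": r"C:\Program Files (x86)\FTP Commander\Ftplist.txt"},
    {"process": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "path": r"C:\Users\alice\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt"},
    {"process": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for proc, path in flag_credential_file_access(SAMPLE_EVENTS):
        print(f"ALERT: {proc} accessed FTP Commander credential store {path}")
```

A hit on this rule is a strong signal that stored FTP credentials on the host should be treated as compromised and rotated, whatever the outcome of the wider investigation.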
Parts
Part — 1 — Dropper Analysis
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137
Part — 2 — Browsers Stealing
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-2d565c68db0d
Part — 3 — Discovery & Exfiltration
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7a77f69435ee
Part — 4 — Stealing FileZilla
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-d30da9c36988
Part — 5 — Stealing The BAT! EMAIL CLIENT
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-c3fe4854775b
Part — 6 — Stealing Outlook Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-de3737f9d66e
Part — 7 — Stealing Trillian Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-afa2dd6e9de7
Part — 8 — Stealing MailBird Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-e5501af1c942
Part — 9 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-55e7b2c64d60
Part — 10 — Stealing Core FTP LE Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-cdce40f6a747
Part — 11 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-db9bb6698041
Part — 12 — Stealing FTP Navigator Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-59818a3686a3
Part — 13 — Stealing FTP Commander Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7d01a41d554b
Part — 14 — Stealing FTP Getter Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-fe5ff29cc93c