# The Many Roads Leading To Agent Tesla **[trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/)** [Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is](https://krebsonsecurity.com/2018/10/who-is-agent-tesla/) capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration. During the past months, we have found a resurgence of this malware being distributed via spam, as a payload of other threats, and as attachments to the malspams themselves. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments whereas the third one distributes Agent Tesla directly in the malspams. The Agent Tesla samples we observed send the stolen information through SMTP and FTP. ----- _Figure 1: The process flow of spam campaigns leading to Agent Tesla malware_ ## 1 CAMPAIGN: Through a PowerPoint Slide Show (PPSX) Loaderst The malspams relating to the first campaign contain a PPSX attachment that exploits an old [vulnerability - CVE-2017-0199 which allows attackers to perform remote code execution using](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199) Windows Object Linking and Embedding (OLE). ----- _Figure 2: The malspam containing a PPSX attachment with CVE-2017-0199_ The offending object inside the attachment AS_FedEx_AWB_00117980920AS.ppsx is _slide1.xml.rels. It contains a script moniker that, when triggered, executes a PowerShell_ command. ----- _Figure 3: The PowerShell command at object slide1.xml.rels_ Once the PowerPoint file is opened, it initializes the script moniker and runs the encoded PowerShell script. Decoding the PowerShell script reveals that it downloads an executable hosted at discordapp[.]com, saves it to the %appdata% folder as NPHBEK.exe, then executes it. _Figure 4: Decoded PowerShell command from Fig. 2_ The downloaded file %appdata%/NPHBEK.exe is the Agent Tesla malware. It exfiltrates data via SMTP. The data includes the username, computer name, and other system information. In addition to that, stolen data will also be included in the email such as key captures, and stolen credentials. _Attacker’s email address: b*****@wezbrd.xyz_ _Password: Ma************di_ _SMTP server: smtp.privateemail.com_ ----- _Figure 5: The system information sent to the attacker’s email address_ ## 2nd CAMPAIGN: Downloaded via a Compiled HTML (CHM) File A Compiled HTML (CHM) Help file contains a collection of HTML pages with an index compressed into a binary format. This file format is mainly used for documentation and help guides. On rare occasions, this file format is also used by cybercriminals to distribute malware. This second spam campaign has a CHM file contained inside an archive attachment, paving the way to the distribution of Agent Tesla. _Figure 6: The malspam containing the CHM downloader and its display when launched_ ----- The CHM attachment 70127_YK90054_Consulta_del_cliente.chm has one HTML object. When the CHM file is executed, the HTML object d5sd00.htm will be loaded by the Microsoft Help Viewer (hh.exe). As the HTML Help window shown in Fig. 6 is displayed, the malicious behavior of the CHM attachment starts to manifest in the background. _Figure 7: The PowerShell command triggered when CHM is executed_ The HTML d5sd00.htm contains a Javascript code that will deobfuscate then launch the PowerShell code also enclosed in the HTML file. The PowerShell then retrieves and processes the obfuscated data at hxxp://egen[.]com[.]tr/7F[.]jpg which is again PowerShell code. _Figure 8: The data obtained from the URL shown in Fig. 8 and its deobfuscated code_ The second PowerShell code contains 2 binaries – the first is the waves.dll file which is obfuscated and the second is the GZip archive containing the Agent Tesla executable. When this second-stage PowerShell runs, the binary waves.dll will inject the Agent Tesla malware into MSBuild.exe. ----- In this Agent Tesla sample, the exfiltrated data will be delivered via FTP. _Figure 9: The decrypted Agent Tesla config on the MSBuild.exe memory dump_ ## 3 CAMPAIGN: The “AstraZeneca” Agent Teslard [In the early days of the Coronavirus pandemic, we observed one of the malwares commonly](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-malspam-activity-ramps-up/) distributed via this theme was Agent Tesla. Recently, we have seen another spam campaign taking advantage of the pandemic. _Figure 10: The malspam containing Agent Tesla and the file property of the executable_ _attachment_ ----- Attached to the emails is a RAR or ZIP archive file containing an executable file. The executables we gathered from the malspams are .Net compiled around 700-900KB in size. Statically examining the executables, we noticed the file properties were associated with the company AstraZeneca, one of the Coronavirus vaccine makers. _Figure 11: The executable files obtained from the 3rd campaign_ Using the tool DNSpy, we observed that the .Net files shown in Fig. 11 were compiled on the same day the malspams were distributed. As the executables have encrypted data in the next section, we used the tool MegaDumper to extract the objects wrapped in them. The extracted objects are .Net Agent Tesla malware of which some were compiled a month earlier. _Figure 12: The executable in Fig. 10 viewed in DNSpy_ _Figure 13: The objects dumped, using the MegaDumper tool, from the executable shown in_ _Fig.10_ Just like in the first campaign, the data stolen from the infected system will be exfiltrated via SMTP. ----- _Figure 14: The code snippet of the SMTP process performed by Agent Tesla_ _NQAkXoqEDGGPBNdSxedbVXswADUBFbJCdBUnmtC.exe shown in Fig. 13_ ## IOC Attachments: AS_FedEx_AWB_00117980920AS.ppsx (31586 bytes) SHA1: 02DA2F8F23D468EF2DB4919566A0B43BDABCD656 70127_YK90054_Consulta_del_cliente.chm (12117 bytes) SHA1: 7CD8B837D6222CCD48F69211D9FB466A8A90A6EC Download URLs: hxxp://egen[.]com[.]tr/7F[.]jpg (879190 bytes) SHA1: 3605BA5E2ED894A89AA64740774FBA6A822E978F hxxps://cdn[.]discordapp[.]com/attachments/775445531627356172/793434227491733544/v4[.]exe (1969440 bytes) SHA1: CD9A58B7B81D9469D495CB4600A55F9E3BAAC33D Agent Tesla: Quotation Query for supply of selected list items. Ukraine chamber of commerce.exe (818688 bytes) SHA1: C30DCD540F949691F17B302BFDD862D86A1D93E5 ----- Application letter.exe (832512 bytes) Curriculum vitae.exe (832512 bytes) SHA1: BCB01820699431CF926E297E1C6966527CFE6F32 RFQ.01.11.021.exe (830464 bytes) SHA1: D4CB60FE478B83DA7D483813DD43B32CCA1812C6 Paymentcopy001#psf.exe (742912 byte) SHA1: C46AB15FAB1E57C251CFB979454693601CBE035C -----