{
	"id": "718beb54-4db5-4959-91c1-5bc325e2dec0",
	"created_at": "2026-04-06T00:13:01.322318Z",
	"updated_at": "2026-04-10T03:21:43.06545Z",
	"deleted_at": null,
	"sha1_hash": "ba9fcb5a4270ac32923b03e57411437b4538c89a",
	"title": "Decrypting AgentTesla strings and config",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1962784,
	"plain_text": "Decrypting AgentTesla strings and config\r\nBy NexusFuzzy\r\nPublished: 2020-09-03 · Archived: 2026-04-05 18:21:04 UTC\r\nThe nefarious malware AgentTesla has been around for some years and remains a serious threat.\r\nWorking in cyber security is all about being faster than your adversary to limit or prevent damage to the systems and users you are about to protect.\r\nThis naturally leads to the need to automate as much as possible to be able to react quickly to new threats. As you can see from the stats of Any.run, AgentTesla is still one of the most popular malware families when it comes to commodity malware:\r\nhttps://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4\r\nPage 1 of 12\r\nAgentTesla remains a threat\r\nDue to the number of samples to analyze I created a little tool called Edison which is able to decrypt all strings used by AgentTesla, with the fact in mind that the exfiltration methods are also present in the strings. Equipped with this knowledge let’s dive in!\r\nThe sample\r\nMy preferred site to get interesting samples is bazaar.abuse.ch, so you may also use this site to get the following sample to follow along with these steps — in a secured VM of course (we are about to execute the malware):\r\nd29da0500ff7aecab3d24397cb745554f399dce5ab59f4ed7a95f6f959b62584\r\nRequired tools\r\nAs already explained you need a VM to run our little experiment since we will execute this sample. If you aren’t already using it, this is a good moment to start using FlareVM, which is maintained by FireEye.\r\nOnce you have your VM up and running it’s time to get Hollows Hunter. The reason for this is that most if not all malware comes “packed”. This means that the true intention of the malware is not visible at first glance. Only if the packer deems your system worthy to get infected (no VM, only specific regions etc.) will it unpack the malware and pass control to it. Going into too much detail is out of the scope of this post, so we choose the automatic way with Hollows Hunter. Once the malware is unpacked, Hollows Hunter will dump it to disk, fix some things and you are good to go.\r\nNot necessary but really helpful in our analysis is dnSpy. If you are using FlareVM, it should already be installed.\r\nLast but not least you’ll need Edison to automatically extract the strings from the sample.\r\nLet’s infect ourselves\r\nOnce you have downloaded the sample, we open it up in dnSpy:\r\nThat doesn’t really look like AgentTesla to be honest\r\nAs we can see when we go through the methods it doesn’t look like AgentTesla, so at this point we assume that it’s packed. We now use Hollows Hunter to watch for injections and automatically dump them to disk:\r\nIf Hollows Hunter is working, you should see output similar to this\r\nAfter we got Hollows Hunter in place, we start the malware itself and wait until a new process is spawned. As expected, Hollows Hunter catches this:\r\nGotcha!\r\nOnce we made sure that we got a dumped sample we can kill the malware itself and Hollows Hunter:\r\nThe dumped file\r\nTo confirm our assumptions we open this file in dnSpy again:\r\nHello, AgentTesla!\r\nOne characteristic thing about AgentTesla is a huge object array of uint[] which turns out to be the encrypted strings:\r\nNote the huge list of uint[] at the left\r\nA good training for your fingers if you decide to scroll through the list\r\nKey? IV? CreateDecryptor? Looks like we found the juicy parts!\r\nYou could now dynamically analyze the malware, set breakpoints, work your way through the obfuscated control flow OR we fire up Edison to just decrypt all strings for us:\r\nIf not already downloaded, this is your chance!\r\nOnce downloaded you can start it without arguments to see the usage:\r\nNo rocket science. Really.\r\nWe do as advised:\r\nJust point Edison to the dumped binary and specify an output textfile\r\nOnce it’s finished we can open up the text file:\r\nAll the strings\r\nThat’s what we were interested in — the address used for exfiltration!\r\nTeach me master!\r\nYou can browse the repository to see the complete source code, but for reference purposes you can see the interesting part here:\r\nNo rocket science either\r\nI am using reflection to load the AgentTesla sample and afterwards I’m getting all fields of the first module, which turn out to be the uint[] elements.\r\nThrough reversing the sample I found out that the key and IV for every uint[]/string differ and are found at the end of every uint[]. Since we know the size of the key and the IV we can use these values to pass them to the decrypt function we saw earlier.\r\nSource: https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4"
	],
	"report_names": [
		"decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba9fcb5a4270ac32923b03e57411437b4538c89a.pdf",
		"text": "https://archive.orkl.eu/ba9fcb5a4270ac32923b03e57411437b4538c89a.txt",
		"img": "https://archive.orkl.eu/ba9fcb5a4270ac32923b03e57411437b4538c89a.jpg"
	}
}