Analyzing a Suspected AgentTesla Sample with ChatGPT

A Few Notes

I would like to start off by thanking my fellow Curated Intelligence members for reviewing this before publication and providing feedback!

https://twitter.com/CuratedIntel

This was originally shared amongst CI as TLP: AMBER; as of publication of this blog it has been reclassed as TLP: CLEAR.

Also, when this was drafted, the hashes were tagged with DarkGate; it appears they are now tagged with AgentTesla. Regardless, the analysis remains the same.

Stage 1 (LNK File)

The shortcut calls PowerShell Invoke-WebRequest to download http://185.196.9[.]20/test/sleeps.exe and execute it via Start-Process.

The image below shows a bash function I use to analyze LNK files as well as the LNK file content.

VirusTotal

LNK File Analysis

Stage 2 (.NET EXE)

At the time of analysis (February 5th, 2024), visiting the URL above yielded the following hash.

VirusTotal

Downloading the file and opening it in Detect It Easy shows a .NET executable.

.NET

Opening this in ILSpy shows a few things of interest:

• It downloads data from a text file.
• It decrypts this data and passes it to a “RunPE” function with regasm.exe as an argument.

This “RunPE” function appears to be a process injection technique as we see it reading, allocating, and writing to memory

The way I interpret these together is:

1. The program is downloading and decrypting a file.
2. Then it is taking the decrypted information and injecting it into regasm.exe.

Stage 3 (Encrypted Data)

By downloading the encrypted data, we see that it is just read as “Binary”, which is to be expected.

At this point, I tried re-creating the decryption routine in Python and was having trouble. So I turned to ChatGPT. It ran into the same errors I did but it was ultimately able to solve them.

For reference, this specific part of the code above is the decryption routine.

(Admittedly I guessed at this being C#; not sure what derivative of C this is)

This code produced one of the same errors I was dealing with so I fed it the error.

The answer it gave seemed plausible so I needed to refine it since the code in ILSpy showed the key to be an array.

One of the issues I ran into while trying to write my own was also writing the data to a new file (I kept writing integers rather than bytes). Luckily it was able to solve this as well.

Here we see the finished decryption routines side by side.

After running it, it did produce a new sample that had a different hash than the original. More importantly, when I opened the decrypted data in Detect It Easy, it showed to be a valid binary!

High level review of the code in PEStudio showed plenty of suspicious imports and strings.

Lastly, the code was written with a bunch of unnecessary conditionals.

While I cannot independently confirm this is AgentTesla, the main point was to showcase using ChatGPT to help reverse an XOR encryption scheme.

If you spot any mistakes in the analysis, please ping me at https://twitter.com/_montysecurity

IOCs

• d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d (Stage 1; LNK File)
• f62640b8047a6105ba98ab690d7908f6c3e8aef22f05d6512e838457a01e0593 (Stage 2; .NET EXE)
• 3ae234ec1adbc5e133e9aa67c28b92abccb1d7b009594c34d46dd94070361ee3 (Stage 3; Encrypted EXE)
• f6f4c2e5a15e8eec24ec79553ef380b31569bb92e28411687bf305f20174487f (Stage 3; Decrypted EXE)
• 185.196.9[.]20 (Hosted payloads)