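// AgentTesla detection rules from several authors (see each rule's meta).
// No YARA modules are imported. Rules gated on uint16(0) == 0x5A4D ("MZ")
// only consider PE files; the clauses without that gate are what let a rule
// fire on memory dumps and decrypted payloads as well.
//
// NOTE(review): as rendered, the source carried literal line breaks inside
// quoted strings, which YARA does not accept; they are restored here as "\n"
// escapes. All string contents are otherwise kept byte-exact, including the
// apparent typo in "Berkelet DB" below, because the rules match what the
// sample contains, not what is spelled correctly.
//
// NOTE(review): cape_type capitalization differs across rules ("AgentTesla
// Payload" vs "AgentTesla payload"); confirm the consumer of that meta key
// compares case-insensitively before relying on it for config extraction.

rule agent_tesla
{
    meta:
        description = "Detecting HTML strings used by Agent Tesla malware"
        author = "Stormshield"
        version = "1.0"

    strings:
        // Report field labels; the leading newline and the column padding are
        // part of what is matched, so do not normalize whitespace here.
        $html_username    = "\nUserName      : " wide ascii
        $html_pc_name     = "\nPC Name       : " wide ascii
        $html_os_name     = "\nOS Full Name  : " wide ascii
        $html_os_platform = "\nOS Platform   : " wide ascii
        $html_clipboard   = "\n[clipboard]" wide ascii

    condition:
        // No MZ gate: any input holding three of the labels matches, which
        // includes captured reports and memory, not only the executable.
        // Expect hits on exfiltrated-log artifacts and triage accordingly.
        3 of them
}

rule AgentTesla
{
    meta:
        author = "kevoreilly"
        description = "AgentTesla Payload"
        cape_type = "AgentTesla Payload"

    strings:
        $string1 = "smtp" wide
        $string2 = "appdata" wide
        // Looks like a Windows product-ID style value; presumably a
        // build-environment artifact rather than malware logic, so a
        // rebuilt sample may lack it — and "all of ($string*)" below
        // requires it.
        $string3 = "76487-337-8429955-22614" wide
        $string4 = "yyyy-MM-dd HH:mm:ss" wide
        // $string5 = "%site_username%" wide
        $string6 = "webpanel" wide
        $string7 = "\nUserName      :" wide
        $string8 = "\nIP Address  :" wide
        // $agt* are artifacts of the bundled IELibrary component; $agt2 is a
        // developer-machine PDB path and is trivially changed by a rebuild.
        $agt1 = "IELibrary.dll" ascii
        $agt2 = "C:\\Users\\Admin\\Desktop\\IELibrary\\IELibrary\\obj\\Debug\\IELibrary.pdb" ascii
        $agt3 = "GetSavedPasswords" ascii
        $agt4 = "GetSavedCookies" ascii

    condition:
        // PE files only. Either every uncommented $string* (1-4, 6-8) or
        // three of the four IELibrary artifacts.
        uint16(0) == 0x5A4D and (all of ($string*) or 3 of ($agt*))
}

rule AgentTeslaV2
{
    meta:
        author = "ditekshen"
        description = "AgenetTesla Type 2 Keylogger payload"
        cape_type = "AgentTesla Payload"

    strings:
        // .NET member names and literals seen in the payload.
        $s1 = "get_kbHook" ascii
        $s2 = "GetPrivateProfileString" ascii
        $s3 = "get_OSFullName" ascii
        $s4 = "get_PasswordHash" ascii
        $s5 = "remove_Key" ascii
        $s6 = "FtpWebRequest" ascii
        $s7 = "logins" fullword wide
        $s8 = "keylog" fullword wide
        // Same header text as AgentTeslaV5's $database2 (minus the leading
        // space); keep the two in sync if either is adjusted.
        $s9 = "1.85 (Hash, version 2, native byte-order)" wide
        // Mozilla-family client names targeted for credential theft.
        $cl1 = "Postbox" fullword ascii
        $cl2 = "BlackHawk" fullword ascii
        $cl3 = "WaterFox" fullword ascii
        $cl4 = "CyberFox" fullword ascii
        $cl5 = "IceDragon" fullword ascii
        $cl6 = "Thunderbird" fullword ascii

    condition:
        // Second clause has no MZ gate so memory dumps also match, at the
        // cost of needing two client names on top of six $s* strings.
        (uint16(0) == 0x5a4d and 6 of ($s*)) or (6 of ($s*) and 2 of ($cl*))
}

rule AgentTeslaV3
{
    meta:
        author = "ditekshen"
        description = "AgentTeslaV3 infostealer payload"
        cape_type = "AgentTesla payload"

    strings:
        // $s* : member names (some obfuscated, e.g. set_wtqQe) and
        //       configuration placeholders such as %chatid%.
        $s1 = "get_kbok" fullword ascii
        $s2 = "get_CHoo" fullword ascii
        $s3 = "set_passwordIsSet" fullword ascii
        $s4 = "get_enableLog" fullword ascii
        $s5 = "bot%telegramapi%" wide
        $s6 = "KillTorProcess" fullword ascii
        $s7 = "GetMozilla" ascii
        $s8 = "torbrowser" wide
        $s9 = "%chatid%" wide
        $s10 = "logins" fullword wide
        $s11 = "credential" fullword wide
        $s12 = "AccountConfiguration+" wide
        $s13 = ".+?)\\1[^>]*>" fullword wide
        $s14 = "set_Lenght" fullword ascii
        $s15 = "get_Keys" fullword ascii
        $s16 = "set_AllowAutoRedirect" fullword ascii
        $s17 = "set_wtqQe" fullword ascii
        $s18 = "set_UseShellExecute" fullword ascii
        $s19 = "set_IsBodyHtml" fullword ascii
        $s20 = "set_FElvMn" fullword ascii
        $s21 = "set_RedirectStandardOutput" fullword ascii
        // $g* : keylogger/clipboard property getters.
        $g1 = "get_Clipboard" fullword ascii
        $g2 = "get_Keyboard" fullword ascii
        $g3 = "get_Password" fullword ascii
        $g4 = "get_CtrlKeyDown" fullword ascii
        $g5 = "get_ShiftKeyDown" fullword ascii
        $g6 = "get_AltKeyDown" fullword ascii
        // $m* : long runs of adjacent literals as they appear in the user
        //       string heap; they are matched without an MZ gate because
        //       they are what survives in a decrypted/dumped payload.
        $m1 = "yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.htmlLogtext/html[]Time" ascii
        $m2 = "%image/jpg:Zone.Identifier\\tmpG.tmp%urlkey%-f \\Data\\Tor\\torrcp=%PostURL%127.0.0.1POST+%2B" ascii
        $m3 = ">{CTRL}Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\\WScript.ShellRegReadg401" ascii
        $m4 = "%startupfolder%\\%insfolder%\\%insname%/\\%insfolder%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%insregname%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\RunTruehttp" ascii
        $m5 = "\\WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera" ascii

    condition:
        (uint16(0) == 0x5a4d and (8 of ($s*) or (6 of ($s*) and 4 of ($g*)))) or (2 of ($m*))
}

rule AgentTeslaXor
{
    meta:
        author = "kevoreilly"
        description = "AgentTesla xor-based config decoding"
        cape_type = "AgentTesla Payload"

    strings:
        // CIL byte sequence of the decode loop; "[4]" skips a 4-byte
        // operand and "??" a single variable byte (presumably a branch
        // offset — confirm against a sample before tightening it).
        $decode = {06 91 06 61 20 [4] 61 D2 9C 06 17 58 0A 06 7E [4] 8E 69 FE 04 2D ?? 2A}

    condition:
        uint16(0) == 0x5A4D and any of them
}

rule AgentTeslaV4
{
    meta:
        author = "kevoreilly"
        description = "AgentTesla Payload"
        cape_type = "AgentTesla Payload"
        packed = "7f8a95173e17256698324886bb138b7936b9e8c5b9ab8fffbfe01080f02f286c"

    strings:
        // Each parenthesised alternative pairs a one-byte CIL opcode with
        // what appears to be its long-form (FE-prefixed / 32-bit operand)
        // encoding, so the pattern holds across compiler output variants.
        $decode1 = {(07|FE 0C 01 00) (07|FE 0C 01 00) 8E 69 (17|20 01 00 00 00) 63 8F ?? 00 00 01 25 47 (06|FE 0C 00 00) (1A|20 04 00 00 00) 58 4A D2 61 D2 52}
        $decode2 = {(07|FE 0C 01 00) (08|FE 0C 02 00) 8F ?? 00 00 01 25 47 (07|FE 0C 01 00) (11 07|FE 0C 07 00) 91 (06|FE 0C 00 00) (1A|20 04 00 00 00) 58 4A 61 D2 61 D2 52}
        $decode3 = {(07|FE 0C 01 00) (11 07|FE 0C 07 00) 8F ?? 00 00 01 25 47 (07|FE 0C 01 00) (08|FE 0C 02 00) 91 61 D2 52}

    condition:
        // All three fragments are required; a single one is considered too
        // generic on its own.
        uint16(0) == 0x5A4D and all of them
}

rule AgentTeslaV4JIT
{
    meta:
        author = "kevoreilly"
        description = "AgentTesla JIT-compiled native code"
        cape_type = "AgentTesla Payload"
        packed = "7f8a95173e17256698324886bb138b7936b9e8c5b9ab8fffbfe01080f02f286c"

    strings:
        // x86 native fragments; no MZ gate because JIT output lives only
        // in process memory, so apply this rule to memory dumps.
        $decode1 = {8B 01 8B 40 3C FF 50 10 8B C8 E8 [4] 89 45 CC B8 1A 00 00 00}
        $decode2 = {83 F8 18 75 2? 8B [2-5] D1 F8}
        $decode3 = {8D 4C 0? 08 0F B6 01 [0-3] 0F B6 5? 04 33 C2 88 01 B8 19 00 00 00}

    condition:
        2 of them
}

rule AgentTeslaV5
{
    meta:
        author = "ClaudioWayne"
        description = "AgentTeslaV5 infostealer payload"
        cape_type = "AgentTesla payload"
        sample = "893f4dc8f8a1dcee05a0840988cf90bc93c1cda5b414f35a6adb5e9f40678ce9"

    strings:
        // Report template labels (leading newline is part of the match).
        $template1 = "\nUser Name: " fullword wide
        $template2 = "\nUsername: " fullword wide
        $template3 = "\nRAM: " fullword wide
        $template4 = "\nPassword: " fullword wide
        $template5 = "\nOSFullName: " fullword wide
        $template6 = "\n\nCopied Text:\n" fullword wide
        $template7 = "\nCPU: " fullword wide
        $template8 = "\nComputer Name: " fullword wide
        $template9 = "\nApplication: " fullword wide
        // Chromium-family profile directories.
        $chromium_browser1 = "Comodo\\Dragon\\User Data" fullword wide
        $chromium_browser2 = "Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer" fullword wide
        $chromium_browser3 = "Google\\Chrome\\User Data" fullword wide
        $chromium_browser4 = "Elements Browser\\User Data" fullword wide
        $chromium_browser5 = "Yandex\\YandexBrowser\\User Data" fullword wide
        $chromium_browser6 = "MapleStudio\\ChromePlus\\User Data" fullword wide
        // Mozilla-family profile directories. $mozilla_browser6 is a
        // Chromium-style "User Data" path despite its name; it is left in
        // this group because the "3 of ($mozilla_browser*)" threshold below
        // counts it — regroup it only together with that threshold.
        $mozilla_browser1 = "\\Mozilla\\SeaMonkey\\" fullword wide
        $mozilla_browser2 = "\\K-Meleon\\" fullword wide
        $mozilla_browser3 = "\\NETGATE Technologies\\BlackHawk\\" fullword wide
        $mozilla_browser4 = "\\Thunderbird\\" fullword wide
        $mozilla_browser5 = "\\8pecxstudios\\Cyberfox\\" fullword wide
        $mozilla_browser6 = "360Chrome\\Chrome\\User Data" fullword wide
        $mozilla_browser7 = "\\Mozilla\\Firefox\\" fullword wide
        // Credential-store artifacts (Mozilla key DB names and header text).
        // Legitimate tooling that reads these stores carries the same
        // strings; the conjunction in the condition is what keeps this rule
        // specific, so do not loosen the other thresholds independently.
        $database1 = "Berkelet DB" fullword wide
        $database2 = " 1.85 (Hash, version 2, native byte-order)" fullword wide
        $database3 = "00061561" fullword wide
        $database4 = "key4.db" fullword wide
        $database5 = "key3.db" fullword wide
        $database6 = "global-salt" fullword wide
        $database7 = "password-check" fullword wide
        // Third-party application config/credential file paths.
        $software1 = "\\FileZilla\\recentservers.xml" fullword wide
        $software2 = "\\VirtualStore\\Program Files (x86)\\FTP Commander\\Ftplist.txt" fullword wide
        $software3 = "\\The Bat!" fullword wide
        $software4 = "\\Apple Computer\\Preferences\\keychain.plist" fullword wide
        $software5 = "\\MySQL\\Workbench\\workbench_user_data.dat" fullword wide
        $software6 = "\\Trillian\\users\\global\\accounts.dat" fullword wide
        $software7 = "SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions" fullword wide
        $software8 = "FTP Navigator\\Ftplist.txt" fullword wide
        $software9 = "NordVPN" fullword wide
        $software10 = "JDownloader 2.0\\cfg" fullword wide

    condition:
        // PE files only; every string family must be represented.
        uint16(0) == 0x5a4d and
        4 of ($template*) and
        3 of ($chromium_browser*) and
        3 of ($mozilla_browser*) and
        3 of ($database*) and
        5 of ($software*)
}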