Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints using .NET decompilation and memory analysis.
cybersecurity
malware-analysis
agent-tesla
rat
config-extraction
dotnet
malware-analysis
keylogger
credential-theft
1.0
mahipal
MIT
Extracting Config from Agent Tesla RAT
Overview
Agent Tesla is a .NET-based Remote Access Trojan (RAT) and keylogger that ranked among the top 10 malware variants in 2024, impacting 6.3% of corporate networks globally. It exfiltrates stolen credentials via SMTP email, FTP upload, Telegram bot API, or Discord webhooks. The malware configuration is embedded in the .NET assembly, typically obfuscated using string encryption, resource encryption, or custom loaders that decrypt and execute Agent Tesla in memory via .NET Reflection (fileless). Configuration extraction involves decompiling the .NET assembly with dnSpy or ILSpy, identifying the decryption routine for configuration strings, and extracting SMTP server addresses, credentials, FTP endpoints, Telegram bot tokens, and targeted applications.
Prerequisites
dnSpy or ILSpy for .NET decompilation
Python 3.9+ with dnlib or pythonnet for automated extraction
de4dot for .NET deobfuscation
Understanding of .NET IL code and Reflection
Sandbox for dynamic analysis (ANY.RUN, CAPE)
Practical Steps
Step 1: Deobfuscate and Extract Configuration
#!/usr/bin/env python3"""Extract Agent Tesla RAT configuration from .NET assemblies."""importreimportsysimportjsonimportbase64importhashlibfrompathlibimportPathdefextract_strings_from_dotnet(filepath):"""Extract readable strings from .NET binary for config analysis."""withopen(filepath,'rb')asf:data=f.read()# Extract US (User Strings) heap from .NET metadatastrings=[]# Look for common Agent Tesla config patternspatterns={"smtp_server":re.compile(rb'smtp[\.\-][\w\.\-]+\.\w{2,}',re.I),"email":re.compile(rb'[\w\.\-]+@[\w\.\-]+\.\w{2,}'),"ftp_url":re.compile(rb'ftp://[\w\.\-:/]+',re.I),"telegram_token":re.compile(rb'\d{8,10}:[A-Za-z0-9_-]{35}'),"telegram_chat":re.compile(rb'(?:chat_id=|chatid[=:])[\-]?\d{5,15}',re.I),"discord_webhook":re.compile(rb'https://discord\.com/api/webhooks/\d+/[\w-]+'),"password":re.compile(rb'(?:pass(?:word)?|pwd)[=:]\s*[\w!@#$%^&*]{4,}',re.I),"port":re.compile(rb'(?:port|smtp_port)[=:]\s*\d{2,5}',re.I),}results={}forname,patterninpatterns.items():matches=pattern.findall(data)ifmatches:results[name]=[m.decode('utf-8',errors='replace')forminmatches]# Extract Base64-encoded strings (common obfuscation)b64_pattern=re.compile(rb'[A-Za-z0-9+/]{20,}={0,2}')b64_decoded=[]formatchinb64_pattern.finditer(data):try:decoded=base64.b64decode(match.group())text=decoded.decode('utf-8',errors='strict')iftext.isprintable()andlen(text)>5:b64_decoded.append(text)exceptException:passifb64_decoded:results["base64_decoded_strings"]=b64_decoded[:30]returnresultsdefdecrypt_agenttesla_strings(data,key_hex):"""Decrypt Agent Tesla encrypted configuration strings."""key=bytes.fromhex(key_hex)# Agent Tesla V1: Simple XOR with keydecrypted_strings=[]# Find encrypted blobs (high-entropy byte sequences)blob_pattern=re.compile(rb'[\x80-\xff]{16,256}')formatchinblob_pattern.finditer(data):blob=match.group()# Try XOR decryptiondecrypted=bytes(b^key[i%len(key)]fori,binenumerate(blob))try:text=decrypted.decode('utf-8',errors='strict')iftext.isprintable()andlen(text.strip())>3:decrypted_strings.append(text.strip())exceptUnicodeDecodeError:pass# V2: SHA256-based key derivation then AESsha256_key=hashlib.sha256(key).digest()returndecrypted_stringsdefanalyze_exfiltration_config(config):"""Analyze extracted configuration for exfiltration methods."""methods=[]ifconfig.get("smtp_server"):methods.append({"type":"SMTP","servers":config["smtp_server"],"emails":config.get("email",[]),})ifconfig.get("ftp_url"):methods.append({"type":"FTP","urls":config["ftp_url"],})ifconfig.get("telegram_token"):methods.append({"type":"Telegram","tokens":config["telegram_token"],"chat_ids":config.get("telegram_chat",[]),})ifconfig.get("discord_webhook"):methods.append({"type":"Discord","webhooks":config["discord_webhook"],})returnmethodsif__name__=="__main__":iflen(sys.argv)<2:print(f"Usage: {sys.argv[0]} <agent_tesla_sample>")sys.exit(1)config=extract_strings_from_dotnet(sys.argv[1])methods=analyze_exfiltration_config(config)report={"raw_config":config,"exfiltration_methods":methods}print(json.dumps(report,indent=2))