Origin Logger is a variant of Agent Tesla: it is built on top of it and reuses all of its capabilities. The malware spreads through spam emails with malicious attachments, and it exfiltrates user accounts, passwords and other information from the infected machine.
Infection through Email
The infection starts with a spam email carrying an attached .ISO file.
The .ISO file contains only an executable with a PDF icon; this .exe file is likely to be the first loader. Dropping the executable into Detect It Easy:
It is a .NET executable and the entropy is not high, so hopefully it is not packed. I will use dnSpyEx to decompile the executable. Going to the entry point:
There are three function calls. The first two, SetCompatibleTextRenderingDefault among them, do not contain anything useful, as they are library functions and not written by the author.
The third call creates an instance of the form, whose constructor contains two functions:
InitializeComponent is used to configure the form; it is not part of the malicious code, so let's continue with the other one.
Exploring the first function: it stores a random string in the Text variable and calls into the Hyper class.
The Hyper class contains the information we are looking for, a link to the second stage.
The Array() function calls GetBuffer(), which just calls Avrql(), passing http://savory.com[.]bd/sav/Ztvfo.png as an argument.
The Avrql() function downloads the file Ztvfo.png, stores it as an array in memory and returns that array. Returning to the Array() function: it takes the downloaded file in the buffer variable, XORs it with the string Sfhdjkpkowgnpcgoshb and stores the XORed data.
That's all for the Hyper class; returning to Socker to check the other function.
Void() loads the assembly data stored in Tag, which is the file downloaded and XORed previously.
To run the loaded assembly, Ursa are used; both invoke different namespaces taken from the randomized string:
this.richTextBox1.Text = "Gdbtshcw.Sdnceyzqa Vqyhbeqthicxedwtrnxrbzcq"
Downloading the second stage
We can use the PCAP file provided with the sample to get the second stage; Wireshark does the job.
To download the file, navigate to File > Export Objects > HTTP.
The content of this file is encrypted with the XOR cipher we saw previously, so a short script is needed to decrypt the file.
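The following decoder is an added example and not the post's own script. The key "Sfhdjkpkowgnpcgoshb" is the string the loader XORs the buffer with, as seen in the decompiled Hyper class; applying it as a repeating key (byte i XOR key[i mod len(key)]), using the PE "MZ" magic as a sanity check, and the sample bytes at the bottom are this example's assumptions, not bytes from the real payload. The known-plaintext helper goes a step beyond the post: it shows how the first key bytes could be recovered from the DOS header even if the key were not visible in the code.

```python
"""XOR decoder for the second stage (Ztvfo.png) downloaded by the Origin Logger loader.

Added example, not the post's own script. KEY comes from the decompiled Hyper
class; the repeating-key scheme and the MZ sanity check are assumptions.
"""
import sys
from itertools import cycle

KEY = b"Sfhdjkpkowgnpcgoshb"  # XOR key seen in the Hyper class (from the post)


def xor_decode(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte with the key, cycling the key (assumed repeating-key scheme).

    XOR is its own inverse, so the same function encodes and decodes.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """A decoded .NET assembly is a PE file, so it must start with the 'MZ' magic."""
    return data[:2] == b"MZ"


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes = b"MZ\x90\x00") -> bytes:
    """Known-plaintext check: XORing the ciphertext with the expected DOS header
    bytes yields the first key bytes, which can be compared with the string seen
    in the decompiled code (or used as a starting point if that string were unknown)."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decode_file(src: str, dst: str) -> bool:
    """Decode the exported Ztvfo.png into dst; return True if the result looks like a PE."""
    with open(src, "rb") as f:
        decoded = xor_decode(f.read())
    with open(dst, "wb") as f:
        f.write(decoded)
    return looks_like_pe(decoded)


# Constructed stand-in for the downloaded blob: the first bytes of a PE DOS header,
# encoded the way the loader's XOR would produce them. NOT real payload bytes.
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok = decode_file(sys.argv[1], sys.argv[2])
        print("decoded; PE header", "present" if ok else "MISSING (wrong key or scheme?)")
    else:
        print("usage: xor_decode.py Ztvfo.png stage2.bin")
```

Run it as `python xor_decode.py Ztvfo.png stage2.bin` on the file exported from Wireshark; if the output does not start with MZ, the key or the cycling assumption is wrong and `recover_key_prefix` on the raw bytes will show what the first key bytes would have to be.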
Second stage analysis
Uploading the extracted file to DIE shows that the executable is obfuscated using .NET Reactor.
Network capture analysis
From the provided PCAP file of the traffic: Origin Logger exfiltrates the data over SMTP. The following is the content of the communication:
The exfiltrated data:
| Type of data | Example from the PCAP |
|---|---|
| Current Time | 01/05/2023 22:51:26 |
| OS Full Name | Microsoft Windows 11 Pro |
| CPU | Intel(R) Core(TM) i5-13600K CPU @ 5.10GHz |
| Application: Edge Chromium | AURL=https[://]login.us.coca-cola[.]com/ Username:admin@windows11users[.]com Password:Zp61-7$r#J_iLpCYV&jKr |
It steals the user's usernames and passwords, sends details about the current machine, and harvests accounts from several locations such as Thunderbird and the Edge browser.
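A triage helper for this kind of SMTP exfiltration, added here as an example and not part of the original post. It walks a raw SMTP session (e.g. the text of Wireshark's "Follow TCP Stream"), pulls the message bodies out of the DATA commands, and extracts the machine-profile fields and credential records using the field names from the table above. The exact line layout of the report body, the regular expressions and the sample session are constructed assumptions, not bytes from the real PCAP; the sample uses placeholder accounts rather than the values captured in the PCAP.

```python
"""Triage helper for Origin Logger / Agent Tesla style SMTP exfiltration.

Added example, not part of the original post. Field names follow the table in
the post; the body layout, regexes and SAMPLE_SESSION are constructed assumptions.
"""
import re

# Machine-profile lines at the top of the report (assumed "Name: value" layout)
FIELD_RE = re.compile(r"^(?P<name>Current Time|Time|OS Full Name|CPU):\s*(?P<value>.+?)\s*$")
# "Application: <browser or mail client>" header preceding each block of accounts
APP_RE = re.compile(r"^Application:\s*(?P<app>.+?)\s*$")
# One stolen account: URL=... Username:... Password:...
CRED_RE = re.compile(r"URL=(?P<url>\S+)\s+Username:(?P<user>\S+)\s+Password:(?P<pw>\S+)")


def extract_smtp_bodies(session: str) -> list:
    """Return the message body of every DATA command in a raw SMTP session."""
    bodies, current, in_data = [], [], False
    for line in session.splitlines():
        if not in_data:
            if line.strip().upper() == "DATA":
                in_data, current = True, []
            continue
        if line.startswith("354") and not current:  # server's go-ahead, not body text
            continue
        if line == ".":                               # end-of-data marker
            bodies.append("\n".join(current))
            in_data = False
        else:
            current.append(line)
    return bodies


def parse_stealer_report(body: str) -> dict:
    """Parse one message body into a machine profile plus credential records."""
    profile, creds, app = {}, [], None
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            profile[m["name"]] = m["value"]
            continue
        m = APP_RE.match(line)
        if m:
            app = m["app"]
            continue
        for m in CRED_RE.finditer(line):
            creds.append({
                "application": app,
                "url": m["url"],
                "username": m["user"],
                # keep only the length so a triage report never re-exposes the secret
                "password_len": len(m["pw"]),
            })
    return {"profile": profile, "credentials": creds}


def is_stealer_report(body: str) -> bool:
    """Detection heuristic: a machine profile together with at least one credential record."""
    parsed = parse_stealer_report(body)
    return "OS Full Name" in parsed["profile"] and len(parsed["credentials"]) > 0


def triage_session(session: str) -> list:
    """Run the heuristic over every message in the session and return the hits."""
    return [parse_stealer_report(b) for b in extract_smtp_bodies(session) if is_stealer_report(b)]


# Constructed SMTP session modelled on the table above; accounts are placeholders.
SAMPLE_SESSION = "\r\n".join([
    "220 mail.example.test ESMTP ready",
    "EHLO DESKTOP-PLACEHOLDER",
    "250 mail.example.test",
    "MAIL FROM:<sender@example.test>",
    "250 OK",
    "RCPT TO:<drop@example.test>",
    "250 OK",
    "DATA",
    "354 End data with <CR><LF>.<CR><LF>",
    "Subject: constructed sample report",
    "",
    "Current Time: 01/05/2023 22:51:26",
    "OS Full Name: Microsoft Windows 11 Pro",
    "CPU: Intel(R) Core(TM) i5-13600K CPU @ 5.10GHz",
    "Application: Edge Chromium",
    "URL=https://login.example.com/ Username:victim@example.com Password:NotARealPassword1",
    "Application: Thunderbird",
    "URL=imap://mail.example.com Username:victim@example.com Password:NotARealPassword2",
    ".",
    "250 OK: queued",
    "QUIT",
    "221 Bye",
])

if __name__ == "__main__":
    for hit in triage_session(SAMPLE_SESSION):
        print(hit["profile"])
        for c in hit["credentials"]:
            print(f'  {c["application"]}: {c["username"]} @ {c["url"]} (password of {c["password_len"]} chars)')
```

Passwords are deliberately reduced to their length: the point of the output is to tell an incident responder which accounts must be rotated, not to copy the secrets into a ticket.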