{"id":2023,"date":"2023-05-22T07:10:00","date_gmt":"2023-05-22T05:10:00","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2023"},"modified":"2023-05-22T14:25:41","modified_gmt":"2023-05-22T12:25:41","slug":"2023-2","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/2023-2\/","title":{"rendered":"GuLoader as the Gatekeeper of AgentTesla: A Comprehensive Analysis"},"content":{"rendered":"\n

The malware team at Lab52 has a saying that our colleages know well: “We want your malware”. On this occasion, the Theat Intelligence team gifted us a file that appeared to be a dropper. The file was already flagged by 15 antivirus engines on VirusTotal as malicious. <\/p>\n\n\n\n

\"\"
Target file in VirusTotal<\/figcaption><\/figure><\/div>\n\n\n\n

Among the open files, the results of specific calls to Powershell.exe are displayed.<\/p>\n\n\n\n

\"\"
VirusTotal information from the sandboxes<\/figcaption><\/figure><\/div>\n\n\n\n

Due to its context, it could be interesting to investigate it further, so we eagerly began analyzing it with a curious mindset.<\/p>\n\n\n\n

This post provides a comprehensive analysis of the GuLoader malware, its role as a gatekeeper for the notorious AgentTesla stealer, and the entire infection process from start to finish. GuLoader employs sophisticated anti-analysis techniques, which pose challenges to researchers. However, through diligent analysis, the stages leading to the final payload, AgentTesla, are uncovered. While the initial sample is publicly accessible, the subsequent artifacts used to trigger different stages remain elusive in public sources.<\/p>\n\n\n\n

\"\"
Attack chain analysed in this post<\/figcaption><\/figure><\/div>\n\n\n\n

First checks on the initial script<\/h1>\n\n\n\n

The original name of the .vbs file is “Hitni zahtjev za prijedlog za programski ured Vijeca Europe u Skoplju 26.04.2023”, meaning “Urgent request for proposal for the program office of the Council of Europe in Skopje 26.04.2023<\/strong>“. <\/p>\n\n\n\n

The code consists of nearly 900 lines, including comments scattered throughout. The first noticeable element in the script is a variable named “Hent,” which corresponds to “WScript.Shell<\/strong>” This suggests that the variable may be invoked later for code execution purposes.<\/p>\n\n\n\n

Throughout the script, there is repeated concatenation of new strings to the variable V8. This technique can be employed to make the task of the analyzing analyst more challenging<\/strong>.<\/p>\n\n\n\n

\"\"
WScript.Shell<\/figcaption><\/figure><\/div>\n\n\n\n

When searching through the document for the variable name “Hent,” a match is found on line 666<\/strong> – the number of the beast. In this line, an assignment to the variable “Foret” is observed, which, like “Hent,” is equivalent to “WScript.Shell”<\/p>\n\n\n\n

\"\"
Foret<\/figcaption><\/figure><\/div>\n\n\n\n

After this, the variable “Teleg” is found, in which the concatenated string “powershell” is observed followed by the variable “V8” enclosed in quotes.<\/p>\n\n\n\n

Following that, the variable “Foret” is present, which will execute the content of the variable “Teleg”.<\/p>\n\n\n\n

\"\"
Teleg assignation<\/figcaption><\/figure><\/div>\n\n\n\n

Therefore, it is expected that the script will execute PowerShell commands, which aligns with the preliminary information from VirusTotal.<\/p>\n\n\n\n

At the end of the code, there is a signature that has also been used to search for related files in VirusTotal. However, in this case, nothing notable has been found that would expedite this analysis. This means that there is manual analysis work to be done.<\/p>\n\n\n\n

Stage 1 – Downloader<\/h1>\n\n\n\n

When double-clicking on the “Hitni zahtjev za prijedlog za programski ured Vijeca Europe u Skoplju 26.04.2023.vbs” file, a “wscript” process is launched, which ultimately executes “powershell.exe”.<\/p>\n\n\n\n

\"\"
Script powershell (ProcessHacker)<\/figcaption><\/figure><\/div>\n\n\n\n

In order to make the code more readable, it has been formatted into a separate document. Upon observing the code, an evident alteration of the strings can be noticed. The “Regent9” function will be responsible for converting the strings, making them readable.<\/p>\n\n\n\n

\"\"
Regent9<\/figcaption><\/figure><\/div>\n\n\n\n

Starting from the first variable “Pluvine,” the resulting string is a URL.<\/p>\n\n\n\n

\"\"
Pluvine variable and URL<\/figcaption><\/figure><\/div>\n\n\n\n

A successful download of the file referenced in the URL has been completed. <\/p>\n\n\n\n

\"\"
Downloading Genicula.prm<\/figcaption><\/figure><\/div>\n\n\n\n

The domain melsicon.com (195.191.148.219) is a legitimate domain created 12 years ago, which does not have visible history of being used by malware in utilities such as VirusTotal, at the time of creating this post. When reviewing the content of the downloaded file, it is observed that it is encoded in base64.<\/p>\n\n\n\n

\"\"
Genicula.prm<\/figcaption><\/figure><\/div>\n\n\n\n

The downloaded file remains the same across different executions and maintains the same hash, therefore, it can be considered as an Indicator of Compromise (IOC).<\/p>\n\n\n\n

Name<\/th>Hash(256)<\/th><\/tr><\/thead>
Genicula.prm<\/td>3f0a012d75144686917f5a1ac151b03894c662783c2b9ed4867c02d39e682545<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

However, the execution does not continue, and a typical message representative of anti-analysis techniques is displayed.<\/p>\n\n\n\n

\"\"
Message displayed during the execution<\/figcaption><\/figure><\/div>\n\n\n\n

This type of message has been seen, for example, with GuLoader malware<\/a>. If that is the case, it’s important to note that such malware often employs sophisticated anti-analysis techniques that are challenging to overcome.<\/p>\n\n\n\n

Stage 2 – Deployment<\/h1>\n\n\n\n

Once “Genicula.prm” is decoded, it can be analyzed in more detail in an attempt to understand it and allow the malware to proceed with its execution. Indeed, as part of the script, a new PowerShell script is detected. There are numerous comments and a function that appears to be responsible for decrypting the strings.<\/p>\n\n\n\n

\"\"
Script powershell<\/figcaption><\/figure><\/div>\n\n\n\n

As seen in the previous capture, the function “Udskressv02” is responsible for decrypting strings<\/strong> included in the download itself, being invoked a total of 45 times throughout the execution. All the decrypted strings have been extracted:<\/p>\n\n\n\n

\"\"
Decrypted strings<\/figcaption><\/figure><\/div>\n\n\n\n

Among the strings, references to variables already present in the script can be found. The lines that stand out the most are the last ones, where copy operations can be observed, as well as the use of “Invoke” to execute commands.<\/p>\n\n\n\n

The variable “Conjuga” will load the VirtualAlloc function, which will be used to store the handle of the memory stored in the variables “Minefa3” and “Maudlinlyh”. The sections will have write, read, and execute permissions.<\/p>\n\n\n\n

Following this, there are two copy operations from the variable “Tsarit”. This last was part of the first PowerShell script as one of the encrypted strings. The content of “Tsarit” represents the second stage, already converted from base64.<\/p>\n\n\n\n

\"\"
Tsarit assignation<\/figcaption><\/figure><\/div>\n\n\n\n

Following the execution, it is possible to determine that it will copy the following bytes to the following variables:<\/p>\n\n\n\n