Extracts embedded config from Agent Tesla RAT malware samples including SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints using .NET decompilation, string patterns, and decryption.
Agent Tesla 是一款基于 .NET 的远程访问木马(RAT)和键盘记录器,在 2024 年跻身十大恶意软件变种之列,影响全球 6.3% 的企业网络。它通过 SMTP 电子邮件、FTP 上传、Telegram Bot API 或 Discord Webhook 窃取凭据。恶意软件配置内嵌于 .NET 程序集中,通常使用字符串加密、资源加密或自定义加载器进行混淆,后者通过 .NET Reflection 在内存中解密并执行 Agent Tesla(无文件方式)。配置提取需要使用 dnSpy 或 ILSpy 反编译 .NET 程序集,识别配置字符串的解密例程,并提取 SMTP 服务器地址、凭据、FTP 端点、Telegram Bot Token 和目标应用程序。
Extracts config from Agent Tesla RAT samples via .NET decompilation and Python scripts, uncovering SMTP/FTP/Telegram credentials, keyloggers, and C2 endpoints for malware analysis.
Extracts configuration from Agent Tesla RAT malware samples including SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints via .NET decompilation and Python regex patterns. For cybersecurity malware analysis.
Extracts and analyzes Cobalt Strike beacon configurations from PE files and memory dumps to identify C2 servers, Malleable C2 profiles, watermarks, and attacker tactics. Useful for malware analysis and incident response.
Agent Tesla 是一款基于 .NET 的远程访问木马(RAT)和键盘记录器,在 2024 年跻身十大恶意软件变种之列,影响全球 6.3% 的企业网络。它通过 SMTP 电子邮件、FTP 上传、Telegram Bot API 或 Discord Webhook 窃取凭据。恶意软件配置内嵌于 .NET 程序集中,通常使用字符串加密、资源加密或自定义加载器进行混淆,后者通过 .NET Reflection 在内存中解密并执行 Agent Tesla(无文件方式)。配置提取需要使用 dnSpy 或 ILSpy 反编译 .NET 程序集,识别配置字符串的解密例程,并提取 SMTP 服务器地址、凭据、FTP 端点、Telegram Bot Token 和目标应用程序。
dnlib 或 pythonnet,用于自动化提取
#!/usr/bin/env python3
"""从 .NET 程序集中提取 Agent Tesla RAT 配置。"""
import re
import sys
import json
import base64
import hashlib
from pathlib import Path
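def extract_strings_from_dotnet(filepath):
    """Scan a .NET binary for strings that look like Agent Tesla configuration.

    This is a plain byte-pattern scan of the whole file, not a parse of the
    .NET metadata (#US) heap: the regexes run over the raw bytes, so they also
    see plaintext in resources and any unrelated text embedded in the image.
    Every hit is therefore a candidate to confirm in the decompiler, not
    confirmed configuration.

    Args:
        filepath: Path of the sample to scan (anything ``open()`` accepts).

    Returns:
        dict mapping a pattern name (``"smtp_server"``, ``"email"``,
        ``"ftp_url"``, ``"telegram_token"``, ``"telegram_chat"``,
        ``"discord_webhook"``, ``"password"``, ``"port"``) to the list of
        distinct matches in order of first occurrence; names with no match
        are omitted. A ``"base64_decoded_strings"`` entry holds up to 30
        distinct printable strings recovered from Base64-looking runs.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    with open(filepath, 'rb') as f:
        data = f.read()

    # Heuristic patterns for the exfiltration settings Agent Tesla embeds.
    patterns = {
        "smtp_server": re.compile(rb'smtp[\.\-][\w\.\-]+\.\w{2,}', re.I),
        "email": re.compile(rb'[\w\.\-]+@[\w\.\-]+\.\w{2,}'),
        "ftp_url": re.compile(rb'ftp://[\w\.\-:/]+', re.I),
        "telegram_token": re.compile(rb'\d{8,10}:[A-Za-z0-9_-]{35}'),
        "telegram_chat": re.compile(rb'(?:chat_id=|chatid[=:])[\-]?\d{5,15}', re.I),
        "discord_webhook": re.compile(rb'https://discord\.com/api/webhooks/\d+/[\w-]+'),
        "password": re.compile(rb'(?:pass(?:word)?|pwd)[=:]\s*[\w!@#$%^&*]{4,}', re.I),
        "port": re.compile(rb'(?:port|smtp_port)[=:]\s*\d{2,5}', re.I),
    }

    results = {}
    for name, pattern in patterns.items():
        matches = pattern.findall(data)
        if matches:
            decoded = [m.decode('utf-8', errors='replace') for m in matches]
            # dict.fromkeys keeps first-seen order while dropping repeats,
            # so a string referenced many times shows up once in the report
            results[name] = list(dict.fromkeys(decoded))

    # Base64 runs: a cheap, common way the config strings are hidden.
    b64_pattern = re.compile(rb'[A-Za-z0-9+/]{20,}={0,2}')
    b64_decoded = []
    for match in b64_pattern.finditer(data):
        try:
            decoded = base64.b64decode(match.group())
            text = decoded.decode('utf-8', errors='strict')
        except ValueError:
            # binascii.Error (bad length/padding) and UnicodeDecodeError are
            # both ValueError subclasses: the run simply is not Base64 text
            continue
        if text.isprintable() and len(text) > 5:
            b64_decoded.append(text)
    if b64_decoded:
        results["base64_decoded_strings"] = list(dict.fromkeys(b64_decoded))[:30]
    return results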
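def decrypt_agenttesla_strings(data, key_hex):
    """Recover strings from high-entropy blobs by XOR-ing them with a key.

    Handles the repeating-key XOR used by early (v1) Agent Tesla builds. The
    key is applied cyclically to every run of 16–256 consecutive bytes with
    the high bit set (a cheap stand-in for "looks encrypted"); a run whose
    XOR result decodes as printable UTF-8 is kept. Because the blob search is
    a heuristic, the output can contain fragments of unrelated data.

    The v2 scheme sketched in earlier revisions of this script (SHA-256 key
    derivation followed by AES) is not implemented here: the standard library
    has no AES, so for those samples use the decryption routine identified in
    the decompiler.

    Args:
        data: Raw bytes of the sample (or of an already-unpacked resource).
        key_hex: XOR key as a hex string, e.g. ``"0a0b0c"``.

    Returns:
        list of decrypted, whitespace-stripped strings longer than 3
        characters, in file order (may be empty).

    Raises:
        ValueError: if *key_hex* is not valid hex or decodes to no bytes.
    """
    key = bytes.fromhex(key_hex)
    if not key:
        # an empty key would make the modulo below divide by zero
        raise ValueError("key_hex must decode to at least one byte")
    key_len = len(key)

    blob_pattern = re.compile(rb'[\x80-\xff]{16,256}')
    decrypted_strings = []
    for match in blob_pattern.finditer(data):
        blob = match.group()
        decrypted = bytes(b ^ key[i % key_len] for i, b in enumerate(blob))
        try:
            text = decrypted.decode('utf-8', errors='strict')
        except UnicodeDecodeError:
            continue
        if text.isprintable() and len(text.strip()) > 3:
            decrypted_strings.append(text.strip())
    return decrypted_strings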
def analyze_exfiltration_config(config):
    """Summarise which exfiltration channels the extracted config points at.

    Args:
        config: dict as returned by ``extract_strings_from_dotnet``; only the
            keys ``smtp_server``, ``email``, ``ftp_url``, ``telegram_token``,
            ``telegram_chat`` and ``discord_webhook`` are consulted.

    Returns:
        list of dicts, one per channel with at least one hit, in the fixed
        order SMTP, FTP, Telegram, Discord. Each dict carries a ``"type"``
        and the channel's own fields. A channel is reported only when its
        trigger key holds a non-empty value; the secondary key (emails,
        chat ids) defaults to an empty list.
    """
    # (trigger key, channel name, field for the trigger values,
    #  optional (secondary config key, secondary field) pair)
    channels = (
        ("smtp_server", "SMTP", "servers", ("email", "emails")),
        ("ftp_url", "FTP", "urls", None),
        ("telegram_token", "Telegram", "tokens", ("telegram_chat", "chat_ids")),
        ("discord_webhook", "Discord", "webhooks", None),
    )
    methods = []
    for trigger, channel, field, extra in channels:
        values = config.get(trigger)
        if not values:
            continue
        entry = {"type": channel, field: values}
        if extra is not None:
            extra_key, extra_field = extra
            entry[extra_field] = config.get(extra_key, [])
        methods.append(entry)
    return methods
if __name__ == "__main__":
    # Usage: <script> <agent_tesla_sample>; the JSON report goes to stdout.
    args = sys.argv[1:]
    if not args:
        print(f"用法:{sys.argv[0]} <agent_tesla_sample>")
        sys.exit(1)
    config = extract_strings_from_dotnet(args[0])
    methods = analyze_exfiltration_config(config)
    report = {
        "raw_config": config,
        "exfiltration_methods": methods,
    }
    print(json.dumps(report, indent=2))