What is obiper830279.exe?
Let's take a look at this one.
It is a .NET-based sample.
You can see the source code with dnSpy or a similar decompiler.
At the entry point, it fetches the resource named Wanted
and decrypts it with an XOR-based routine.
I wrote decryption code for it.
def decrypt_data(data, key_gen, round_count, data_length):
    # Mirrors the loader's routine: each step rewrites data_[i % n] from its own
    # value, one key byte, and the current value of the neighbour data_[(i+1) % n].
    data_ = bytearray(data)
    pl = 256
    for i in range(data_length * (round_count + 1)):
        kw = i + 1
        dataIndex = i % data_length
        d = kw % data_length
        f = data_[d] + pl
        xor_result = data_[dataIndex]
        g = xor_result ^ key_gen[i % 22]
        subt = g - f
        data_[dataIndex] = subt % pl   # Python's % keeps the result in 0..255
    return bytes(data_)

# "Wanted" is the encrypted resource dumped from the .NET assembly
with open("./Wanted", "rb") as f:
    enc = f.read()

# Key bytes, round count and length as found in the loader
KeyGen = [67, 82, 90, 90, 66, 56, 52, 71, 72, 70, 70, 72, 66, 52, 55, 89, 66, 65, 70, 56, 82, 71]
Round = 0
dataLength = 74240
decrypted_data = decrypt_data(enc, KeyGen, Round, dataLength)

with open("agent_tesla", "wb") as f:
    f.write(decrypted_data)
It was Agent Tesla.
When you encounter malware like this, you need to extract its config.
ANY.RUN has this feature.
MalConf reveals Agent Tesla’s config!!!!!
It is so easy!!!!!!!!!!!!!!!
Finally, I can get the malware's config and IOCs. This is an easy analysis flow with ANY.RUN. In this analysis, I tried not to do static analysis, just using ANY.RUN features.