Extracts embedded config from Agent Tesla RAT malware samples including SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints using .NET decompilation, string patterns, and decryption.
Agent Tesla 是一款基于 .NET 的远程访问木马(RAT)和键盘记录器,在 2024 年跻身十大恶意软件变种之列,影响全球 6.3% 的企业网络。它通过 SMTP 电子邮件、FTP 上传、Telegram Bot API 或 Discord Webhook 窃取凭据。恶意软件配置内嵌于 .NET 程序集中,通常使用字符串加密、资源加密或自定义加载器进行混淆,后者通过 .NET Reflection 在内存中解密并执行 Agent Tesla(无文件方式)。配置提取需要使用 dnSpy 或 ILSpy 反编译 .NET 程序集,识别配置字符串的解密例程,并提取 SMTP 服务器地址、凭据、FTP 端点、Telegram Bot Token 和目标应用程序。
Agent Tesla 是一款基于 .NET 的远程访问木马(RAT)和键盘记录器,在 2024 年跻身十大恶意软件变种之列,影响全球 6.3% 的企业网络。它通过 SMTP 电子邮件、FTP 上传、Telegram Bot API 或 Discord Webhook 窃取凭据。恶意软件配置内嵌于 .NET 程序集中,通常使用字符串加密、资源加密或自定义加载器进行混淆,后者通过 .NET Reflection 在内存中解密并执行 Agent Tesla(无文件方式)。配置提取需要使用 dnSpy 或 ILSpy 反编译 .NET 程序集,识别配置字符串的解密例程,并提取 SMTP 服务器地址、凭据、FTP 端点、Telegram Bot Token 和目标应用程序。
dnlib 或 pythonnet,用于自动化提取
#!/usr/bin/env python3
"""从 .NET 程序集中提取 Agent Tesla RAT 配置。"""
import re
import sys
import json
import base64
import hashlib
from pathlib import Path
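def extract_strings_from_dotnet(filepath):
    """从 .NET 二进制文件中提取可读字符串用于配置分析。

    Scan the raw bytes of a sample for string patterns that Agent Tesla
    configurations commonly carry (SMTP hosts, e-mail addresses, FTP URLs,
    Telegram bot tokens / chat ids, Discord webhooks, password and port
    assignments) and for Base64 runs that decode to printable text.  The
    sample is only read, never loaded or executed.  The .NET metadata (the
    #US user-string heap) is not parsed: strings stored there are found only
    when they are readable in the raw bytes.

    Args:
        filepath: path (str or Path) of the sample to scan.

    Returns:
        dict mapping pattern name -> list of unique matches (decoded as UTF-8
        with replacement), plus ``"base64_decoded_strings"`` holding up to 30
        decoded Base64 candidates.  Keys with no matches are omitted.  Every
        value is attacker-controlled data taken from the sample; treat the
        result as untrusted when rendering or storing it.

    Raises:
        OSError: if the file cannot be read.
    """
    data = Path(filepath).read_bytes()

    # 查找常见的 Agent Tesla 配置模式
    # The patterns are bounded repetitions over byte classes, so they are
    # safe to run over arbitrary (hostile) input.
    patterns = {
        "smtp_server": re.compile(rb'smtp[\.\-][\w\.\-]+\.\w{2,}', re.I),
        "email": re.compile(rb'[\w\.\-]+@[\w\.\-]+\.\w{2,}'),
        "ftp_url": re.compile(rb'ftp://[\w\.\-:/]+', re.I),
        "telegram_token": re.compile(rb'\d{8,10}:[A-Za-z0-9_-]{35}'),
        "telegram_chat": re.compile(rb'(?:chat_id=|chatid[=:])[\-]?\d{5,15}', re.I),
        "discord_webhook": re.compile(rb'https://discord\.com/api/webhooks/\d+/[\w-]+'),
        "password": re.compile(rb'(?:pass(?:word)?|pwd)[=:]\s*[\w!@#$%^&*]{4,}', re.I),
        "port": re.compile(rb'(?:port|smtp_port)[=:]\s*\d{2,5}', re.I),
    }
    results = {}
    for name, pattern in patterns.items():
        matches = [m.decode('utf-8', errors='replace') for m in pattern.findall(data)]
        if matches:
            # dict.fromkeys drops repeats while keeping first-seen order, so
            # a host referenced many times is reported once.
            results[name] = list(dict.fromkeys(matches))

    # 提取 Base64 编码的字符串(常见混淆方式)
    # Decoding is strict: random binary that merely looks like Base64 is
    # dropped instead of producing garbage entries.
    b64_pattern = re.compile(rb'[A-Za-z0-9+/]{20,}={0,2}')
    b64_decoded = []
    seen = set()
    for match in b64_pattern.finditer(data):
        try:
            text = base64.b64decode(match.group()).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            # binascii.Error (bad padding / length) is a ValueError subclass
            continue
        if text.isprintable() and len(text) > 5 and text not in seen:
            seen.add(text)
            b64_decoded.append(text)
    if b64_decoded:
        results["base64_decoded_strings"] = b64_decoded[:30]
    return results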
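def decrypt_agenttesla_strings(data, key_hex):
    """解密 Agent Tesla 加密的配置字符串。

    Locate candidate encrypted blobs in ``data`` (runs of 16-256 bytes with
    the high bit set) and XOR each one with the repeating key, keeping the
    results that decode to printable UTF-8.  This implements only the simple
    XOR scheme the original comment labels "Agent Tesla V1"; the
    SHA256-derived AES variant it mentions as "V2" is not implemented here.

    Args:
        data: raw bytes of the sample (or of a decrypted payload).
        key_hex: XOR key as a hex string, e.g. ``"2a3b"``.

    Returns:
        list of decrypted printable strings (stripped, longer than 3 chars),
        in the order their blobs appear in ``data``.  The content is
        attacker-controlled; treat it as untrusted.

    Raises:
        ValueError: if ``key_hex`` is not valid hex or decodes to zero bytes
        (an empty key would otherwise fail with ZeroDivisionError in the
        modulo below).
    """
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("key_hex must contain at least one byte")
    key_len = len(key)

    # Agent Tesla V1:使用密钥进行简单 XOR
    # 查找加密数据块(高熵字节序列)
    blob_pattern = re.compile(rb'[\x80-\xff]{16,256}')
    decrypted_strings = []
    for match in blob_pattern.finditer(data):
        blob = match.group()
        # 尝试 XOR 解密
        decrypted = bytes(b ^ key[i % key_len] for i, b in enumerate(blob))
        try:
            text = decrypted.decode('utf-8')
        except UnicodeDecodeError:
            continue
        # Keep only fully printable candidates; short results are almost
        # always coincidental.
        if text.isprintable() and len(text.strip()) > 3:
            decrypted_strings.append(text.strip())
    return decrypted_strings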
def analyze_exfiltration_config(config):
    """分析提取的配置以识别数据泄露方式。

    Map the raw pattern hits from ``extract_strings_from_dotnet`` onto the
    exfiltration channels they indicate.

    Args:
        config: dict of pattern name -> list of matched strings.

    Returns:
        list of dicts, one per channel with at least one hit, in the fixed
        order SMTP, FTP, Telegram, Discord.  Each entry has a ``"type"`` label
        and the matched values; SMTP and Telegram entries also carry the
        related e-mail addresses / chat ids (empty list when absent).
    """
    # (config key, channel label, field for its values, optional secondary
    #  (field, config key) pair that is reported alongside)
    channel_table = (
        ("smtp_server", "SMTP", "servers", ("emails", "email")),
        ("ftp_url", "FTP", "urls", None),
        ("telegram_token", "Telegram", "tokens", ("chat_ids", "telegram_chat")),
        ("discord_webhook", "Discord", "webhooks", None),
    )
    found = []
    for key, label, field, extra in channel_table:
        values = config.get(key)
        if not values:
            continue
        entry = {"type": label, field: values}
        if extra is not None:
            extra_field, extra_key = extra
            entry[extra_field] = config.get(extra_key, [])
        found.append(entry)
    return found
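if __name__ == "__main__":
    # CLI entry point: scan one sample and print a JSON report on stdout.
    # Usage and error text go to stderr so stdout stays parseable JSON.
    if len(sys.argv) < 2:
        print(f"用法:{sys.argv[0]} <agent_tesla_sample>", file=sys.stderr)
        sys.exit(1)
    try:
        config = extract_strings_from_dotnet(sys.argv[1])
    except OSError as err:
        print(f"无法读取样本: {err}", file=sys.stderr)
        sys.exit(1)
    methods = analyze_exfiltration_config(config)
    # The report holds credentials and tokens recovered from the sample;
    # store and share it as sensitive material.
    report = {"raw_config": config, "exfiltration_methods": methods}
    print(json.dumps(report, indent=2))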
Extracts embedded SMTP/FTP/Telegram/Discord exfiltration credentials, keylogger settings, and C2 endpoints from Agent Tesla RAT .NET samples using dnSpy/ILSpy decompilation and memory analysis.
Extracts configuration from Agent Tesla RAT malware samples including SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints via .NET decompilation and Python regex patterns. For cybersecurity malware analysis.