Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 26 January, 2023
Global rank: 4
Week rank: 2
Month rank: 3
IOCs: 53083

What is Agent Tesla malware?

Agent Tesla is a password-stealing spyware that has been around since 2014. Attackers use it to spy on victims, allowing them to see everything that has been typed into supported programs and web browsers.

Being marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, Agent Tesla has become extremely popular in the criminal community. This is not least due to its ease of use and to the tech support available on the "official" website where the malware is sold, as well as on a dedicated Discord server. Despite the claims of legitimacy, support staff give advice on using the malware illegally. Agent Tesla is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written for the .NET Framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware harvests saved credentials and other information from web browsers, email clients, and FTP clients.

In addition, Agent Tesla can capture screenshots and video. It also records clipboard contents and form values. The malware was distributed via agenttesla-dot-com, where attackers could purchase it for as little as $15; depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a kind of ecosystem around the program, providing 24/7 customer support as well as pre-packaged purchase plans with options tailored to different budgets and goals. The malware ships with a dedicated builder that has a simple-to-use control panel, which allows even a non-technical attacker to pack the payload into a malicious document. What's more, after 2015 the Agent Tesla control panel was expanded with extensive automation functionality, allowing the attacker to capture screenshots or remotely activate the webcam on a victim's PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms, so it resumes operation automatically after a system reboot. It is also able to terminate Windows processes in order to stay hidden.

Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this malware. You can also analyze fresh samples and IOCs in our threat intelligence feed and in the public submissions.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla is not easy to identify. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, do not download attachments from emails sent by unknown senders, and learn to recognize scams.

Distribution of Agent Tesla

The malware is distributed at large via spam email campaigns, as are Vidar and IcedID. It is usually delivered to victims in malicious documents or via malicious web links; visiting such a link automatically downloads a weaponized document to the victim's PC.

If opened, the document triggers the download of the actual payload. The spyware saves itself in the "%temp%" folder and then executes automatically. Email campaigns usually target individuals working in a range of industries, and the lure topics can be extremely diverse.

Agent Tesla execution process

Agent Tesla is mostly spread via Microsoft Word documents that contain either an embedded executable or an exploit. Once the document is opened, an executable is downloaded and renamed. The downloaded file runs and creates a child process, which in turn can create another child process.

The malware is able to use RegSvcs.exe and RegAsm.exe to proxy code execution through a trusted, signed Windows utility. Research and threat intelligence teams should note that in the example below it is the RegSvcs.exe process that is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla is stealing personal information, you can identify it by its behavior. To do so, look at the indicators of the malicious process (most often an injected "RegAsm.exe"). If the "Actions looks like stealing of personal data" indicator appears in the "Process details" section, you are probably dealing with Agent Tesla. Clicking on the indicator shows what information the malware has stolen; use the left and right arrows in the window that appears to navigate through it.
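The execution chain described above (an Office document dropping an executable under %TEMP%, which then proxies its code through RegAsm.exe or RegSvcs.exe) lends itself to a simple process-tree check. The following Python is an added example written for this page, not ANY.RUN's detection logic or code from the page: it runs over a constructed list of Sysmon-style process-creation events and flags each link in the chain. The event field names, the list of parents that legitimately launch RegAsm/RegSvcs, and the sample events are all assumptions made for the demonstration.

```python
"""Heuristic process-tree review for an Agent Tesla-style execution chain.

Added example, not part of the original page or of ANY.RUN's tooling. The event
layout (pid, ppid, image, command_line) mirrors Sysmon Event ID 1 fields, and
the sample events below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# .NET utilities the text names as execution proxies (MITRE T1218.009).
PROXY_IMAGES = {"regasm.exe", "regsvcs.exe"}
# Parents that legitimately invoke RegAsm/RegSvcs: an assumption for this demo,
# tune it to what your own build and installer telemetry actually shows.
EXPECTED_PROXY_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "installutil.exe"}
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
# First token of a Windows command line: a quoted path or a bare one.
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event."""
    pid: int
    ppid: int
    image: str
    command_line: str


def arguments(cmdline: str) -> str:
    """Return the command line with the executable token removed."""
    return FIRST_TOKEN.sub("", cmdline, count=1)


def find_indicators(events):
    """Return (pid, reason) pairs for events matching the Agent Tesla chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""

        # Stage 1: an Office process launches a binary dropped under %TEMP%.
        if pname in OFFICE_IMAGES and TEMP_DIR.search(e.image):
            hits.append((e.pid, "office_spawned_temp_exe"))

        if name in PROXY_IMAGES:
            # Stage 2a: RegAsm/RegSvcs started by something other than build tooling.
            if pname not in EXPECTED_PROXY_PARENTS:
                hits.append((e.pid, "proxy_exec_unusual_parent"))
            # Stage 2b: no assembly on the command line, so the utility registers
            # nothing and only serves as a host for injected code.
            if not re.search(r"\.dll\b", arguments(e.command_line), re.IGNORECASE):
                hits.append((e.pid, "proxy_exec_no_assembly_arg"))
    return hits


def suspicious_pids(events):
    """Sorted list of pids that triggered at least one indicator."""
    return sorted({pid for pid, _ in find_indicators(events)})


# Constructed sample telemetry: one infection chain plus one legitimate RegAsm use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\victim\Downloads\invoice.docx"'),
    ProcEvent(300, 200, r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
              r'"C:\Users\victim\AppData\Local\Temp\invoice.exe"'),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(500, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MyLib.csproj'),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase bin\MyLib.dll'),
]

if __name__ == "__main__":
    for pid, reason in find_indicators(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run as-is to list the flagged pids: in the sample, the dropped invoice.exe and the argument-less RegAsm.exe it launches are flagged, while RegAsm.exe invoked by MSBuild with a .dll argument is not. The parent allow-list needs tuning against real telemetry, and a sample that injects into a RegAsm.exe started with a plausible argument would pass check 2b, so the behavioral "stealing of personal data" indicator mentioned above remains the stronger signal.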

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla often sends its exfiltration traffic without working encryption, so with the ANY.RUN "Network Stream" view analysts can see exactly what data the malware stole. To do this, open the "Connections" tab in the lower part of the task window and click on the connection that sent the data. It is not unusual to find the attacker's own SMTP credentials in this stream.

Figure 3: Agent Tesla's network stream without encryption
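One reason such a stream is so readable is that SMTP AUTH LOGIN transmits the mailbox username and password as base64, which is an encoding rather than encryption, and the stolen data then follows in plain text in the DATA section. The Python below is an added example, not code from the page or from ANY.RUN: given the client half of a reassembled TCP stream (constructed here as a sample transcript), it recovers the credentials, the envelope addresses and the message body. The SMTP dialogue, the addresses and the layout of the stolen data are all made up for the illustration.

```python
"""Recover credentials and exfiltrated content from a plaintext SMTP stream.

Added example, not code from the page or from ANY.RUN. It parses the client
side of an unencrypted SMTP session: AUTH LOGIN / AUTH PLAIN credentials
(base64, not encrypted), the envelope, and the message sent after DATA.
The sample transcript at the bottom is constructed for illustration.
"""
import base64
import binascii
from email import message_from_string, policy


def decode_b64(token: str) -> str:
    """Decode a base64 SMTP token; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return token


def _line(lines, i):
    """Bounds-safe line access for truncated captures."""
    return lines[i] if i < len(lines) else ""


def parse_smtp_client_stream(stream: str) -> dict:
    """Extract credentials, envelope and message from the client side of an SMTP session."""
    out = {"username": None, "password": None, "mail_from": None,
           "rcpt_to": [], "subject": None, "body": None}
    lines = stream.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        verb = line.upper()
        if verb.startswith("AUTH LOGIN"):
            parts = line.split()
            if len(parts) == 3:              # AUTH LOGIN <b64 username>
                out["username"] = decode_b64(parts[2])
                i += 1
            else:                            # username arrives on the next line
                i += 1
                out["username"] = decode_b64(_line(lines, i))
                i += 1
            out["password"] = decode_b64(_line(lines, i))
        elif verb.startswith("AUTH PLAIN"):
            parts = line.split()
            if len(parts) == 3:
                blob = parts[2]
            else:
                i += 1
                blob = _line(lines, i)
            # AUTH PLAIN payload is "authzid\0authcid\0password".
            _authzid, user, pwd = decode_b64(blob).split("\0")
            out["username"], out["password"] = user, pwd
        elif verb.startswith("MAIL FROM:"):
            out["mail_from"] = line[10:].strip().strip("<>")
        elif verb.startswith("RCPT TO:"):
            out["rcpt_to"].append(line[8:].strip().strip("<>"))
        elif verb == "DATA":
            # The message runs until a line consisting of a single dot.
            j = i + 1
            while j < len(lines) and lines[j] != ".":
                j += 1
            # Undo SMTP dot-stuffing while rebuilding the raw message.
            raw = "\r\n".join(l[1:] if l.startswith("..") else l for l in lines[i + 1:j])
            msg = message_from_string(raw, policy=policy.default)
            out["subject"] = str(msg["Subject"])
            out["body"] = msg.get_body(preferencelist=("plain",)).get_content()
            i = j
        i += 1
    return out


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed client-side transcript of an unencrypted SMTP exfiltration session.
SAMPLE_STREAM = "\r\n".join([
    "EHLO VICTIM-PC",
    "AUTH LOGIN",
    b64("dropbox@mail.example.invalid"),
    b64("Hunter2!"),
    "MAIL FROM:<dropbox@mail.example.invalid>",
    "RCPT TO:<dropbox@mail.example.invalid>",
    "DATA",
    "From: dropbox@mail.example.invalid",
    "To: dropbox@mail.example.invalid",
    "Subject: Stolen credentials from VICTIM-PC",
    "",
    "Time: 01/26/2023 10:42:11",
    "User Name: victim/VICTIM-PC",
    "URL: https://webmail.example.invalid/",
    "Username: victim@example.invalid",
    "Password: s3cret",
    "Application: Chrome",
    ".",
    "QUIT",
])

if __name__ == "__main__":
    for key, value in parse_smtp_client_stream(SAMPLE_STREAM).items():
        print(f"{key}: {value!r}")
```

To apply this to a real task, copy the client side of the connection from the Network Stream view into SAMPLE_STREAM. The approach only works when the sample speaks plain SMTP; if the session negotiates STARTTLS or uses submission over TLS, everything after the handshake is encrypted and nothing here applies.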

Conclusion

According to threat intelligence reports, since its creation Agent Tesla has been used by over 6,300 customers. Unfortunately, the popularity of the malware is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

The company-like service provided by the malware's creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that it can be used by almost anybody but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

IOCs

IP addresses
185.162.171.75
109.106.250.131
89.107.229.136
185.81.4.99
103.229.73.122
162.0.215.31
158.69.242.51
212.76.85.39
185.58.73.14
41.77.117.236
192.186.233.163
108.170.27.202
109.232.216.46
198.54.125.197
104.197.158.42
107.180.38.104
103.8.25.128
108.167.136.54
143.95.232.76
45.64.105.11
Hashes

Domains
pluto.iziis.ukim.edu.mk
postback.trafficmotor.com
vcctggqm3t.dattolocal.net
booking.msg.bluhotels.com
0.pool.ntp.org
carder.bit
mail.dmstech.in
zerit.top
fuyt.org
tzgl.org
kotob.top
tbpws.top
astdg.top
securebiz.org
karpa.bounceme.net
zoomvideo.site
santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
focuzpartsmart.com
mail.focuzpartsmart.com
