Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 21 May, 2022
Global rank: 3
Week rank: 3
Month rank: 3
IOCs: 31316

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community. This is due not least to its ease of use and to the tech support available on the “official” website where the attackers sell the malware, as well as on the dedicated Discord server. Despite the claims that the software is legitimate, support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is built on the .NET software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla malware can capture screenshots and videos. It can also record clipboard information and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored for different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technical attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. It is also able to turn off Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows tracking activities in real time and watching Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox simulation. A video recorded by ANY.RUN lets us take a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in our threat intelligence feed in the public submissions.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to identify. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, one must be careful about downloading attachments in emails from unknown senders and try to identify scams.

Distribution of Agent Tesla

Like Vidar or IcedID, the malware is distributed largely via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a contaminated document will be automatically downloaded to a victim’s PC.

If opened, the document will trigger the download of the actual virus. The spyware saves itself in the “%temp%” folder and then automatically executes. Email campaigns usually target individuals working in different industries. Topics of malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy the code execution through a trusted Windows utility. Research and threat intelligence teams should note that in the given example it is the RegSvcs.exe process that is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, analyze the indicators of a malicious process (most often it's an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also see what information the malware has stolen by clicking on the indicator, and navigate through it by clicking the right and left arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla's packet encryption is often unsuccessful, and with the ANY.RUN service's "Network Stream" analysts can take a look at what data this malware stole. To do so, open the "Connections" tab in the lower part of the task's window and simply click on the connection that sent data. It is not unusual to find even the attacker’s SMTP credentials inside this information.

Figure 2: Agent Tesla’s Network stream without encryption
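
The execution chain and the network behaviour described above can be turned into simple behavioral checks. The following is an added example, not code from ANY.RUN or from the original page: it runs three rules over constructed process and network events. The event layout, the rule names, the %temp% path marker and the SMTP port list are assumptions made for illustration.

```python
import ntpath

# Constructed sample events (not taken from a real task), shaped loosely like
# process-creation ("proc") and network-connection ("net") telemetry records.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "proc", "pid": 200, "ppid": 100,
     "image": r"C:\Users\user\AppData\Local\Temp\invoice.exe"},
    {"type": "proc", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "net", "pid": 300, "dport": 587},
    {"type": "proc", "pid": 400, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "net", "pid": 400, "dport": 443},
]

OFFICE = {"winword.exe"}                  # the page names Word documents
PROXIES = {"regsvcs.exe", "regasm.exe"}   # trusted utilities named on the page
SMTP_PORTS = {25, 465, 587}               # assumption: usual SMTP ports
TEMP_MARKER = "\\appdata\\local\\temp\\"  # assumption: default %temp% location

def name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def in_temp(path):
    return TEMP_MARKER in path.lower()

def detect(events):
    """Return (rule, pid) findings for the process chain described above."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "proc":
            parent = procs.get(e["ppid"])
            parent_image = parent["image"] if parent else ""
            # Word document drops and launches an executable from %temp%
            if name(parent_image) in OFFICE and in_temp(e["image"]):
                findings.append(("office_spawned_temp_exe", e["pid"]))
            # RegSvcs/RegAsm started by a binary that itself lives in %temp%
            if name(e["image"]) in PROXIES and in_temp(parent_image):
                findings.append(("proxy_utility_from_temp_parent", e["pid"]))
        elif e["type"] == "net":
            proc = procs.get(e["pid"])
            # RegSvcs/RegAsm has no normal reason to send mail
            if proc and name(proc["image"]) in PROXIES and e["dport"] in SMTP_PORTS:
                findings.append(("proxy_utility_smtp", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

In real telemetry the same logic maps onto whatever fields the EDR or logging agent provides for parent image, image path and destination port.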

Conclusion

According to threat intelligence reports, since its creation, Agent Tesla trojan has been used by over 6,300 customers. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

A company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that it can be used by almost anybody but also in its ability to open doors to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware behavior in detail and set up appropriate security responses.
