Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 31 March, 2020
Global rank: 2
Week rank: 1
Month rank: 1
IOCs: 6066

What is Agent Tesla malware?

Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, Agent Tesla has become extremely popular in the hacker community. This is due in no small part to its ease of use and to the tech support available on the “official” website where the malware is sold, as well as on a dedicated Discord server. Despite claiming that the software is legitimate, the support staff give advice on using it illegally. Agent Tesla is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is built on the .NET software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients and FTP servers.

In addition, Agent Tesla malware is able to capture screenshots and videos. It can also record clipboard information and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a kind of ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored for different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technical attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

The malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. It is also able to turn off Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of ANY.RUN allows analysts to track activity in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox simulation. A video recorded by ANY.RUN lets us take a closer look at the lifecycle of this virus.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to detect. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, one must be careful about downloading attachments in emails from unknown senders.

Distribution of Agent Tesla

The malware is largely distributed via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a contaminated document is automatically downloaded to the victim’s PC.

If opened, the document will trigger the download of the actual virus. The spyware saves itself in the “%temp%” folder and then automatically executes. Email campaigns usually target individuals working in different industries. Topics of malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or exploit. Once the document is clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use RegSvcs and RegAsm to proxy code execution through a trusted Windows utility. In the given example, the RegSvcs.exe process is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, take a look at the indicators of a malicious process (most often it is an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also view what information the malware has stolen by clicking on the indicator, and navigate through it by clicking the right and left arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla's packet encryption often fails, and with ANY.RUN's "Network Stream" analysts can look at what data the malware stole. To do so, open the "Connections" tab in the lower part of the task's window and click on the connection that sent data. It is not unusual to find even the attacker’s SMTP credentials in this information.

Figure 2: Agent Tesla’s Network stream without encryption
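The process chain described in the execution section (a Word document leading to an executable in %temp% that launches RegSvcs.exe or RegAsm.exe) and the mail traffic visible in the network stream can be combined into one detection. The Python sketch below is an added example, not ANY.RUN's code; the event field names, the sample events, the file name invoice.exe and the SMTP port list are assumptions constructed for illustration.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe"}
LOLBINS = {"regsvcs.exe", "regasm.exe"}   # trusted utilities the page names
SMTP_PORTS = {25, 465, 587}               # standard SMTP ports (assumed exfil channel)

# Constructed sample telemetry; field names are simplified assumptions,
# not a real product schema.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 4, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "net", "pid": 300, "dst_port": 587},
    {"type": "proc", "pid": 400, "ppid": 4, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "proc", "pid": 500, "ppid": 4, "image": r"C:\Program Files\Mail\client.exe"},
    {"type": "net", "pid": 500, "dst_port": 587},
]

def base(path):
    return ntpath.basename(path).lower()

def ancestors(pid, procs):
    """Yield ancestor process records, nearest first; stops on unknown parents or loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            yield procs[pid]

def detect(events):
    """Flag RegSvcs/RegAsm processes with a suspicious lineage or SMTP traffic."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    alerts = []
    for pid, p in procs.items():
        if base(p["image"]) not in LOLBINS:
            continue
        chain = list(ancestors(pid, procs))
        reasons = []
        if any("\\temp\\" in a["image"].lower() for a in chain):
            reasons.append("ancestor_in_temp")
        if any(base(a["image"]) in OFFICE for a in chain):
            reasons.append("office_ancestor")
        if any(e["type"] == "net" and e["pid"] == pid and e["dst_port"] in SMTP_PORTS for e in events):
            reasons.append("smtp_from_lolbin")
        if reasons:
            alerts.append({"pid": pid, "image": base(p["image"]), "reasons": reasons})
    return alerts
```

Only the RegSvcs.exe process with the Word and %temp% lineage is flagged; the standalone RegAsm.exe and the ordinary mail client sending on port 587 are not.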

Conclusion

According to available information, since its creation, Agent Tesla trojan has been used by over 6,300 customers. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

A company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla lies not only in the fact that it can be used by almost anybody but also in its ability to open doors to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware behavior in detail and set up appropriate security responses.

