Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 27 September, 2025


IOCs

IP addresses
76.74.235.200
38.68.47.62
92.38.178.11
198.23.221.13
66.29.151.236
162.254.34.31
Hashes
97e004f0fc5d458d290402f9e4060c04be4832a40dd05ccc34de86c1211496d4
4c300ed5aded08c36854fa3beec5468ac6ff35670244fe1f088d3bddb19c3a46
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
7b4943d925f431aae56aca2d86c4ad5b0bde681057969c2d15e06b2085340e27
e27803fb6b9145189362039382b557561cc6054fb5981e0059fd854d2342b0ad
ac0b86bf664770295ad2de9a46edabc374040a467471a61fdac436d52e451964
c3653e5318419f8107d8bcc07a26f01681a189a5f448c417d99bed49b4131ebf
cda07296d20a239bdb9cb5a2c9a814f69811bc85ced8bf32e998b906a413f416
869741c883d52588520803d96a55a16477a0b63a3c2d93189aa43381fe442a36
55f86bc752a7b1a9f17919431ded82c9539d892fbc1dc22979ddc4ee27af8af8
6f7dee1f0db69c9e81cbaa5049ba98615663fe2fd6136e772f415b498d289f6f
720451ebd032018a39ff05792af6a05ff5ebed6595980b51cdcc0292a60f1bd4
18ec601c567f4c05a0ea6b5c9a3a6f4d85569f046c2f56b4e75ade41bb41cdd7
5006b2cfad660bf87b43993e98d1331f6ddeacbade93efa29f57140ab446be7b
235387b2db5e57432266491f03108790e5c4837d73af3df01943b8cd12e17830
e0e7337d14a3e82067dc8ee5e51ad7ed94ecc9057459728f99597ec3c105686c
e5ddcc6d375325b566ef3417bdfb3abe3e4f9bddfee80502074599b88c4d3a53
fd108b640511e040ff81be0ea54bb8bdfdb12aff54def52ac147c3fa112a143e
682fdd0b1a94ea8f92981fd6b697a5c4ff817ff6e838285655ede39107ca9ade
c71216c8edf76cd608d72edc12640567c2045a5d88a66514c593847351f2ddd8
Domains
Note: most of the mail hosts below (smtp.gmail.com, smtp.zoho.com, smtp.mail.ru, smtp.yandex.ru, smtpout.secureserver.net and similar) are legitimate providers that Agent Tesla uses as exfiltration endpoints, checkip.amazonaws.com is Amazon's public IP-lookup service that the stealer queries for the victim's external address, and the entry beginning "250-sas1" is a Yandex mail server hostname taken from an SMTP 250 response. Treat connections to these as context for the other indicators, not as standalone block-list entries.
250-sas1-26681efc71ef.qloud-c.yandex.net
mail.sbrenind.com
mail.elkat.com.my
elkat.com.my
smtp.zoho.eu
mail.gandi.net
smtp.1and1.es
ssl0.ovh.net
mail.privateemail.com
smtp.powweb.com
checkip.amazonaws.com
secure.emailsrvr.com
smtp.strato.com
mail.your-server.de
mail.hover.com
smtp.yandex.ru
smtp.gmail.com
smtp.zoho.com
smtp.mail.ru
smtpout.secureserver.net
URLs
http://alpatrik.com/org/inc/ff4783d4beeeb1.php
http://alpatrik.com/
http://catknock.com//inc/2455818bc570ff.php
http://dropbuyinc.ga/aust/inc/289191b0208dd6.php
http://ffhackti-57920.portmap.io:57920/panel/
http://ffhackti-57920.portmap.io:57920/panel
http://ffhackti-57920.portmap.io:57920/panel/getCommand.php
http://ffhackti-57920.portmap.io:57920/panel/receive.php
http://ffhackti-57920.portmap.io:57920/panel/login.php
http://198.98.55.114/rights/inc/0b221f05c8d6c3.php
http://198.98.55.114/ag7/inc/bb896bf04a14cd.php
http://198.98.55.114/ifex/inc/b06a1d19725a84.php
http://185.225.74.69/mad/inc/1c468152070648.php
http://185.225.74.69/am/inc/8cd2c5088ae130.php
http://107.189.4.253/zipone/inc/10c5bcaaef047d.php
http://107.189.4.253/b22/inc/7097e0820fdf5c.php
http://185.246.220.133/rone/inc/0b23a39d0d08b9.php
http://noctorships.ga/BlackNET/Panel/
http://noctorships.ga/BlackNET/Panel//receive.php
http://noctorships.ga/BlackNET/Panel//connection.php
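
As an added example (not part of the original page and not ANY.RUN's own tooling), the following Python script matches constructed proxy-log lines against the indicators above. It normalizes each URL (collapsing the doubled slash seen in several entries and ignoring the port), recognizes the recurring /inc/<14 hex chars>.php panel-gateway path that most URLs in the list share, so that a new campaign domain with the same panel layout is still caught, and down-ranks hits on the shared mail providers so they do not alert on their own. The log lines, client addresses and the example.org host are constructed; the indicator subset is copied from the list above.

```python
import re
from urllib.parse import urlsplit

# Indicator subset copied from the IOC list on this page.
IOC_IPS = {"76.74.235.200", "38.68.47.62", "92.38.178.11",
           "198.23.221.13", "66.29.151.236", "162.254.34.31"}
IOC_URLS = {
    "http://alpatrik.com/org/inc/ff4783d4beeeb1.php",
    "http://catknock.com//inc/2455818bc570ff.php",
    "http://198.98.55.114/rights/inc/0b221f05c8d6c3.php",
    "http://ffhackti-57920.portmap.io:57920/panel/getCommand.php",
    "http://noctorships.ga/BlackNET/Panel//receive.php",
}
# Legitimate mail / IP-lookup services from the domain list that the stealer
# abuses for exfiltration. A hit on these alone is low confidence.
SHARED_SERVICES = {"smtp.gmail.com", "smtp.zoho.com", "smtp.zoho.eu",
                   "smtp.mail.ru", "smtp.yandex.ru", "smtpout.secureserver.net",
                   "mail.privateemail.com", "checkip.amazonaws.com"}
IOC_DOMAINS = {"mail.sbrenind.com", "mail.elkat.com.my", "elkat.com.my"}

# Panel gateway path shared by most URLs in the list: /inc/<14 hex chars>.php
PANEL_PATH = re.compile(r"/inc/[0-9a-f]{14}\.php$")


def normalize(url):
    """Return (host, path) with runs of '/' collapsed and the port dropped,
    so http://catknock.com//inc/x.php and http://catknock.com/inc/x.php
    resolve to the same indicator."""
    parts = urlsplit(url)
    path = re.sub(r"/{2,}", "/", parts.path or "/")
    return (parts.hostname or "").lower(), path


IOC_URL_KEYS = {normalize(u) for u in IOC_URLS}


def classify(url):
    """Return (confidence, reason) for a single requested URL."""
    host, path = normalize(url)
    if (host, path) in IOC_URL_KEYS:
        return "high", "exact IOC URL"
    if host in IOC_IPS or host in IOC_DOMAINS:
        return "high", "IOC host"
    if PANEL_PATH.search(path):
        return "medium", "Agent Tesla style panel path"
    if host in SHARED_SERVICES:
        return "low", "shared mail/IP-lookup service (context only)"
    return "none", ""


# Constructed proxy log (not from the page): timestamp client method url
SAMPLE_LOG = """\
2025-09-27T10:01:02Z 10.0.0.15 GET http://catknock.com//inc/2455818bc570ff.php
2025-09-27T10:01:05Z 10.0.0.15 GET http://checkip.amazonaws.com/
2025-09-27T10:02:11Z 10.0.0.22 POST http://example.org/shop/inc/0123456789abcd.php
2025-09-27T10:03:40Z 10.0.0.31 GET http://www.example.com/index.html
"""


def scan(log_text):
    """Return one (client, confidence, reason, url) tuple per non-clean line."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split(maxsplit=3)
        confidence, reason = classify(url)
        if confidence != "none":
            hits.append((client, confidence, reason, url))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

In practice the "low" hits become useful only when correlated with the process that made them: a RegAsm.exe or RegSvcs.exe process talking to smtp.gmail.com is a very different finding from Outlook doing the same.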

What is Agent Tesla malware?

Agent Tesla is credential-stealing spyware that has been in circulation since 2014. Attackers use it to spy on victims: it logs everything typed into supported applications and web browsers and harvests the credentials stored in them.

It is marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger intended for personal use, and it has become extremely popular in the criminal community, not least because of its ease of use and the technical support offered on that "official" site and on a dedicated Discord server. Despite the claims of legitimacy, the support staff advise buyers on using the malware illegally. Agent Tesla is thought to originate from Turkey.

General description of Agent Tesla

The spyware is built on the .NET Framework. It is designed to steal personal data and transmit it to the attacker's command-and-control (C2) server, and it can extract stored credentials from web browsers, email clients, and FTP clients.

In addition, Agent Tesla can capture screenshots and video, and it records clipboard contents and form values. The malware was sold on agenttesla-dot-com for as little as $15, although depending on the options requested the package price could reach roughly $70.

Unusually, the authors built a whole ecosystem around the program: 24/7 customer support and pre-packaged purchase plans with option sets tailored to different budgets and goals. The malware ships with a builder that has a simple control panel, so even a non-technical attacker can pack the payload into a malicious document. After 2015 the control panel gained extensive automation features, such as capturing screenshots or activating the victim's webcam at set intervals.

Based on the analysis, the malware comes with multiple persistence mechanisms, so it resumes operation automatically after a system reboot, and it is able to terminate Windows processes to stay hidden from the user and from security software.

Malware analysis of Agent Tesla

ANY.RUN's interactivity lets you track the malware's activity in real time and watch Agent Tesla in action in a controlled, safe environment with full access to the running sandbox. A video recorded by ANY.RUN shows the lifecycle of this malware, and fresh samples and IOCs are available in the public submissions of our threat intelligence feed.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla is not easy to identify. The most robust defense is caution with suspicious emails and unknown links: above all, do not open attachments from unknown senders, and learn to recognize phishing lures.

Distribution of Agent Tesla

The malware is distributed mainly through spam email campaigns, as are Vidar and IcedID. It usually reaches victims as a malicious document attachment or via a malicious web link; visiting such a link automatically downloads a malicious document to the victim's PC.

If opened, the document triggers the download of the actual payload. The spyware saves itself in the %temp% folder and then executes automatically. The campaigns usually target individuals in a wide range of industries, and the email lures are extremely diverse.

Agent Tesla execution process

The Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable or an exploit. Once the document is opened, an executable is downloaded and renamed. That file runs and creates a child process, which in turn may create another child process.

The malware can use RegSvcs.exe and RegAsm.exe, two legitimate .NET Framework utilities, to proxy its code execution through a trusted, signed Windows binary by injecting its payload into one of them. In the example below, threat intelligence analysts should note that it is the RegSvcs.exe process that is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla is stealing personal information, you can identify it by its behavior. Examine the indicators of the suspicious process (most often an injected RegAsm.exe): if the "Process details" section shows the indicator "Actions look like stealing of personal data", you are probably dealing with Agent Tesla. Clicking the indicator shows what information the malware stole; use the left and right arrows in the window that opens to page through it.
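
The process chain and the behavioral check described above, as an added example that is not ANY.RUN's own detection logic: the Python script below walks constructed Sysmon-style process and network events and scores every RegAsm.exe/RegSvcs.exe process on the traits the page describes, a missing assembly argument (a legitimate RegAsm run registers a DLL), a parent launched from a user-writable directory such as %temp%, an Office application further up the chain, and an outbound SMTP or FTP connection. The events, paths, pids and addresses are constructed, including a benign Visual Studio build chain that must not fire.

```python
import re

PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}   # .NET utilities the page names
EXFIL_PORTS = {25, 465, 587, 21}                 # SMTP, SMTPS, submission, FTP
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Last path component, lower-cased; handles Windows paths on any OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(image, cmdline):
    """Everything on the command line after the executable itself."""
    base = basename(image)
    idx = cmdline.lower().find(base)
    rest = cmdline[idx + len(base):] if idx >= 0 else cmdline
    return rest.lstrip('" ').strip()


def analyze(events):
    """Score each RegAsm/RegSvcs process; report those with >= 2 reasons."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net = {}
    for e in events:
        if e["type"] == "network":
            net.setdefault(e["pid"], []).append(e["dport"])

    findings = []
    for pid, proc in procs.items():
        if basename(proc["image"]) not in PROXY_BINARIES:
            continue
        reasons = []
        # Legitimate use registers an assembly: RegAsm.exe <something>.dll
        if not re.search(r"\.(dll|exe)\b", arguments(proc["image"], proc["cmdline"]), re.I):
            reasons.append("no assembly argument (payload injected into host process)")
        parent = procs.get(proc["ppid"])
        if parent and any(m in parent["image"].lower() for m in USER_WRITABLE):
            reasons.append("parent runs from a user-writable directory")
        # Walk the ancestry: the chain on this page starts at a Word document.
        seen, cur = set(), parent
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            if basename(cur["image"]) in OFFICE_APPS:
                reasons.append("descends from an Office application")
                break
            cur = procs.get(cur["ppid"])
        if any(p in EXFIL_PORTS for p in net.get(pid, [])):
            reasons.append("outbound SMTP/FTP connection")
        if len(reasons) >= 2:
            findings.append({"pid": pid, "image": proc["image"],
                             "score": len(reasons), "reasons": reasons})
    return findings


# Constructed Sysmon-style events (not from the page's sandbox session):
# one infection chain (pids 4000-4200) and one benign build-time use (5000-5100).
EVENTS = [
    {"type": "process", "pid": 4000, "ppid": 700,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docx"'},
    {"type": "process", "pid": 4100, "ppid": 4000,
     "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"type": "process", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "network", "pid": 4200, "dst": "198.51.100.7", "dport": 587},
    {"type": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'},
    {"type": "process", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\build\MyLib.dll" /codebase'},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding["pid"], finding["score"], "; ".join(finding["reasons"]))
```

The two-reason threshold is the practical part: RegAsm.exe with no arguments is odd on its own, but it is the combination with a %temp% parent or an SMTP connection that separates an injected host process from a build server.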

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla often sends its stolen data without encryption, so with ANY.RUN's "Network Stream" view analysts can see exactly what the malware exfiltrated. Open the "Connections" tab in the lower part of the task window and click the connection that sent data. It is not unusual to find the attacker's own SMTP credentials in that stream, because the malware has to authenticate to the mail server it uses for exfiltration.
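
As an added example (not part of the page and not ANY.RUN's own code), the following Python parser reconstructs an unencrypted SMTP exfiltration session of the kind seen in the network stream. It recovers the attacker's mailbox credentials from the AUTH LOGIN exchange (the base64 challenge/response the stealer uses to log in to the mail server) and from the single-line AUTH PLAIN form, plus the envelope, the headers and the stolen data in the message body. The session text, hostnames, addresses and credentials are all constructed.

```python
import base64


def _b64(token):
    """Decode a base64 token; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return token


def parse_smtp_stream(stream):
    """Extract authentication, envelope and message from a plaintext SMTP
    session. Lines are prefixed 'S:' (server) or 'C:' (client); only the
    client side carries the attacker's credentials and the exfiltrated data."""
    out = {"auth": None, "username": None, "password": None,
           "mail_from": None, "rcpt_to": [], "headers": {}, "body": []}
    pending = None                    # next client line is "user"/"pass"/"plain"
    in_data = headers_done = False
    for raw in stream.splitlines():
        who, _, line = raw.partition(":")
        if who != "C":
            continue
        line = line[1:] if line.startswith(" ") else line
        if in_data:                   # message until a lone "."
            if line == ".":
                in_data = False
            elif not headers_done:
                if line == "":
                    headers_done = True
                else:
                    key, _, value = line.partition(":")
                    out["headers"][key.strip()] = value.strip()
            else:
                out["body"].append(line)
            continue
        if pending == "user":
            out["username"], pending = _b64(line), "pass"
            continue
        if pending == "pass":
            out["password"], pending = _b64(line), None
            continue
        if pending == "plain":        # authzid \0 authcid \0 password
            _, out["username"], out["password"] = _b64(line).split("\0")
            pending = None
            continue
        upper = line.upper()
        if upper.startswith("AUTH LOGIN"):
            out["auth"] = "LOGIN"
            parts = line.split()
            if len(parts) > 2:        # initial-response form carries the user
                out["username"], pending = _b64(parts[2]), "pass"
            else:
                pending = "user"
        elif upper.startswith("AUTH PLAIN"):
            out["auth"] = "PLAIN"
            parts = line.split()
            if len(parts) > 2:
                _, out["username"], out["password"] = _b64(parts[2]).split("\0")
            else:
                pending = "plain"
        elif upper.startswith("MAIL FROM:"):
            out["mail_from"] = line[10:].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            out["rcpt_to"].append(line[8:].strip().strip("<>"))
        elif upper == "DATA":
            in_data, headers_done = True, False
    return out


# Constructed session (not a real capture). The stolen data travels in the
# message body; the attacker's mailbox credentials go over AUTH LOGIN in base64.
SAMPLE_STREAM = """\
S: 220 mail.example.net ESMTP ready
C: EHLO DESKTOP-VICTIM
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZXhmaWxAZXhhbXBsZS5uZXQ=
S: 334 UGFzc3dvcmQ6
C: UEBzc3cwcmQhMjAyNQ==
S: 235 Authentication succeeded
C: MAIL FROM:<exfil@example.net>
C: RCPT TO:<drop@example.net>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: PW_bob/DESKTOP-VICTIM
C:
C: URL: https://webmail.example.org
C: Username: bob@example.org
C: Password: hunter2
C: .
S: 250 Queued
C: QUIT
"""

# The same credentials in AUTH PLAIN's one-line form, encoded here so it is exact.
SAMPLE_STREAM_PLAIN = "C: AUTH PLAIN " + base64.b64encode(
    b"\0exfil@example.net\0P@ssw0rd!2025").decode() + "\nC: QUIT\n"
```

The recovered username and password are the attacker's mailbox, not the victim's; they are worth reporting to the mail provider, and the RCPT TO address and the Subject pattern make good pivots for hunting other infections that report to the same drop box.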

Figure 3: Agent Tesla's network stream without encryption

Gathering threat intelligence on Agent Tesla malware

To collect up-to-date intelligence on Agent Tesla, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Agent Tesla.

Search results for Agent Tesla in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators such as hash values or network connections. A query such as threatName:"agenttesla" AND domainName:"" returns files, events, domain names, and other data extracted from Agent Tesla samples, together with the sandbox sessions they came from, which you can open to study the malware's behavior in detail.

Conclusion

According to threat intelligence reports, Agent Tesla has been used by more than 6,300 customers since its creation, and its popularity continues to rise. The upward trend is, of course, supported by an ease of use that lets even novice attackers set up campaigns.

The company-like service provided by its creators also plays a significant role. For incident response and threat intelligence teams, the danger of Agent Tesla lies not only in the fact that almost anybody can use it, but also in its ability to open the door to more destructive malware. Interactive analysis services such as ANY.RUN allow professionals to examine its behavior in detail and set up appropriate defenses.
