Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 5 October, 2022
Global rank: 3
Week rank: 2
Month rank: 2
IOCs: 50098

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, seeing everything that has been typed in supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the “official” website where the attackers sell this malware, as well as on the dedicated Discord server. Despite the claims that the software is legitimate, support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is built on the .NET software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla malware can capture screenshots and videos. It can also record clipboard information and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored for different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel, which allows even a non-technical attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. It is also able to turn off Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows tracking activities in real time and watching Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox simulation. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in our threat intelligence feed in the public submissions.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to identify. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, one must be careful about downloading attachments in emails from unknown senders and try to identify scams.

Distribution of Agent Tesla

Like Vidar or IcedID, the malware is distributed at large via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a contaminated document will be automatically downloaded to a victim’s PC.

If opened, the document will trigger the download of the actual virus. The spyware saves itself in the “%temp%” folder and then automatically executes. Email campaigns usually target individuals working in different industries. Topics of malicious emails can be extremely diverse.

Agent Tesla execution process

The Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. Research and threat intelligence teams should note that in the given example, the RegSvcs.exe process is the one stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of the Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, analyze the indicators of a malicious process (most often it's an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also see what information the malware has stolen by clicking on the indicator, and navigate through it by clicking the right and left arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla's encryption of its packets is often unsuccessful, and with the ANY.RUN service's "Network Stream", analysts can take a look at what data this malware stole. To do so, open the "Connections" tab in the lower part of the task's window and click on the connection that sent data. It is not unusual to find even the attacker’s SMTP credentials in this information.

Figure 2: Agent Tesla’s Network stream without encryption
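The behavioral pattern described above (a Word document leading to an executable in %temp%, which hands off to RegSvcs.exe or RegAsm.exe, which then sends SMTP traffic) can be checked over process and network telemetry. The following is an added example, not ANY.RUN's detection logic; the event field names, the sample events, the %temp% path expansion and the SMTP port list are assumptions made for illustration.

```python
import ntpath

# Constructed sample telemetry (not taken from a real task). Field names are
# hypothetical: "proc" = process creation, "net" = outbound connection.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "net", "pid": 300, "dport": 587},
    # Benign control: RegAsm.exe started outside the chain, no SMTP traffic.
    {"type": "proc", "pid": 400, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]

PROXY_BINARIES = {"regsvcs.exe", "regasm.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"   # assumed expansion of %temp%
SMTP_PORTS = {25, 465, 587}                # standard SMTP/submission ports

def name(path):
    return ntpath.basename(path).lower()

def ancestors(pid, procs):
    """Return image paths of the parent chain, nearest parent first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against PID loops
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            chain.append(procs[pid]["image"])
    return chain

def find_suspicious(events):
    """Flag RegSvcs/RegAsm processes that match any of the three behaviors."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    smtp_pids = {e["pid"] for e in events if e["type"] == "net" and e["dport"] in SMTP_PORTS}
    findings = []
    for pid, proc in procs.items():
        if name(proc["image"]) not in PROXY_BINARIES:
            continue
        chain = ancestors(pid, procs)
        reasons = []
        if any(TEMP_MARKER in a.lower() for a in chain):
            reasons.append("ancestor runs from %temp%")
        if any(name(a) == "winword.exe" for a in chain):
            reasons.append("descends from Word")
        if pid in smtp_pids:
            reasons.append("sends SMTP traffic")
        if reasons:
            findings.append((pid, name(proc["image"]), reasons))
    return findings
```

Calling `find_suspicious(EVENTS)` flags only the RegSvcs.exe process in the constructed chain; the standalone RegAsm.exe entry shows that the utility's presence alone is not treated as an indicator.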

Conclusion

According to threat intelligence reports, since its creation, the Agent Tesla trojan has been used by over 6,300 customers. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that it can be used by almost anybody but also in its ability to open doors to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

