AgentTesla

Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.

  • Type: Trojan
  • Origin: Likely Turkey
  • First seen: 1 January, 2014
  • Last seen: 22 November, 2019

What is Agent Tesla?

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the “official” website where the attackers sell the malware, as well as on a dedicated Discord server. Despite the claims that the software is legitimate, the support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written using the .NET framework. It is aimed at stealing personal data and transmitting it back to a C2 server. The malware is able to access information from web browsers, email clients and FTP servers.

In addition, Agent Tesla malware is able to capture screenshots and videos. It can also record clipboard contents and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel, which allows even a non-technically savvy attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

The malware comes equipped with multiple persistence mechanisms that help it evade antivirus detection; as a result, it resumes operation automatically after a system reboot. It is also able to terminate Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of ANY.RUN allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox simulation. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla

Agent Tesla malware is not easy to detect. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, be careful when downloading attachments from emails sent by unknown senders.

Distribution of Agent Tesla

The malware is distributed mainly via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a malicious document is automatically downloaded to the victim’s PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself in the “%temp%” folder and then executes automatically. Email campaigns usually target individuals working in various industries, and the topics of the malicious emails can be extremely diverse.

Agent Tesla execution process

The Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or an exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. In the given example, the RegSvcs.exe process is the one stealing the personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of the Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, take a look at the indicators of a malicious process (most often an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also view what information the malware has stolen by clicking on the indicator, and navigate through it with the right and left arrows in the window that appears.
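The execution chain above (Office document, dropped executable in %temp%, then RegSvcs.exe/RegAsm.exe as the proxy for the stealing code) can be turned into a simple process-tree check. The function below is an added example written for this page, not ANY.RUN's detection logic; the process events, pids and paths are constructed sample data.

```python
import ntpath

# Constructed process events (pid, ppid, image path) modelled on the chain in
# the text: Office document -> dropped executable in %temp% -> RegSvcs/RegAsm.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (300, 200, r"C:\Users\victim\AppData\Local\Temp\invoice.exe"),
    (400, 300, r"C:\Users\victim\AppData\Local\Temp\invoice.exe"),
    (500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    (600, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),  # no Office ancestor
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROXY_UTILS = {"regsvcs.exe", "regasm.exe"}

def _name(path):
    return ntpath.basename(path).lower()

def _in_temp(path):
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p

def find_proxy_exec_chains(events):
    """Return (office_pid, dropper_pid, proxy_pid) for every RegSvcs/RegAsm
    process whose nearest temp-folder ancestor itself descends from an
    Office application. Parents are walked up to the root of the tree."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in events}
    hits = []
    for pid, (ppid, path) in by_pid.items():
        if _name(path) not in PROXY_UTILS:
            continue
        dropper = office = None
        cur, seen = ppid, {pid}
        while cur in by_pid and cur not in seen:   # stop at the root or on a cycle
            seen.add(cur)
            p_ppid, p_path = by_pid[cur]
            if dropper is None and _in_temp(p_path):
                dropper = cur
            elif dropper is not None and _name(p_path) in OFFICE_APPS:
                office = cur
                break
            cur = p_ppid
        if dropper is not None and office is not None:
            hits.append((office, dropper, pid))
    return hits
```

Real telemetry (Sysmon event 1, EDR process events) supplies the same three fields, so the check applies unchanged to a live process tree.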

How to get more info from the analysis of Agent Tesla malware using ANY.RUN?

Agent Tesla's packet encryption often fails, and with ANY.RUN's "Network Stream" feature analysts can take a look at what data the malware stole. To do so, open the "Connections" tab in the lower part of the task's window and simply click on the connection that sent data. It is not unusual to find even the attacker’s SMTP credentials in this information.

Figure 2: Agent Tesla’s Network stream without encryption
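When the stream is unencrypted, the SMTP session exposes the exfiltration mailbox, the AUTH LOGIN credentials (base64, as the protocol prescribes) and the stolen data itself. The parser below is an added example for this page, not a feature of ANY.RUN; the capture, host, account and password are constructed placeholders.

```python
import base64
import re

# Constructed capture: client lines "C:", server lines "S:"; AUTH LOGIN values are base64.
_USER_B64 = base64.b64encode(b"logs@example.invalid").decode()
_PASS_B64 = base64.b64encode(b"PlaceholderPass123").decode()
SAMPLE_STREAM = f"""S: 220 mail.example.invalid ESMTP
S: 334 VXNlcm5hbWU6
C: {_USER_B64}
S: 334 UGFzc3dvcmQ6
C: {_PASS_B64}
C: MAIL FROM:<logs@example.invalid>
C: RCPT TO:<logs@example.invalid>
C: DATA
C: Subject: Passwords from VICTIM-PC
C:
C: Username: victim@example.invalid
C: Password: hunter2
C: .
"""

def parse_smtp_exfil(stream):
    """Return the SMTP server, decoded AUTH LOGIN credentials, envelope
    addresses and the lines of the exfiltrated message."""
    r = {"server": None, "username": None, "password": None,
         "mail_from": None, "rcpt_to": None, "message": []}
    expect, in_data = None, False
    for raw in stream.splitlines():
        side, _, line = raw.partition(":")
        line = line.strip()
        if side == "S":
            if line.startswith("220 "):
                r["server"] = line.split()[1]
            elif line.startswith("334 "):   # prompt is b64("Username:") or b64("Password:")
                expect = base64.b64decode(line[4:]).decode().rstrip(":").lower()
        elif expect:                        # client answers the prompt in base64
            r[expect] = base64.b64decode(line).decode(errors="replace")
            expect = None
        elif in_data:
            if line == ".":
                in_data = False
            elif line:
                r["message"].append(line)
        else:
            m = re.match(r"(MAIL FROM|RCPT TO):<([^>]*)>", line, re.I)
            if m:
                r[m.group(1).lower().replace(" ", "_")] = m.group(2)
            in_data = line.upper() == "DATA"
    return r
```

The decoded message lines tell you which victim accounts need to be reset, and the server and recipient give the destination to block and report.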

Conclusion

According to available information, Agent Tesla has been used by over 6,300 customers since its creation. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

A company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla lies not only in the fact that it can be used by almost anybody, but also in its ability to open the door to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

IOCs

