Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 19 February, 2020
Global rank: 2
Week rank: 2
Month rank: 2
IOCs: 5390

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers use it to spy on victims, seeing everything typed into supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger for personal use, Agent Tesla has become extremely popular in the criminal community, not least because of its ease of use and the technical support offered on the "official" sales site and on a dedicated Discord server. Despite the claims of legitimacy, the support staff advise buyers on using the malware illegally. Agent Tesla is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written on the .NET framework. It is aimed at stealing personal data and transmitting it to a command-and-control (C2) server. The malware can harvest saved credentials from web browsers, email clients and FTP clients.

In addition, Agent Tesla can capture screenshots and video, and it records clipboard contents and form values. The malware was sold on agenttesla-dot-com for as little as $15, though depending on the options requested the package price could easily reach roughly $70.

Uniquely, the malware's creators built a kind of ecosystem around the program, providing 24/7 customer support and pre-packaged purchase plans with options tailored to different budgets and goals. The malware ships with a dedicated builder that has a simple control panel, letting even a non-technical attacker package the payload into a malicious document. After 2015 the control panel was expanded with extensive automation features, allowing the attacker to take screenshots or remotely activate the webcam on a victim's PC at set intervals.

The malware comes with multiple persistence mechanisms, so it resumes operation automatically after a system reboot, and with evasion features that help it avoid antivirus detection: it can terminate Windows processes to stay hidden.

Malware analysis of Agent Tesla

ANY.RUN's interactivity allows tracking activities in real time and watching Agent Tesla in action in a controlled, safe environment with full access to the sandbox session. A video recorded by ANY.RUN lets us take a closer look at the lifecycle of this malware.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla is not easy to detect. The most robust way to stay safe is to be cautious when opening suspicious emails or visiting unknown links, and above all not to open attachments in emails from unknown senders.

Distribution of Agent Tesla

The malware is distributed mostly via spam email campaigns, usually as a malicious document attached to the email or as a malicious link; visiting such a link downloads a malicious document to the victim's PC.

If opened, the document triggers the download of the actual payload. The spyware saves itself in the %temp% folder and then executes automatically. Email campaigns target individuals across many industries, and the lure topics are extremely diverse.

Agent Tesla execution process

Agent Tesla is mostly spread via Microsoft Word documents containing an embedded executable or an exploit. Once the document is opened, an executable is downloaded and renamed. The downloaded file runs and creates a child process, which in turn can create another child process.

The malware can use RegSvcs.exe and RegAsm.exe, the .NET services installation and assembly registration tools, to proxy code execution through a trusted, signed Windows utility. In the example below, the RegSvcs.exe process is the one stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla is stealing personal information, you can identify it by its behaviour. Look at the indicators of a malicious process (most often an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with Agent Tesla. You can also view what the malware has stolen by clicking on the indicator and navigating with the left and right arrows in the window that appears.
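One way to turn the delivery chain and process tree described above (an Office document dropping an executable into %temp%, that dropper spawning RegSvcs.exe or RegAsm.exe, and the proxy process then sending data out) into detection logic, as an added example that is not ANY.RUN's or the malware author's code: three behavioural rules run over a constructed, Sysmon-like event log. The event field names, the rule names and the paths are assumptions of this example, and the IP addresses are documentation addresses, not indicators.

```python
"""Behavioural triage for the Agent Tesla delivery chain: an Office app drops
and runs an executable from a user-writable path, the dropper spawns
RegSvcs.exe / RegAsm.exe to proxy execution, and that process then talks to
a mail or FTP port.

Added example, not ANY.RUN's or the malware author's code. EVENTS is a
constructed, Sysmon-like log; its field names (type, pid, image,
parent_image, dest_ip, dest_port) are an assumption, not a real schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}   # MITRE ATT&CK T1218.009
EXFIL_PORTS = {25, 465, 587, 21}                  # SMTP, SMTPS, submission, FTP
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\")

# Constructed sample log (not captured data): a malicious chain plus benign noise.
EVENTS = [
    {"type": "process_create", "pid": 1200,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 1300,
     "image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process_create", "pid": 1400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe"},
    {"type": "network_connect", "pid": 1400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "dest_ip": "203.0.113.10", "dest_port": 587},
    # Benign noise: a browser on HTTPS, and RegAsm run legitimately by MSBuild.
    {"type": "network_connect", "pid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},
    {"type": "process_create", "pid": 1500,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    """True if the path sits in a location an unprivileged user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(events):
    """Apply the three rules and return one Finding per hit, in log order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            child, parent = _name(ev["image"]), _name(ev["parent_image"])
            # Rule 1: an Office application starts an executable from %TEMP% / AppData.
            if parent in OFFICE_APPS and _user_writable(ev["image"]):
                findings.append(Finding(ev["pid"], "office_drops_exe",
                                        f"{parent} started {child} from a user-writable path"))
            # Rule 2: RegSvcs/RegAsm launched by something living in a user-writable path.
            if child in PROXY_BINARIES and _user_writable(ev["parent_image"]):
                findings.append(Finding(ev["pid"], "proxy_exec_from_dropper",
                                        f"{child} started by {parent} from a user-writable path"))
        elif ev["type"] == "network_connect":
            image = _name(ev["image"])
            # Rule 3: the proxy binary itself talks to a mail or FTP port.
            if image in PROXY_BINARIES and ev["dest_port"] in EXFIL_PORTS:
                findings.append(Finding(ev["pid"], "proxy_exfil_connection",
                                        f"{image} connected to {ev['dest_ip']}:{ev['dest_port']}"))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(f"pid {finding.pid}: [{finding.rule}] {finding.detail}")
```

Rule 2 deliberately keys on the parent's location rather than on a list of "known good" parents: RegAsm.exe and RegSvcs.exe are normally started by developer tooling installed under Program Files, so a parent under %temp% or AppData is the anomaly worth surfacing.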

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla's exfiltration traffic often goes out unencrypted, so with ANY.RUN's "Network Stream" view analysts can see exactly what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent the data. It is not unusual to find the attacker's SMTP credentials in that stream.

Figure 3: Agent Tesla's network stream without encryption
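What an analyst does with such a plaintext stream, as an added example that is not ANY.RUN's or the malware author's code: walk the client side of the SMTP session, base64-decode the AUTH LOGIN (or AUTH PLAIN) tokens to recover the attacker's mailbox credentials, and pull the harvested fields out of the message body. The session below is constructed: the server name, mailbox, passwords and victim details are placeholders, and the "Key: value<br>" body layout only loosely mimics the malware's report format.

```python
"""Recover the attacker's mailbox credentials and the exfiltrated data from a
plaintext Agent Tesla SMTP session, as seen in a sandbox network-stream view.

Added example, not ANY.RUN's or the malware author's code. SAMPLE_STREAM is
constructed for this example; nothing in it is a real indicator.
"""
import base64

# Constructed session: "S:" lines are the server, "C:" lines are the client.
SAMPLE_STREAM = """\
S: 220 mail.example.invalid ESMTP
C: EHLO DESKTOP-VICTIM
S: 250-mail.example.invalid
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZHJvcEBleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: UzNjcjN0UGFzcw==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<drop@example.invalid>
S: 250 OK
C: RCPT TO:<drop@example.invalid>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: drop@example.invalid
C: To: drop@example.invalid
C: Subject: PW_victim/DESKTOP-VICTIM
C:
C: Time: 02/19/2020 10:15:00<br>User Name: victim<br>Computer Name: DESKTOP-VICTIM<br>
C: URL: https://webmail.example.invalid<br>Username: victim@example.invalid<br>Password: hunter2<br>
C: .
S: 250 OK queued
"""


def _b64(token: str) -> str:
    """Decode a base64 SMTP auth token; return it untouched if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token


def parse_smtp_stream(stream: str) -> dict:
    """Walk the client half of the session ("C:" lines) as a small state machine.

    AUTH LOGIN: the next two client lines are the base64 username and password.
    AUTH PLAIN <token>: one base64 token of the form "\\0user\\0pass".
    DATA: headers up to the first blank line, then body lines up to a lone ".".
    """
    out = {"smtp_user": None, "smtp_pass": None, "subject": None, "body": []}
    state, pending = "cmd", []
    for raw in stream.splitlines():
        if not raw.startswith("C:"):
            continue
        line = raw[2:].strip()
        upper = line.upper()
        if state == "cmd":
            if upper == "AUTH LOGIN":
                state = "auth"
            elif upper.startswith("AUTH PLAIN "):
                parts = _b64(line.split(None, 2)[2]).split("\0")
                if len(parts) == 3:
                    out["smtp_user"], out["smtp_pass"] = parts[1], parts[2]
            elif upper == "DATA":
                state = "headers"
        elif state == "auth":
            pending.append(_b64(line))
            if len(pending) == 2:
                out["smtp_user"], out["smtp_pass"] = pending
                state, pending = "cmd", []
        elif state == "headers":
            if line == "":
                state = "body"
            elif line.lower().startswith("subject:"):
                out["subject"] = line.split(":", 1)[1].strip()
        elif state == "body":
            if line == ".":
                state = "cmd"
            else:
                out["body"].append(line)
    return out


def stolen_fields(body_lines) -> dict:
    """Turn a "Key: value<br>" report body into a dict of harvested fields."""
    fields = {}
    for chunk in "".join(body_lines).split("<br>"):
        if ": " in chunk:
            key, value = chunk.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def analyse(stream: str = SAMPLE_STREAM) -> dict:
    """Credentials, subject and harvested fields for one captured session."""
    session = parse_smtp_stream(stream)
    session["stolen"] = stolen_fields(session.pop("body"))
    return session


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The SMTP username and password recovered this way are the attacker's drop mailbox, which is why the page notes you can find the attacker's own credentials in the stream; the fields under "stolen" are the victim's data. If the session had negotiated STARTTLS before AUTH, none of this would be visible and the parser would return only None values.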

Conclusion

According to available information, Agent Tesla has been used by over 6,300 customers since its creation, and its popularity continues to rise. The upward trend is of course supported by its ease of use, which allows even novice attackers to set up campaigns.

The company-like service provided by the malware's creators also plays a significant role. The danger of Agent Tesla lies not only in the fact that almost anybody can use it, but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate defenses.

IOCs

IP addresses
67.225.141.8
5.23.50.121
54.72.9.51
204.11.56.48
34.192.250.175
78.142.19.111
34.236.80.17
162.251.80.24
185.93.71.204
139.162.57.218
208.79.232.22
89.252.183.112
198.96.95.42
217.70.178.3
78.142.19.101
158.69.249.21
198.54.115.208
199.188.206.58
103.14.20.94
198.54.125.159
Hashes
a52b0be713fd35bad7dd17a68aca2d28c20ec902a0abd2865ac07c81898885e3
1f3b2ec3c8c69a1642a7cdade578cda68fc0da8407c71b9e8e37b712e4638be9
df852399151c0d36dd18bee5ddf7cfd3e82219355aac1f27264cfca90bfc1b66
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
43e29456ff581972032c55ee1eb3481fec75446a05797908b249de98444b5bcd
8d58d63ee8e16d6c0f5be2cf7d408875da25201cb5c85a7a7794082d5f1dd26c
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
7d4652e67d9adeb11a0a13deebd16a0d3dc458a0d655e0f85b51624ebc45ba9c
5e75de4e4cccdbb0b4d4164929002ea7e5a9ec7ff637004f5a6b6a74b2cc3905
63e2ce5555c4eb7ad5d3fd2e7b42c9714d3bfd85b2c8ec97121fe1d89cce80f9
28083f9a66e78d3d541dcdd90a516f7ec54f72cb503f9dec60f542f6442d618c
87df21184be867b7114a0ff11640a505a240516eaae44a8bc544904064aaab8d
ee51c127326dc6d3f51052a441d0e1e471b4e85a814bf7510955915dc50531bc
159cda985fc73e60b58d348d2462a01decb0f85ec9ed79e6e2b8ee48cf2deb50
9a1eb352ca7064bbed8b246eeed72bf1fbe0f3c3c52dc7444d80966718613254
fecb4a27ed1019c7bd4558aaab76f4fd4090c561608d342b1cad7e405b7ab443
29f6b06c8ead956e034a653f0b8a0cd7221424ff9a4d52d55bddf985b153afe1
7299eb6e11c8704e7cb18f57879550cdd88ef7b2ae8cba031b795bc5d92ce8e3
06cc70f8ea9430ec51ffd68afdc3ad4e1bba66052f61bc575a3b865cf1b430be
68a95c25f32d66d70dfc10c28a77a1a57795611728f54e7fb4ee92ec27642706
Domains
mail.flyxpo.com
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
premium38.timeweb.ru
wgifts.ru
ce13854.tmweb.ru
cl00548.tmweb.ru
cv92493.tmweb.ru
cm59049.tmweb.ru
cy88592.tmweb.ru
cs29106.tmweb.ru
cp12772.tmweb.ru
cu26865.tmweb.ru
ck48994.tmweb.ru
cr55019.tmweb.ru
cx34878.tmweb.ru
cl35302.tmweb.ru
