Agent Tesla


Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 3 June, 2023

How to analyze Agent Tesla with ANY.RUN


IOCs



What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers use it to spy on victims and see everything typed into supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger for personal use, Agent Tesla has become extremely popular in the hacker community, not least because of its ease of use and the tech support available both on the "official" website where the malware is sold and on a dedicated Discord server. Despite the claims of legitimacy, the support staff give advice on using the malware illegally. Agent Tesla is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is built on the .NET framework. It is aimed at stealing personal data and transmitting it back to the C2 server, and it can access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla can capture screenshots and video, and it records clipboard contents and form values. The malware was distributed via agenttesla-dot-com, where attackers could purchase it for as little as $15; depending on the requested options, the package price could easily reach roughly $70.

Unusually, the malware's creators have set up a kind of ecosystem around the program, providing 24/7 customer support and ready-made purchase plans with options tailored to different budgets and goals. The malware ships with a dedicated builder and a simple control panel, which lets even a non-technical attacker pack the payload into a malicious document. Since 2015 the control panel has been expanded with extensive automation features, allowing the attacker to capture screenshots automatically or remotely activate the webcam on a victim's PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection: it resumes operation automatically after a system reboot, and it can terminate Windows processes to stay hidden.


Malware analysis of Agent Tesla

ANY.RUN's interactive service allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full access to the sandbox. A video recorded by ANY.RUN gives a closer look at the lifecycle of this malware. You can also analyze fresh samples and IOCs from our threat intelligence feed in the public submissions.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla is not easy to identify. The most robust way to stay safe is to be cautious when opening suspicious emails or visiting unknown links. Above all, be careful with email attachments from unknown senders and try to recognize scams.

Distribution of Agent Tesla

The malware is distributed at scale via spam email campaigns, much like Vidar or IcedID. It is usually delivered to victims in malicious documents or via malicious web links; visiting such a link automatically downloads a malicious document to the victim's PC.

If opened, the document triggers the download of the actual payload. The spyware saves itself in the "%temp%" folder and then executes automatically. Email campaigns usually target individuals working across different industries, and the email lures can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable or an exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware can use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. Research and threat intelligence teams should note that, in the given example, the RegSvcs.exe process is the one stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla is stealing personal information, you can identify it by its behavioral activity. To do so, inspect the indicators of the malicious process (most often an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with Agent Tesla. You can also see what information the malware has stolen by clicking on the indicator and navigating with the left and right arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

Often the encryption of Agent Tesla's network traffic fails, and with ANY.RUN's "Network Stream" analysts can see what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent data. It is not unusual to find even the attacker's SMTP credentials in this stream.

Figure 2: Agent Tesla's network stream without encryption
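A defender-side triage routine, added here as an example and not part of the original page or ANY.RUN's tooling, that turns the behavioral clues from the execution and network sections into a check: it walks a constructed process tree for RegAsm.exe or RegSvcs.exe instances started beneath an Office application or a %temp%-resident executable, and flags any outbound (especially SMTP) connection from them. The event model, the sample paths and the 198.51.100.20 address are constructed assumptions, not data from the page.

```python
import re
from collections import namedtuple

# Constructed telemetry model (not ANY.RUN's own format): process starts and outbound connections.
Proc = namedtuple("Proc", "pid ppid image")
Conn = namedtuple("Conn", "pid dst_ip dst_port")
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}   # trusted .NET utilities Agent Tesla executes through
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
MAIL_PORTS = {25, 465, 587}                        # stolen data is often sent over SMTP

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(pid, procs):
    # Walk up the process tree, nearest parent first; stops at a missing parent or a cycle.
    by_pid, seen = {p.pid: p for p in procs}, set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        yield by_pid[pid]

def triage(procs, conns):
    # Return {pid: [reasons]} for RegAsm/RegSvcs instances that look like proxied stealer execution.
    findings = {}
    for p in (p for p in procs if basename(p.image) in PROXY_BINARIES):
        reasons = []
        for a in ancestors(p.pid, procs):
            if TEMP_DIR.search(a.image):
                reasons.append(f"ancestor {basename(a.image)} runs from a temp folder")
            if basename(a.image) in OFFICE_APPS:
                reasons.append(f"launched under Office application {basename(a.image)}")
        for c in conns:
            if c.pid == p.pid:   # these utilities have no legitimate reason to talk to the network
                tag = "SMTP" if c.dst_port in MAIL_PORTS else "network"
                reasons.append(f"{tag} connection to {c.dst_ip}:{c.dst_port}")
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed sample: Word opens a dropped temp executable, which starts RegAsm.exe that then
# connects to a mail server; a second RegAsm.exe under Visual Studio is a benign build step.
SAMPLE_PROCS = [
    Proc(1200, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(1340, 1200, r"C:\Users\victim\AppData\Local\Temp\invoice.exe"),
    Proc(1388, 1340, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    Proc(2000, 800, r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    Proc(2100, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]
SAMPLE_CONNS = [Conn(1388, "198.51.100.20", 587)]   # TEST-NET-2 placeholder address
```

Running `triage(SAMPLE_PROCS, SAMPLE_CONNS)` reports only pid 1388, with three reasons, while the build-step RegAsm.exe produces no finding.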

Conclusion

According to threat intelligence reports, Agent Tesla has been used by over 6,300 customers since its creation. Unfortunately, its popularity continues to rise. The upward trend is, of course, supported by the ease of use that allows even novice attackers to set up attacks.

The company-like service provided by the malware's creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that almost anybody can use it but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

