Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 18 January, 2020
Global rank: 2
Week rank: 2
Month rank: 2
IOCs: 4999

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, allowing them to see everything that has been typed in supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the "official" website where the attackers sell the malware, as well as on a dedicated Discord server. Despite the claims that the software is legitimate, the support staff gives advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written on the .NET framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients and FTP clients.

In addition, Agent Tesla malware is able to capture screenshots and videos. It can also record clipboard contents and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as ready-made purchase plans that include various options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technically savvy attacker to pack the payload into a malicious document. What's more, after 2015 the Agent Tesla control panel was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim's PC at set intervals.

The malware comes equipped with multiple persistence mechanisms that help it survive and avoid antivirus detection. As a result, it can resume operation automatically after a system reboot. It is also able to terminate Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of ANY.RUN allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to detect. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, one must be careful when downloading attachments from emails sent by unknown senders.

Distribution of Agent Tesla

The malware is mainly distributed via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a contaminated document is automatically downloaded to the victim's PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself in the %temp% folder and then executes automatically. Email campaigns usually target individuals working in a variety of industries, and the topics of the malicious emails can be extremely diverse.

Agent Tesla execution process

The Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or an exploit. Once the document is opened, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy its code execution through a trusted Windows utility. In the example shown, the RegSvcs.exe process is the one stealing the personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of the Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activity. To do so, take a look at the indicators of a malicious process (most often it is an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also view what information the malware has stolen by clicking on the indicator and navigating with the left and right arrows in the window that appears.
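As an added illustration (not code from ANY.RUN or this page), the detection idea above turned into a small checker: it walks a list of process-creation events and flags a RegAsm.exe or RegSvcs.exe whose ancestry contains an executable running from the %temp% folder underneath an Office application. The pid|ppid|image event format, the Temp path marker and all sample values are constructed assumptions.

```python
"""Spot the Agent Tesla execution chain described above in process-creation
events: an Office document spawns an executable from %temp%, which (possibly via
further children) proxies execution through RegAsm.exe or RegSvcs.exe."""
import ntpath

PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}   # trusted .NET utilities abused as proxies
OFFICE_APPS = {"winword.exe", "excel.exe"}       # document readers that start the chain
TEMP_MARKER = "\\temp\\"                         # assumption: how %temp% shows up in paths

# Constructed events in a hypothetical 'pid=..|ppid=..|image=..' log format
SAMPLE_EVENTS = """\
pid=100|ppid=1|image=C:\\Windows\\explorer.exe
pid=200|ppid=100|image=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE
pid=300|ppid=200|image=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe
pid=400|ppid=300|image=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe
pid=500|ppid=400|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
pid=600|ppid=100|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe
"""

def parse_events(text):
    """Turn the log text into a list of {'pid', 'ppid', 'image'} dicts."""
    return [dict(f.split("=", 1) for f in line.split("|"))
            for line in text.splitlines() if line.strip()]

def image_name(path):
    return ntpath.basename(path).lower()

def ancestors(pid, by_pid, limit=16):
    """The process itself followed by its known ancestors, nearest first."""
    chain = []
    while pid in by_pid and len(chain) < limit:   # limit guards against pid cycles
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_chains(events):
    """Return pid chains (child -> root) of RegAsm/RegSvcs processes whose ancestry
    holds an executable under %temp% with an Office application above it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) not in PROXY_BINARIES:
            continue
        chain = ancestors(e["pid"], by_pid)[1:]           # skip the proxy itself
        temp_idx = [i for i, a in enumerate(chain) if TEMP_MARKER in a["image"].lower()]
        office_idx = [i for i, a in enumerate(chain) if image_name(a["image"]) in OFFICE_APPS]
        if temp_idx and office_idx and min(temp_idx) < max(office_idx):
            hits.append([e["pid"]] + [a["pid"] for a in chain])
    return hits

if __name__ == "__main__":
    for chain in find_chains(parse_events(SAMPLE_EVENTS)):
        print("suspicious proxy execution chain (child -> root):", " -> ".join(chain))
```

The RegSvcs.exe started directly by explorer.exe (pid 600) is deliberately left unflagged, since a RegAsm/RegSvcs launch on its own is not evidence of this chain.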

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla often fails to encrypt its network traffic, so with ANY.RUN's "Network Stream" analysts can take a look at what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent the data. It is not unusual to find even the attacker's SMTP credentials in this information.
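An added example (not from ANY.RUN or this page) of what an analyst recovers from such an unencrypted stream: a parser for a plaintext SMTP session that decodes the AUTH LOGIN exchange and extracts the envelope addresses the sender used. The session text, server name and credentials below are constructed, not taken from a real capture.

```python
"""Read an unencrypted SMTP session the way an analyst would in a network-stream
view: recover the AUTH LOGIN credentials and the MAIL FROM / RCPT TO addresses."""
import base64

# Constructed plaintext session; 334 lines carry base64 "Username:" / "Password:"
SAMPLE_STREAM = """\
220 mail.example.test ESMTP
EHLO WIN-VICTIM
250-mail.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
ZXhmaWxAZXhhbXBsZS50ZXN0
334 UGFzc3dvcmQ6
UzNjcjN0UGFzcw==
235 2.7.0 Authentication successful
MAIL FROM:<exfil@example.test>
250 OK
RCPT TO:<drop@example.test>
250 OK
"""

def _b64(text):
    """Strictly decode base64 to text; None when the line is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_smtp_session(stream):
    """Return {'user', 'password', 'mail_from', 'rcpt_to'}; missing items stay None/[]."""
    out = {"user": None, "password": None, "mail_from": None, "rcpt_to": []}
    expect = None  # which AUTH LOGIN value the next client line should carry
    for line in (l.strip() for l in stream.splitlines() if l.strip()):
        upper = line.upper()
        if upper.startswith("334 "):                       # server challenge
            prompt = _b64(line[4:]) or ""
            expect = "user" if prompt.lower().startswith("username") else "password"
        elif expect and not upper[:3].isdigit():           # client answer to the challenge
            out[expect] = _b64(line)
            expect = None
        elif upper.startswith("MAIL FROM:"):
            out["mail_from"] = line.split(":", 1)[1].strip("<> ")
        elif upper.startswith("RCPT TO:"):
            out["rcpt_to"].append(line.split(":", 1)[1].strip("<> "))
    return out

if __name__ == "__main__":
    for key, value in parse_smtp_session(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Credentials recovered this way are indicators worth recording, since the same mailbox typically collects data from every victim of that campaign.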

Figure 3: Agent Tesla's network stream without encryption

Conclusion

According to available information, the Agent Tesla trojan has been used by over 6,300 customers since its creation. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use that allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla lies not only in the fact that almost anybody can use it but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

IOCs

