Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and other user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January 2014
Last seen: 23 October 2021
Global rank: 3
Week rank: 11
Month rank: 11
IOCs: 24913

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers use it to spy on victims: it records everything typed into supported programs and web browsers and sends the captured data back to the operator.

The Agent Tesla virus is marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, and it has become extremely popular in the hacker community. Much of that popularity comes from its ease of use and from the tech support offered on the "official" website where the attackers sell the malware, as well as on a dedicated Discord server. Despite the claims of legitimacy, the support staff give advice on using the virus illegally. Agent Tesla is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written in .NET. It is aimed at stealing personal data and transmitting it back to a command-and-control (C2) server. The malware can harvest saved credentials from web browsers, email clients, and FTP clients.

In addition, Agent Tesla can capture screenshots and video. It can also record clipboard contents and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. Depending on the requested options, however, the package price could easily reach roughly $70.

Unusually, the creators of the malware set up an ecosystem around the program, providing 24/7 customer support as well as prepackaged purchase plans with options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple control panel, which allows even a non-technical attacker to pack the payload into a malicious document. What's more, after 2015 the Agent Tesla control panel was extended with automation features that let the attacker capture screenshots or remotely activate the webcam on a victim's PC at set intervals.

Based on the analysis, the malware comes with multiple persistence mechanisms: it registers itself to run at startup, so it resumes operation automatically after a system reboot. Persistence and evasion are separate concerns; to stay hidden, the malware can also terminate selected Windows processes.

Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows analysts to track activity in real time and watch Agent Tesla in action in a controlled, safe environment with full live access to the sandbox session. A video recorded by ANY.RUN gives a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in our threat intelligence feed in the public submissions.

Figure 1: A lifecycle graph of the Agent Tesla execution generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla is not an easy malware to identify. The most robust way to stay safe is to be cautious when opening suspicious emails or visiting unknown links. Above all, be careful when downloading attachments from unknown senders, and learn to recognize scams.

Distribution of Agent Tesla

The malware is distributed at large via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a weaponized document is automatically downloaded to the victim's PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself in the "%temp%" folder and then executes automatically. Email campaigns usually target individuals working in a range of industries, and the lures used in the malicious emails are extremely diverse.

Agent Tesla execution process

The Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable or an exploit. Once the document is opened, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware can use RegSvcs.exe and RegAsm.exe to proxy its code execution through a trusted, Microsoft-signed Windows utility (the .NET Services Installation Tool and Assembly Registration Tool). Research and threat intelligence teams should note that in the given example it is the RegSvcs.exe process that is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla is stealing personal information, you can identify it by its behavioral activity. To do so, look at the indicators of the malicious process (most often an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also see what information the malware has stolen by clicking on the indicator and navigating with the right and left arrows in the window that appears.
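The proxy-execution and process-tree behaviour described above can be turned into a detection. The following is an added example, not code from the original page or from ANY.RUN: it scores process-creation events over constructed, Sysmon-like records (not real telemetry). The criteria are assumptions for the example: a RegAsm.exe or RegSvcs.exe launched by an Office application or by an executable in %TEMP%/Downloads, with no assembly argument on its command line, or with an outbound network connection, is the injection pattern; a build tool registering a real assembly is the benign baseline.

```python
"""Flag Agent Tesla-style proxy execution through RegAsm.exe / RegSvcs.exe.

Added example over constructed process-creation and network events
(Sysmon-like field names, not a real capture). Legitimate RegAsm/RegSvcs runs
are spawned by build tooling or installers with an assembly path on the command
line; a copy launched from %TEMP% by Word, with no assembly argument, that then
opens a network connection is the pattern seen in the process tree above.
"""
import re
from typing import Dict, List, Set

PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Directories a dropped loader typically runs from (assumption for the example).
SUSPICIOUS_PARENT_DIRS = re.compile(r"\\(temp|downloads)\\", re.I)
# Where the genuine .NET Framework copies of RegAsm/RegSvcs live.
DOTNET_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)

# Constructed sample events: one benign build step, one Word -> dropper -> RegSvcs chain.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'RegAsm.exe "C:\build\bin\Interop.dll" /codebase',
     "parent_pid": 3020, "parent_image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe"},
    {"pid": 5210, "image": r"C:\Users\victim\AppData\Local\Temp\invoice_2391.exe",
     "cmdline": r"invoice_2391.exe", "parent_pid": 2200,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5344, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_pid": 5210, "parent_image": r"C:\Users\victim\AppData\Local\Temp\invoice_2391.exe"},
]

# Constructed network-connect events: which pid talked to the outside (hostname is made up).
SAMPLE_NETWORK = [
    {"pid": 5344, "dest": "mail.example.net", "dport": 587},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_assembly_argument(cmdline: str) -> bool:
    """RegAsm/RegSvcs take an assembly (.dll/.exe/.tlb) to register; none => likely hollowed."""
    parts = cmdline.split()
    return any(p.strip('"').lower().endswith((".dll", ".exe", ".tlb")) for p in parts[1:])


def score_event(ev: Dict, net_pids: Set[int]) -> List[str]:
    """Return the reasons a proxy-binary launch looks suspicious (empty list if benign)."""
    reasons: List[str] = []
    if basename(ev["image"]) not in PROXY_BINARIES:
        return reasons
    parent = ev["parent_image"]
    if basename(parent) in OFFICE_PARENTS or SUSPICIOUS_PARENT_DIRS.search(parent):
        reasons.append("spawned by Office or by an executable in %TEMP%/Downloads")
    if not has_assembly_argument(ev["cmdline"]):
        reasons.append("no assembly argument on the command line")
    if ev["pid"] in net_pids:
        reasons.append("made an outbound network connection")
    if not DOTNET_DIR.match(ev["image"]):
        reasons.append("binary is not in the .NET Framework directory")
    return reasons


def detect(events: List[Dict], network: List[Dict], min_reasons: int = 2) -> List[Dict]:
    """Alert on proxy-binary launches that meet at least `min_reasons` of the criteria."""
    net_pids = {n["pid"] for n in network}
    alerts = []
    for ev in events:
        reasons = score_event(ev, net_pids)
        if len(reasons) >= min_reasons:
            alerts.append({"pid": ev["pid"], "image": basename(ev["image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, SAMPLE_NETWORK):
        print(alert["pid"], alert["image"], "|", "; ".join(alert["reasons"]))
```

Requiring two independent reasons keeps a lone developer running RegAsm from a Downloads folder out of the alert queue; the sandbox chain above trips three at once.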

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla often exfiltrates over an unencrypted channel (for example SMTP without TLS), so with the "Network Stream" feature of the ANY.RUN service analysts can see exactly what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent the data. It is not unusual to find the attacker's own SMTP credentials in that stream, since the stealer has to log in to its mail drop before sending.

Figure 3: Agent Tesla's network stream without encryption
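What an analyst reads off that unencrypted stream can also be extracted automatically. The following is an added example, not code from the original page or from ANY.RUN: it walks the client side of a constructed SMTP session (the mailbox, host, password and the "Key: Value" layout of the stolen-credential body are made up for illustration, not the exact format the malware emits) and recovers the attacker's AUTH LOGIN credentials, the envelope, the subject and the exfiltrated records.

```python
"""Pull the operator's SMTP credentials and the exfiltrated message out of an
unencrypted Agent Tesla-style SMTP session.

Added example over a constructed client->server stream (not a real capture).
When the stealer talks to its mail drop over plain TCP (port 25, or 587 without
STARTTLS), AUTH LOGIN carries the username and password as base64 and the DATA
block carries the stolen credentials in clear text.
"""
import base64
from typing import Dict, List

# Constructed session; addresses, host and password are invented for the example.
SAMPLE_CLIENT_STREAM = (
    "EHLO DESKTOP-VICTIM\r\n"
    "AUTH LOGIN\r\n"
    "ZHJvcEBleGFtcGxlLm5ldA==\r\n"      # base64("drop@example.net")
    "UGFzc3cwcmQhMjAyMQ==\r\n"          # base64("Passw0rd!2021")
    "MAIL FROM:<drop@example.net>\r\n"
    "RCPT TO:<drop@example.net>\r\n"
    "DATA\r\n"
    "From: drop@example.net\r\n"
    "To: drop@example.net\r\n"
    "Subject: PW_victim/DESKTOP-VICTIM\r\n"
    "\r\n"
    "Time: 2021-10-23 10:15:02\r\n"
    "User Name: victim\r\n"
    "Computer Name: DESKTOP-VICTIM\r\n"
    "URL: https://webmail.example.org/\r\n"
    "Username: victim@example.org\r\n"
    "Password: hunter2\r\n"
    "Application: Chrome\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def _b64(s: str) -> str:
    """Decode a base64 SMTP token; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return s


def parse_smtp_exfil(stream: str) -> Dict:
    """Walk the client side of an SMTP session: credentials, envelope, subject, body."""
    result: Dict = {"username": None, "password": None, "mail_from": None,
                    "rcpt_to": [], "subject": None, "body": "", "starttls": False}
    lines = stream.split("\r\n")
    i = 0
    while i < len(lines):
        line, upper = lines[i], lines[i].upper()
        if upper == "STARTTLS":
            result["starttls"] = True          # everything after this would be opaque
        elif upper == "AUTH LOGIN":
            # The next two client lines are the base64 username and password.
            result["username"] = _b64(lines[i + 1])
            result["password"] = _b64(lines[i + 2])
            i += 2
        elif upper.startswith("AUTH PLAIN "):
            # RFC 4616: base64("\0user\0pass") on the same line.
            _, user, pwd = _b64(line[11:]).split("\0")
            result["username"], result["password"] = user, pwd
        elif upper.startswith("MAIL FROM:"):
            result["mail_from"] = line[10:].strip("<> ")
        elif upper.startswith("RCPT TO:"):
            result["rcpt_to"].append(line[8:].strip("<> "))
        elif upper == "DATA":
            i += 1
            headers, body, in_body = [], [], False
            while i < len(lines) and lines[i] != ".":   # "." alone terminates DATA
                if not in_body and lines[i] == "":
                    in_body = True
                elif in_body:
                    body.append(lines[i])
                else:
                    headers.append(lines[i])
                i += 1
            for h in headers:
                if h.lower().startswith("subject:"):
                    result["subject"] = h[8:].strip()
            result["body"] = "\n".join(body)
        i += 1
    return result


def stolen_records(body: str) -> List[Dict[str, str]]:
    """Split the 'Key: Value' body into records; each 'URL:' line starts a new one."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "URL" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    session = parse_smtp_exfil(SAMPLE_CLIENT_STREAM)
    print("operator mailbox:", session["username"], "/", session["password"])
    print("subject:", session["subject"])
    for record in stolen_records(session["body"]):
        print(record)
```

If the session shows STARTTLS the parser flags it and stops yielding anything useful past that point; that is the check to run first, because only the plaintext sessions give up the mailbox login and the victim data.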

Conclusion

According to threat intelligence reports, the Agent Tesla trojan has been used by over 6,300 customers since its creation. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by its ease of use, which allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that almost anybody can use it, but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.

IOCs

IP addresses
141.8.192.151
204.11.56.48
141.8.193.236
209.99.40.222
185.27.134.129
199.79.62.93
156.38.171.144
199.188.205.66
92.119.113.115
103.21.59.27
156.38.210.139
198.38.82.246
192.168.100.54 (RFC 1918 private address; not usable as a network indicator outside the sandbox)
93.157.63.185
198.54.115.249
162.241.217.183
66.96.147.102
103.21.59.28
193.239.84.207
109.234.164.92
Hashes

Domains
api.ip.sb (legitimate public-IP lookup service queried by the sample; weak indicator on its own)
isns.net
qxq.ddns.net
f0541260.xsph.ru
f0554024.xsph.ru
f0550246.xsph.ru
f0488450.xsph.ru
f0542299.xsph.ru
f0550461.xsph.ru
f0549750.xsph.ru
f0549925.xsph.ru
f0533712.xsph.ru
f0545380.xsph.ru
f0542710.xsph.ru
f0546032.xsph.ru
f0544857.xsph.ru
f0514964.xsph.ru
f0542403.xsph.ru
f0541979.xsph.ru
f0505180.xsph.ru
