Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 2 August, 2021
Global rank: 2
Week rank: 4
Month rank: 4
IOCs: 23756

What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, allowing them to see everything that has been typed in supported programs and web browsers.

Being marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the “official” website where the malware is sold, as well as on a dedicated Discord server. Despite the claims of legitimacy, support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is built on the .NET software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients and FTP servers.

In addition, Agent Tesla malware is able to capture screenshots and videos. It can also record clipboard information and form values. The virus was being distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-packaged purchase plans that include various options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technically savvy attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

The malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. It is also able to turn off Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of ANY.RUN allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to detect. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, be careful about downloading attachments from emails sent by unknown senders.

Distribution of Agent Tesla

The malware is distributed mainly via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a malicious document is automatically downloaded to the victim’s PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself in the “%temp%” folder and then executes automatically. Email campaigns usually target individuals working in a variety of industries, and the topics of the malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or an exploit. Once the document is opened, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. In the given example, the RegSvcs.exe process is the one stealing the personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, look at the indicators of a malicious process (most often an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also view what information the malware has stolen by clicking on the indicator and navigating with the left and right arrows in the window that appears.
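The process chain described above (Word document, dropped executable in %temp%, child processes, then RegAsm.exe or RegSvcs.exe doing the stealing) can be turned into a simple detection rule over process-creation events. This is an added example, not ANY.RUN's code: the event records are constructed and loosely modelled on Sysmon Event ID 1 fields, and the paths and names in them are placeholders.

```python
import ntpath
from dataclasses import dataclass

# Constructed process-creation records (pid, parent pid, image path); they are
# not ANY.RUN output and the paths are placeholders, not indicators.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str

SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(300, 200, r"C:\Users\victim\AppData\Local\Temp\invoice.exe"),   # dropped payload
    ProcEvent(400, 300, r"C:\Users\victim\AppData\Local\Temp\invoice.exe"),   # its own child
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(600, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),  # benign
]

PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}   # trusted .NET utilities named on the page

def in_temp(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p

def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Parent chain from ev upwards; the seen-set guards against pid-reuse loops."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain

def find_proxied_execution(events) -> list:
    """Flag RegAsm/RegSvcs whose ancestry includes WINWORD.EXE or a %temp% executable."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ntpath.basename(ev.image).lower() not in PROXY_BINARIES:
            continue
        chain = ancestors(ev, by_pid)
        reasons = []
        if any(in_temp(a.image) for a in chain):
            reasons.append("ancestor ran from %temp%")
        if any(ntpath.basename(a.image).lower() == "winword.exe" for a in chain):
            reasons.append("ancestor is WINWORD.EXE")
        if reasons:
            findings.append((ev.pid, ntpath.basename(ev.image), reasons))
    return findings
```

In the sample only pid 500 is flagged; the RegSvcs.exe started directly from explorer.exe has no suspicious ancestry and is left alone.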

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla's packet encryption often fails, and with ANY.RUN's "Network Stream" analysts can take a look at what data this malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent the data. It is not unusual to find even the attacker’s SMTP credentials in this information.

Figure 2: Agent Tesla’s network stream without encryption
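What an analyst reads in such an unencrypted stream is an ordinary SMTP AUTH LOGIN session, so the account the malware authenticates with and the recipient of the exfiltrated data can be pulled out mechanically. This is an added example, not ANY.RUN's code: the exchange is constructed, and the host, account and password in it are placeholders.

```python
import base64

def b64e(s: str) -> str: return base64.b64encode(s.encode()).decode()
def b64d(s: str) -> str: return base64.b64decode(s).decode("utf-8", "replace")

# Constructed plaintext SMTP exchange, shaped like what an analyst reads in a
# network stream: "C:" lines are the client (malware), "S:" lines the server.
# Host, account and password are placeholders, not indicators from the page.
USER, PASS = "account@example-placeholder.test", "placeholder-pass"
SAMPLE_STREAM = "\n".join([
    "S: 220 mail.example-placeholder.test ESMTP ready",
    "C: EHLO VICTIM-PC",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + b64e("Username:"),
    "C: " + b64e(USER),
    "S: 334 " + b64e("Password:"),
    "C: " + b64e(PASS),
    "S: 235 Authentication succeeded",
    "C: MAIL FROM:<%s>" % USER,
    "C: RCPT TO:<%s>" % USER,
    "S: 250 OK",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: Subject: constructed sample report",
    "C: .",
    "S: 250 OK queued",
])

def parse_smtp_stream(stream: str) -> dict:
    """Walk a plaintext AUTH LOGIN session and recover the account and recipients used."""
    info = {"username": None, "password": None, "mail_from": None,
            "rcpt_to": [], "auth_ok": False}
    expect = None  # which AUTH LOGIN prompt the server issued last
    for line in stream.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            if text.startswith("334 "):               # base64 "Username:" / "Password:"
                expect = b64d(text[4:]).rstrip(":").lower()
            elif text.startswith("235"):              # authentication accepted
                info["auth_ok"] = True
        elif side == "C":
            if expect in ("username", "password"):    # client answers the prompt in base64
                info[expect] = b64d(text)
                expect = None
            elif text.upper().startswith("MAIL FROM:"):
                info["mail_from"] = text[text.find("<") + 1:text.find(">")]
            elif text.upper().startswith("RCPT TO:"):
                info["rcpt_to"].append(text[text.find("<") + 1:text.find(">")])
    return info
```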

Conclusion

According to available information, the Agent Tesla trojan has been used by over 6,300 customers since its creation. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla lies not only in the fact that it can be used by almost anybody but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.
