BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
3
Global rank
1
Month rank
1
Week rank
2855
IOCs

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Trojan
Type
Likely Turkey
Origin
1 January, 2014
First seen
14 July, 2024
Last seen

How to analyze Agent Tesla with ANY.RUN

Type
Likely Turkey
Origin
1 January, 2014
First seen
14 July, 2024
Last seen

IOCs

IP addresses
162.254.34.31
66.29.151.236
198.23.221.13
76.74.235.200
92.38.178.11
Hashes
c54a3c60bc528e8594c813c61a2f929666e0f22a3ca837612b9cd48442721853
97a6f1686f456a126c4fd823b01df49814c71dbf4e2f3458ce9c62f89de17719
8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
297b6b9e2ea036c31d6847a448581f7caf185aa92ddbf4ea5fd1a9b5864d55e6
f4db8a1f981a33479e7ee3013aa87145041d97e0c82083c78c508a6d41820f09
cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119
954c1a6eaa6c9946aef8dbf957e00b6eb2ab564f564bde22c4a1c1af6b7e2c23
2091183db00054d0dc8504468cdf15c10f9a4172dd36afa1d18123e59155dcdc
8bc2d2a8e99fdf12dabed46d100d94d357e064f307718087591e9858c840a1c3
eae8ee79f837443d3f1ca4a05375b801e6f12b5cc9b826312a59efbff650cbdb
5485c351ca583b40b70345114311f9f514014c054b5317ef6c5744a3faed5233
fece0277367bab0ee97f89b5fc4f2c0b2603d3c36d29c25b38870adef7200e59
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
85f65e0fbc92ef783cddb1d31e539515c237feaa525f07afd7a42d39a855abf7
b67634b988dfb1f43e7ecd30579fe285e1e57740d646f6896b4f6a0d13cfb9dd
90f2a4d197b1370900643697e22b3fbbc4f7d05c63a1a7bd8d0f665cc76dbdc5
937dab028a6d88b7b985465c62eb1257878a42b865b73cb745c5593d0b70b586
5a3c93667e6754c550e0ca2027bb4edf488965a433df6ad8e9f2d22cfc5b06a8
9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
6af896efdf2c6070a453c6226930104816ef6bbb0a9a97580bb185907362547a
Domains
250-sas1-26681efc71ef.qloud-c.yandex.net
mail.sbrenind.com
mail.elkat.com.my
elkat.com.my
smtp.godforeu.com
terminal4.veeblehosting.com
gator3220.hostgator.com
mail.funworld.co.id
smtp.claresbout.com
investms.vadavo.cloud
mail.pgsu.co.id
cp8nl.hyperhost.ua
mail.fasmacopy.gr
mail.suplementvases.com
mail.window10server.com
mail.commtechtrading.com
mail.groupmt.vn
mail.iaa-airferight.com
mail.myhydropowered.com
mail.hinge1.com
URLs
ftp://ftp.acc-engineering.xyz/
https://activeheat.co.vu/dek/inc/f08405615b33f6.php
https://api.telegram.org/bot5160342877:AAG7aI_cOY3UzpErIEUdfVUJMJszvGYLIiI/sendDocument
https://api.telegram.org/bot6282444605:AAF3ljrvcPGjf3okB7t0o_QzQ88OoHOJ7gw/
ftp://ftp.svetigeorgije.co.rs/
ftp://ftp.corpsa.net/
https://api.telegram.org/bot6041893220:AAF8CZzv8AFxOdWhmChH81__ao3x5_lnfqU/
https://api.telegram.org/bot1611551445:AAFDJ3yQMlB3zXJGib2_TFkq1jedBMj3GTw/sendDocument
ftp://ftp.lemendoza.com/
https://api.telegram.org/bot6236057808:AAEPjUfD2i1Z2Y6D-v4tJe2o-ZsIOYXQJ0Q/
https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendDocument
https://api.telegram.org/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/
http://www.texlandbd.com/vvs/inc/c874c1a5333207.php
http://originwealth.ydns.eu/sew/inc/10a5031d37bc79.php
http://pushkinorigin.ydns.eu/wiz/inc/1d7c50187af637.php
https://api.telegram.org/bot5268976687:AAFVn0p7E2gEOnhpsNJOFeUNsuaE1sW24jE/
https://api.telegram.org/bot6568247464:AAHsSOES5pRueRqAlbG1bx5hx02y4of2d_Q/
ftp://ftp.onelovehk.com.ng/
https://www.ronaldsmith.loan//inc/4e7ada8f7b87bc.php
https://api.telegram.org/bot5304537825:AAFt7BhY9MUlq_s5TsQbIJu1GotM2jL0xGU/
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q2, 2024 
watchers 1341
comments 0
post image
A Guide to Common Encryption Algorithms in Mo...
watchers 360
comments 0
post image
Search for Network Threats by Suricata in TI...
watchers 684
comments 0

What is Agent Tesla malware?

Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.

Being marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community. Not lastly due to its ease of use and tech support, available on the “official” website where this malware is being sold by the attackers, as well as on the dedicated Discord server. Despite claiming the legitimacy of the software, support staff gives advice on utilizing the virus illegally. It is thought that Agent Tesla spyware has originated in Turkey.

General description of Agent Tesla

The spyware is created using .Net software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla malware can capture screenshots and videos. It can also record clipboard information and form values. The virus was being distributed on agenttesla-dot-com where attackers could purchase it for as little as $15. However, depending on the requested options the package price could easily reach roughly $70.

Uniquely, creators of the malware have set up a sort of an ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored for different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technically savvy attacker to pack the payload into a malicious document. What’s more, after 2015 the control panel of Agent Tesla has been expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC in set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. It is also able to turn off Windows processes to stay hidden.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Malware analysis of Agent Tesla

The interactivity of ANY.RUN service allows tracking activities in real-time and watching Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox simulation. A video recorded by the ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in our threat intelligence feed in the public submissions.

agent tesla execution process graph Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not an easy one to identify. The most robust way to stay safe is to exhibit caution when opening suspicious emails or visiting unknown links. Above all, one must be careful to download attachments in emails from unknown senders and try to identify scams.

Distribution of Agent Tesla

The malware is distributed at large via spam email campaigns like Vidar or IcedID. It is usually delivered to victims in malicious documents, or via malicious web links. Upon visiting such a link, a contaminated document will be automatically downloaded to a victim’s PC.

If opened, the document will trigger the download of the actual virus. The spyware saves itself in the “%temp%” folder and then automatically executes. Email campaigns usually target individuals working in different industries. Topics of malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executed file or exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy the code execution through a trusted Windows utility. The research and threat intelligence team can pay attention that in the given example RegSvcs.exe process is stealing personal data.

process tree of the agent tesla execution Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information you can identify it by behavioral activities. To do so, try the analysis of the indicators of a malicious process (most often it's an injected "RegAsm.exe"). If there is the indicator "Actions looks like stealing of personal data" in the "Process details" section you probably are dealing with the Agent Tesla trojan. Also, you can identify what information the malware has stolen by clicking on the indicator. You can navigate through by clicking right and left arrows in the appeared window.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How to get more Agent Tesla data using ANY.RUN?

Often Agenttesla packets encryption is unsuccessful and with ANY.RUN service's "Network Stream" analysts can take a look at what data this malware stole. To do it open the "Connections" tab in the lower part of the task's window and simply click on the connection which sent data. Not unusual that you can find inside this information even the attacker’s SMTP credential.

agent tesla's network stream without encryption Figure 2: Agent Tesla’s Network stream without encryption

Conclusion

According to threat intelligence reports, since its creation, Agent Tesla trojan has been used by over 6,300 customers. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is of, course, supported by the ease of use which allows even novice attackers to set up attacks.

A company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that it can be used by almost anybody but also in its ability to open doors to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allows professionals to examine the malware behavior in detail and set up appropriate security responses.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy