Agent Tesla


Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 3 June, 2023

How to analyze Agent Tesla with ANY.RUN




What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, seeing everything that has been typed into supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the “official” website where the attackers sell the malware, as well as on a dedicated Discord server. Despite claiming that the software is legitimate, support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written using the .NET framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla malware can capture screenshots and video. It can also record clipboard contents and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-packaged purchase plans that include various options tailored for different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technical attacker to pack the payload into a malicious document. What’s more, since 2015 the Agent Tesla control panel has been expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection: it can resume operation automatically after a system reboot, and it is also able to terminate Windows processes to stay hidden.


Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows tracking activities in real time and watching Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in the public submissions of our threat intelligence feed.

Figure 1: A lifecycle graph generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not an easy one to identify. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, be careful when downloading attachments from emails sent by unknown senders, and try to recognize scams.

Distribution of Agent Tesla

The malware is distributed at large via spam email campaigns, as are Vidar and IcedID. It is usually delivered to victims in malicious documents or via malicious web links. Upon visiting such a link, a contaminated document is automatically downloaded to the victim’s PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself in the “%temp%” folder and then executes automatically. Email campaigns usually target individuals working in various industries, and the topics of the malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or an exploit. Once the document is clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. Research and threat intelligence teams should note that in the given example it is the RegSvcs.exe process that is stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activity. To do so, examine the indicators of a malicious process (most often it is an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also see what information the malware has stolen by clicking on the indicator and navigating with the right and left arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

Agent Tesla often fails to encrypt its packets, and with the ANY.RUN service's "Network Stream" analysts can take a look at what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent data. It is not unusual to find even the attacker’s SMTP credentials in this information.

Figure 2: Agent Tesla’s network stream without encryption
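The execution chain and identification hints above (Word document, dropped executable, RegSvcs/RegAsm proxy execution, SMTP exfiltration) can be turned into a small process-tree hunt. This is an added example, not ANY.RUN's code: the event format, the user-writable path set and all sample paths and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
PROXY_BINARIES = {"regsvcs.exe", "regasm.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SMTP_PORTS = {25, 465, 587}

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                                       # full image path
    connections: list = field(default_factory=list)  # (dst_ip, dst_port) pairs

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def user_writable(path):
    """Locations a dropper can write without admin rights (assumed set)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p

def hunt(procs):
    """Return (pid, reason) tuples for processes matching the Agent Tesla chain."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name, parent = basename(p.image), by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        # 1. Office application launching a binary dropped in a user-writable path
        if pname in OFFICE_APPS and user_writable(p.image):
            findings.append((p.pid, f"{pname} spawned {name} from user-writable path"))
        # 2. RegSvcs/RegAsm started by a user-writable parent: proxy execution
        if name in PROXY_BINARIES and parent and user_writable(parent.image):
            findings.append((p.pid, f"{name} launched by {parent.image}"))
        # 3. The proxy binary has no reason to talk to the network, let alone SMTP
        for ip, port in p.connections:
            if name in PROXY_BINARIES:
                kind = "SMTP" if port in SMTP_PORTS else "network"
                findings.append((p.pid, f"{name} opened {kind} connection to {ip}:{port}"))
    return findings

# Constructed sample events (not from a real task) reproducing the described chain
SAMPLE = [
    Proc(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(200, 100, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    Proc(300, 200, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    Proc(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         [("203.0.113.10", 587)]),
    Proc(500, 1, r"C:\Windows\explorer.exe"),
    Proc(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]
```

Running `hunt(SAMPLE)` flags the dropped executable spawned by Word and the RegAsm.exe instance that both has a user-writable parent and opens an SMTP connection, while the RegAsm.exe started from explorer.exe with no network activity stays silent.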

Conclusion

According to threat intelligence reports, since its creation the Agent Tesla trojan has been used by over 6,300 customers. Unfortunately, the popularity of the virus is only continuing to rise. The upward trend is, of course, supported by the ease of use, which allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that it can be used by almost anybody but also in its ability to open the door to more destructive malware. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.
