Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Type: Trojan
Origin: Likely Turkey
First seen: 1 January, 2014
Last seen: 2 December, 2023


What is Agent Tesla malware?

Agent Tesla is password-stealing spyware that has been around since 2014. Attackers use the malware to spy on victims, allowing them to see everything that has been typed into supported programs and web browsers.

Marketed and sold on its own website, which falsely claims that the program is a legitimate keylogger created for personal use, the Agent Tesla virus has become extremely popular in the hacker community, not least because of its ease of use and the tech support available on the "official" website where the attackers sell the malware, as well as on a dedicated Discord server. Despite claiming that the software is legitimate, the support staff give advice on using the virus illegally. Agent Tesla spyware is thought to have originated in Turkey.

General description of Agent Tesla

The spyware is written on the .NET framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.

In addition, Agent Tesla malware can capture screenshots and videos. It can also record clipboard contents and form values. The virus was distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15; depending on the requested options, however, the package price could easily reach roughly $70.

Uniquely, the creators of the malware have set up a sort of ecosystem around the program, providing 24/7 customer support as well as pre-packaged purchase plans with various options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel, which allows even a non-technical attacker to pack the payload into a malicious document. What's more, since 2015 the Agent Tesla control panel has been expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim's PC at set intervals.

Based on the analysis, the malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection: it resumes operation automatically after a system reboot, and it is able to terminate Windows processes to stay hidden.

Malware analysis of Agent Tesla

The interactivity of the ANY.RUN service allows analysts to track activities in real time and watch Agent Tesla in action in a controlled, safe environment with full real-time access to the sandbox. A video recorded by ANY.RUN gives us the ability to take a closer look at the lifecycle of this virus. You can also analyze fresh samples and IOCs in our threat intelligence feed and in the public submissions.

Figure 1: A lifecycle graph of the Agent Tesla execution process generated by ANY.RUN

How to avoid infection by Agent Tesla?

Agent Tesla malware is not easy to identify. The most robust way to stay safe is to exercise caution when opening suspicious emails or visiting unknown links. Above all, be careful about downloading attachments from emails sent by unknown senders, and try to recognize scams.

Distribution of Agent Tesla

Like Vidar or IcedID, the malware is distributed at large via spam email campaigns. It is usually delivered to victims in malicious documents or via malicious web links; visiting such a link automatically downloads a contaminated document to the victim's PC.

If opened, the document triggers the download of the actual virus. The spyware saves itself to the "%temp%" folder and then executes automatically. Email campaigns usually target individuals working in different industries, and the topics of the malicious emails can be extremely diverse.

Agent Tesla execution process

Agent Tesla keylogger is mostly spread via Microsoft Word documents that contain an embedded executable file or an exploit. Once clicked, an executable file is downloaded and renamed. The downloaded file runs itself and creates a child process, which in turn can create another child process.

The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility. Research and threat intelligence teams should note that in the given example, the RegSvcs.exe process is the one stealing personal data.

Figure 2: A process tree of the Agent Tesla execution

Since the main purpose of Agent Tesla RAT is stealing personal information, you can identify it by its behavioral activities. To do so, examine the indicators of a malicious process (most often it is an injected "RegAsm.exe"). If the indicator "Actions looks like stealing of personal data" appears in the "Process details" section, you are probably dealing with the Agent Tesla trojan. You can also see what information the malware has stolen by clicking on the indicator and navigating with the right and left arrows in the window that appears.

How to get more Agent Tesla data using ANY.RUN?

The encryption of Agent Tesla's packets often fails, and with the ANY.RUN service's "Network Stream" analysts can take a look at what data the malware stole. To do so, open the "Connections" tab in the lower part of the task window and click on the connection that sent data. It is not unusual to find the attacker's SMTP credentials in this stream.

Figure 2: Agent Tesla's network stream without encryption
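As an added example (not ANY.RUN's code), the following Python triages a constructed process and network event stream for the chain described in the execution-process and network-stream sections above: an Office document spawning a renamed executable in %temp%, that executable proxying through RegAsm.exe or RegSvcs.exe, and the proxy process uploading data over SMTP, FTP or the Telegram Bot API. The event layout, process names and host names are assumptions made for this example.

```python
"""Behavioural triage for the Agent Tesla execution chain described above.

Added example, not ANY.RUN's code. It flags the chain the page describes in a
constructed event stream: an Office document spawning an executable from %temp%,
that executable proxying through RegSvcs.exe / RegAsm.exe, and the proxy process
sending data over SMTP, FTP or the Telegram Bot API. Event layout and host names
are assumptions made for this example.
"""

# Constructed telemetry, not real sandbox output:
# (event_type, process_name, parent_process_name, detail)
SAMPLE_EVENTS = [
    ("process", "WINWORD.EXE", "explorer.exe", r"C:\Users\bob\Desktop\invoice.docm"),
    ("process", "rkbtd.exe", "WINWORD.EXE", r"C:\Users\bob\AppData\Local\Temp\rkbtd.exe"),
    ("process", "RegAsm.exe", "rkbtd.exe", r"C:\Windows\Microsoft.NET\Framework\RegAsm.exe"),
    ("network", "RegAsm.exe", "rkbtd.exe", "tcp 587 mail.example.invalid"),
    ("network", "chrome.exe", "explorer.exe", "tcp 443 www.example.invalid"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}  # trusted .NET utilities abused as proxies
EXFIL_PORTS = {"21", "25", "465", "587"}        # FTP and SMTP, the upload channels seen

def triage(events):
    """Return human-readable findings for one host's event stream."""
    findings, temp_procs = [], set()  # temp_procs: executables seen running from %temp%
    for kind, proc, parent, detail in events:
        p, pp = proc.lower(), parent.lower()
        if kind == "process":
            if pp in OFFICE_APPS and p.endswith(".exe"):
                findings.append(f"{parent} spawned executable {proc}")
            if "\\appdata\\local\\temp\\" in detail.lower():
                findings.append(f"{proc} runs from %temp%")
                temp_procs.add(p)
            if p in PROXY_BINARIES and pp in temp_procs:
                findings.append(f"{proc} launched by %temp% executable {parent} (execution proxy)")
        elif kind == "network" and p in PROXY_BINARIES:
            _proto, port, host = detail.split()
            if port in EXFIL_PORTS or host.endswith("api.telegram.org"):
                findings.append(f"{proc} -> {host}:{port} (possible stolen-data upload)")
    return findings

def verdict(events):
    """Three or more chained findings are treated as Agent Tesla-like behaviour."""
    return "agent-tesla-like" if len(triage(events)) >= 3 else "inconclusive"

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)), verdict(SAMPLE_EVENTS), sep="\n")
```

On the constructed stream the script reports four findings; a lone browser connection on port 443 produces none, so the verdict stays inconclusive.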

Conclusion

According to threat intelligence reports, the Agent Tesla trojan has been used by over 6,300 customers since its creation. Unfortunately, the popularity of the virus only continues to rise. The upward trend is, of course, supported by the ease of use that allows even novice attackers to set up attacks.

The company-like service provided by the virus creators also plays a significant role. The danger of Agent Tesla for incident response and threat intelligence teams lies not only in the fact that almost anybody can use it, but also in its ability to open the door to more destructive viruses. Thankfully, interactive analysis services such as ANY.RUN allow professionals to examine the malware's behavior in detail and set up appropriate security responses.
