win.agent_tesla (Back to overview)

Agent Tesla

aka: AgentTesla

Actor(s): SWEED

URLhaus              

A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.

References
2019-07-15 ⋅ Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2018-04-05 ⋅ FortinetXiaopeng Zhang
@online{zhang:20180405:analysis:a048b77, author = {Xiaopeng Zhang}, title = {{Analysis of New Agent Tesla Spyware Variant}}, date = {2018-04-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html}, language = {English}, urldate = {2019-11-26} } Analysis of New Agent Tesla Spyware Variant
Agent Tesla
2018-01-12 ⋅ StormshieldRémi Jullian
@online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } Analyzing an Agent Tesla campaign: from a word document to the attacker credentials
Agent Tesla
2017-09-25 ⋅ Palo Alto Networks Unit 42Jeff White
@online{white:20170925:analyzing:92167ce, author = {Jeff White}, title = {{Analyzing the Various Layers of AgentTesla’s Packing}}, date = {2017-09-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/}, language = {English}, urldate = {2019-12-20} } Analyzing the Various Layers of AgentTesla’s Packing
Agent Tesla
2017-06-28 ⋅ FortinetXiaopeng Zhang
@online{zhang:20170628:indepth:51d37ec, author = {Xiaopeng Zhang}, title = {{In-Depth Analysis of A New Variant of .NET Malware AgentTesla}}, date = {2017-06-28}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr}, language = {English}, urldate = {2020-01-08} } In-Depth Analysis of A New Variant of .NET Malware AgentTesla
Agent Tesla
2016-08 ⋅ ZscalerDeepen Desai
@online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } Agent Tesla Keylogger delivered using cybersquatting
Agent Tesla
Yara Rules
[TLP:WHITE] win_agent_tesla_w0 (20190731 | No description)
rule win_agent_tesla_w0 {
    meta:
        author = "InQuest Labs"
        source = "https://www.inquest.net"
        created = "05/18/2018"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        malpedia_version = "20190731"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SecretId1" ascii
        $s1 = "#GUID" ascii
        $s2 = "#Strings" ascii
        $s3 = "#Blob" ascii
        $s4 = "get_URL" ascii
        $s5 = "set_URL" ascii
        $s6 = "DecryptIePassword" ascii
        $s8 = "GetURLHashString" ascii
        $s9 = "DoesURLMatchWithHash" ascii

        $f0 = "GetSavedPasswords" ascii
        $f1 = "IESecretHeader" ascii
        $f2 = "RecoveredBrowserAccount" ascii
        $f4 = "PasswordDerivedBytes" ascii
        $f5 = "get_ASCII" ascii
        $f6 = "get_ComputerName" ascii
        $f7 = "get_WebServices" ascii
        $f8 = "get_UserName" ascii
        $f9 = "get_OSFullName" ascii
        $f10 = "ComputerInfo" ascii
        $f11 = "set_Sendwebcam" ascii
        $f12 = "get_Clipboard" ascii
        $f13 = "get_TotalFreeSpace" ascii
        $f14 = "get_IsAttached" ascii

        $x0 = "IELibrary.dll" ascii wide
        $x1 = "webpanel" ascii wide nocase
        $x2 = "smtp" ascii wide nocase

        $v5 = "vmware" ascii wide nocase
        $v6 = "VirtualBox" ascii wide nocase
        $v7 = "vbox" ascii wide nocase
        $v9 = "avghookx.dll" ascii wide nocase

        $pdb = "IELibrary.pdb" ascii
    condition:
        (
            (
                5 of ($s*) or
                7 of ($f*)
            ) and
            all of ($x*) and
            all of ($v*) and
            $pdb
        )
}
Download all Yara Rules