SYMBOLCOMMON_NAMEaka. SYNONYMS
win.agent_tesla (Back to overview)

Agent Tesla

aka: AgenTesla, AgentTesla, Negasteal

Actor(s): SWEED

URLhaus              

A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.

References
2021-02-25MinervaMinerva Labs
@online{labs:20210225:preventing:c968dbc, author = {Minerva Labs}, title = {{Preventing AgentTelsa Infiltration}}, date = {2021-02-25}, organization = {Minerva}, url = {https://blog.minerva-labs.com/preventing-agenttesla}, language = {English}, urldate = {2021-02-25} } Preventing AgentTelsa Infiltration
Agent Tesla
2021-02-12InfoSec Handlers Diary BlogXavier Mertens
@online{mertens:20210212:agenttesla:228400f, author = {Xavier Mertens}, title = {{AgentTesla Dropped Through Automatic Click in Microsoft Help File}}, date = {2021-02-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27092}, language = {English}, urldate = {2021-02-18} } AgentTesla Dropped Through Automatic Click in Microsoft Help File
Agent Tesla
2021-02-12TrustwaveRodel Mendrez, Diana Lopera
@online{mendrez:20210212:many:560778f, author = {Rodel Mendrez and Diana Lopera}, title = {{The Many Roads Leading To Agent Tesla}}, date = {2021-02-12}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/}, language = {English}, urldate = {2021-02-18} } The Many Roads Leading To Agent Tesla
Agent Tesla
2021-02-11InfoSec Handlers Diary BlogJan Kopriva
@online{kopriva:20210211:agent:e27e397, author = {Jan Kopriva}, title = {{Agent Tesla hidden in a historical anti-malware tool}}, date = {2021-02-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27088}, language = {English}, urldate = {2021-02-20} } Agent Tesla hidden in a historical anti-malware tool
Agent Tesla
2021-01-11ESET ResearchMatías Porolli
@online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-18Trend MicroMatthew Camacho, Raphael Centeno, Junestherry Salvador
@online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma
2020-12-15CofenseAaron Riley
@online{riley:20201215:strategic:653455d, author = {Aaron Riley}, title = {{Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities}}, date = {2020-12-15}, organization = {Cofense}, url = {https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/}, language = {English}, urldate = {2020-12-17} } Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities
Agent Tesla
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-12-07ProofpointProofpoint Threat Research Team
@online{team:20201207:commodity:027b864, author = {Proofpoint Threat Research Team}, title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}}, date = {2020-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads}, language = {English}, urldate = {2020-12-10} } Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-12-03TelsyTelsy Research Team
@techreport{team:20201203:when:0269579, author = {Telsy Research Team}, title = {{When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage}}, date = {2020-12-03}, institution = {Telsy}, url = {https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf}, language = {English}, urldate = {2020-12-14} } When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage
Agent Tesla
2020-11-27HPAlex Holland
@online{holland:20201127:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-11-27}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-11-27} } Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer
Agent Tesla
2020-11-18G DataG-Data
@online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-11-18SophosSophos
@techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-05MorphisecMichael Gorelik
@online{gorelik:20201105:agent:1cefe08, author = {Michael Gorelik}, title = {{Agent Tesla: A Day in a Life of IR}}, date = {2020-11-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir}, language = {English}, urldate = {2020-11-09} } Agent Tesla: A Day in a Life of IR
Agent Tesla
2020-10-16HornetsecurityHornetsecurity Security Lab
@online{lab:20201016:vba:577dd47, author = {Hornetsecurity Security Lab}, title = {{VBA Purging Malspam Campaigns}}, date = {2020-10-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/}, language = {English}, urldate = {2020-12-08} } VBA Purging Malspam Campaigns
Agent Tesla Formbook
2020-10-05JuniperPaul Kimayong
@online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = {2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } New pastebin-like service used in multiple malware campaigns
Agent Tesla LimeRAT RedLine Stealer
2020-09-03Medium mariohenkelMario Henkel
@online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } Decrypting AgentTesla strings and config
Agent Tesla
2020-08-27MalWatchMalWatch
@online{malwatch:20200827:wintrojanagenttesla:8c6e4f6, author = {MalWatch}, title = {{Win.Trojan.AgentTesla - Malware analysis & threat intelligence report}}, date = {2020-08-27}, organization = {MalWatch}, url = {https://malwatch.github.io/posts/agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-08-28} } Win.Trojan.AgentTesla - Malware analysis & threat intelligence report
Agent Tesla
2020-08-26Lab52Jagaimo Kawaii
@online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } A twisted malware infection chain
Agent Tesla Loki Password Stealer (PWS)
2020-08-10SentinelOneJim Walter
@online{walter:20200810:agent:d09f042, author = {Jim Walter}, title = {{Agent Tesla | Old RAT Uses New Tricks to Stay on Top}}, date = {2020-08-10}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/}, language = {English}, urldate = {2020-08-13} } Agent Tesla | Old RAT Uses New Tricks to Stay on Top
Agent Tesla
2020-08-10SeqritePavankumar Chaudhari
@online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } Gorgon APT targeting MSME sector in India
Agent Tesla
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-23InfoSec Handlers Diary BlogXavier Mertens
@online{mertens:20200523:agenttesla:eba0b0c, author = {Xavier Mertens}, title = {{AgentTesla Delivered via a Malicious PowerPoint Add-In}}, date = {2020-05-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/}, language = {English}, urldate = {2020-05-27} } AgentTesla Delivered via a Malicious PowerPoint Add-In
Agent Tesla
2020-05-22YoroiYoroi
@online{yoroi:20200522:cybercriminal:97a41b3, author = {Yoroi}, title = {{Cyber-Criminal espionage Operation insists on Italian Manufacturing}}, date = {2020-05-22}, organization = {Yoroi}, url = {https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/}, language = {English}, urldate = {2020-05-23} } Cyber-Criminal espionage Operation insists on Italian Manufacturing
Agent Tesla
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-16MalwarebytesHossein Jazi
@online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } New AgentTesla variant steals WiFi credentials
Agent Tesla
2020-04-15Suraj Malhotra
@online{malhotra:20200415:how:6cfc199, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II}}, date = {2020-04-15}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/}, language = {English}, urldate = {2020-04-20} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II
Agent Tesla
2020-04-14Palo Alto Networks Unit 42Adrian McCabe, Vicky Ray, Juan Cortes
@online{mccabe:20200414:malicious:9481b60, author = {Adrian McCabe and Vicky Ray and Juan Cortes}, title = {{Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns}}, date = {2020-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/}, language = {English}, urldate = {2020-04-14} } Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
Agent Tesla EDA2
2020-04-13Suraj Malhotra
@online{malhotra:20200413:how:6ea81f8, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I}}, date = {2020-04-13}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/}, language = {English}, urldate = {2020-04-15} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I
Agent Tesla
2020-04-05MalwrAnalysisAnurag
@online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } Trojan Agent Tesla – Malware Analysis
Agent Tesla
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-02-28PWC UKPWC UK
@techreport{uk:20200228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2020-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-02} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-02-26MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } (Ab)using bash-fu to analyze recent Aggah sample
Agent Tesla
2020-02-02Sophos LabsSean Gallagher, Markel Picado
@online{gallagher:20200202:agent:81dd245, author = {Sean Gallagher and Markel Picado}, title = {{Agent Tesla amps up information stealing attacks}}, date = {2020-02-02}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/}, language = {English}, urldate = {2021-02-04} } Agent Tesla amps up information stealing attacks
Agent Tesla
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2018-04-05FortinetXiaopeng Zhang
@online{zhang:20180405:analysis:a048b77, author = {Xiaopeng Zhang}, title = {{Analysis of New Agent Tesla Spyware Variant}}, date = {2018-04-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html}, language = {English}, urldate = {2019-11-26} } Analysis of New Agent Tesla Spyware Variant
Agent Tesla
2018-01-12StormshieldRémi Jullian
@online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } Analyzing an Agent Tesla campaign: from a word document to the attacker credentials
Agent Tesla
2017-09-25Palo Alto Networks Unit 42Jeff White
@online{white:20170925:analyzing:92167ce, author = {Jeff White}, title = {{Analyzing the Various Layers of AgentTesla’s Packing}}, date = {2017-09-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/}, language = {English}, urldate = {2019-12-20} } Analyzing the Various Layers of AgentTesla’s Packing
Agent Tesla
2017-06-28FortinetXiaopeng Zhang
@online{zhang:20170628:indepth:51d37ec, author = {Xiaopeng Zhang}, title = {{In-Depth Analysis of A New Variant of .NET Malware AgentTesla}}, date = {2017-06-28}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr}, language = {English}, urldate = {2020-01-08} } In-Depth Analysis of A New Variant of .NET Malware AgentTesla
Agent Tesla
2016-08ZscalerDeepen Desai
@online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } Agent Tesla Keylogger delivered using cybersquatting
Agent Tesla
Yara Rules
[TLP:WHITE] win_agent_tesla_w0 (20190731 | No description)
rule win_agent_tesla_w0 {
    meta:
        author = "InQuest Labs"
        source = "https://www.inquest.net"
        created = "05/18/2018"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        malpedia_version = "20190731"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SecretId1" ascii
        $s1 = "#GUID" ascii
        $s2 = "#Strings" ascii
        $s3 = "#Blob" ascii
        $s4 = "get_URL" ascii
        $s5 = "set_URL" ascii
        $s6 = "DecryptIePassword" ascii
        $s8 = "GetURLHashString" ascii
        $s9 = "DoesURLMatchWithHash" ascii

        $f0 = "GetSavedPasswords" ascii
        $f1 = "IESecretHeader" ascii
        $f2 = "RecoveredBrowserAccount" ascii
        $f4 = "PasswordDerivedBytes" ascii
        $f5 = "get_ASCII" ascii
        $f6 = "get_ComputerName" ascii
        $f7 = "get_WebServices" ascii
        $f8 = "get_UserName" ascii
        $f9 = "get_OSFullName" ascii
        $f10 = "ComputerInfo" ascii
        $f11 = "set_Sendwebcam" ascii
        $f12 = "get_Clipboard" ascii
        $f13 = "get_TotalFreeSpace" ascii
        $f14 = "get_IsAttached" ascii

        $x0 = "IELibrary.dll" ascii wide
        $x1 = "webpanel" ascii wide nocase
        $x2 = "smtp" ascii wide nocase

        $v5 = "vmware" ascii wide nocase
        $v6 = "VirtualBox" ascii wide nocase
        $v7 = "vbox" ascii wide nocase
        $v9 = "avghookx.dll" ascii wide nocase

        $pdb = "IELibrary.pdb" ascii
    condition:
        (
            (
                5 of ($s*) or
                7 of ($f*)
            ) and
            all of ($x*) and
            all of ($v*) and
            $pdb
        )
}
[TLP:WHITE] win_agent_tesla_w1 (20200506 | Detect Agent Tesla based on common .NET code sequences)
rule win_agent_tesla_w1 {
    meta:
        description = "Detect Agent Tesla based on common .NET code sequences"
        author = "govcert_ch"
        date = "20200429"
        hash = "2b68a3f88fbd394d572081397e3d8d349746a88e3e67a2ffbfac974dd4c27c6a"
        hash = "abadca4d00c0dc4636e382991e070847077c1d19d50153487da791d3be9cc401"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        malpedia_version = "20200506"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $sequence_0 = { 20 ?? ?? ?? ?? 61 25 FE 0E 01 00 20 05 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 51 00 00 00}
        $sequence_1 = { 20 ?? ?? ?? ?? 61 25 FE 0E 06 00 20 03 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 1C 00 00 00 }
        $sequence_2 = { 04 02 7B 33 04 00 04 03 8F 36 00 00 02 7B 38 04 00 04 8E B7 3F 21 00 00 00 20 ?? ?? ?? ?? 38 97 FF FF FF }

    condition:
        any of them
}
Download all Yara Rules