win.agent_tesla (Back to overview)

Agent Tesla

aka: AgenTesla, AgentTesla, Negasteal

Actor(s): SWEED


A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

2024-06-06Medium b.magnezi0xMrMagnezi
Agent Tesla Analysis
Agent Tesla
2024-05-14Check Point ResearchAntonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm
Agent Tesla Malware Analysis
Agent Tesla
2024-04-15Positive TechnologiesAleksandr Badaev, Kseniya Naumova
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
LokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm
2024-04-02Check Point ResearchAntonis Terefos, Raman Ladutska
Agent Tesla Targeting United States & Australia: Revealing the Attackers' Identities
Agent Tesla Bignosa
2024-03-26EchoCTIBilal BAKARTEPE, bixploit
Agent Tesla Technical Analysis Report
Agent Tesla
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2024-02-16Medium b.magnezi0xMrMagnezi
Malware Analysis — AgentTesla
Agent Tesla
2024-02-06Medium osamaellahiOsama Ellahi
Unfolding Agent Tesla: The Art of Credentials Harvesting.
Agent Tesla
2024-02-02StairwellThreat Research at Stairwell
Proactive response: AnyDesk, any breach
Agent Tesla
2024-01-09BitSightAndré Tavares
Data Insights on AgentTesla and OriginLogger Victims
Agent Tesla OriginLogger
2024-01-08YouTube (Embee Research)Embee_research
Javascript Malware Analysis - Decoding an AgentTesla Loader
Agent Tesla
2023-12-20ropgadget.comJeff White
The Origin of OriginLogger & Agent Tesla
Agent Tesla OriginLogger
2023-10-12Cluster25Cluster25 Threat Intel Team
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
Agent Tesla Crimson RAT Nanocore RAT SmokeLoader
2023-10-01Infinitum ITKerime Gencay
Agent Tesla Technical Analysis Report (Paywall)
Agent Tesla
2023-09-29IntrinsecCTI Intrinsec, Intrinsec
Ongoing threats targeting the energy industry
Agent Tesla CloudEyE
2023-08-29ViuleeenzAlessandro Strino
Agent Tesla - Building an effective decryptor
Agent Tesla
2023-05-07Twitter (@embee_research)Matthew
AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints
Agent Tesla
2023-04-16OALabsSergei Frankoff
Agent Tesla RedLine Stealer
2023-04-10Check PointCheck Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-04-07ElasticSalim Bitam
Attack chain leads to XWORM and AGENTTESLA
Agent Tesla XWorm
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-23LogpointAnish Bogati
Emerging Threats: AgentTesla – A Review and Detection Strategies
Agent Tesla
2023-03-16Trend MicroCedric Pernet, Jaromír Hořejší, Loseway Lu
IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Agent Tesla Formbook RedLine Stealer Remcos
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-16Difesa & SicurezzaFrancesco Bussoletti
Cybercrime, RFQ from Turkey carries AgentTesla and zgRAT
Agent Tesla zgRAT
2022-12-18SANS ISCGuy Bruneau
Infostealer Malware with Double Extension
Agent Tesla
2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos
2022-11-16splunkSplunk Threat Research Team
Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis
Agent Tesla
2022-11-09Cisco TalosEdmund Brumaghin
Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
Agent Tesla
2022-09-23KasperskyArtem Ushkov, Roman Dedenok
Mass email campaign with a pinch of targeted spam
Agent Tesla
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-13Palo Alto Networks Unit 42Jeff White
OriginLogger: A Look at Agent Tesla’s Successor
Agent Tesla OriginLogger
2022-08-29360 netlabwanghao
PureCrypter Loader continues to be active and has spread to more than 10 other families
404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer
2022-08-29360 netlabwanghao
PureCrypter is busy pumping out various malicious malware families
Agent Tesla PureCrypter RedLine Stealer
2022-08-17SecureworksCounter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
Cyberattack on State Organizations of Ukraine using the topic OK "South" and the malicious program AgentTesla (CERT-UA#4987)
Agent Tesla
2022-07-12Team CymruKyle Krejci
An Analysis of Infrastructure linked to the Hagga Threat Actor
Agent Tesla
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord
Agent Tesla Quasar RAT WhisperGate
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12Palo Alto Networks Unit 42Tyler Halfpop
Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
Agent Tesla
2022-05-05Malwarebytes LabsThreat Intelligence Team
Nigerian Tesla: 419 scammer gone malware distributor unmasked
Agent Tesla
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-15Center for Internet SecurityCIS
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-12Check PointCheck Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-03-31APNICDebashis Pal
How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2022-03-26forensicitguyTony Lambert
An AgentTesla Sample Using VBA Macros and Certutil
Agent Tesla
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-07FortinetFred Gutierrez, James Slaughter, Val Saengphaibul
Fake Purchase Order Used to Deliver Agent Tesla
Agent Tesla
2022-03-07LAC WATCHCyber ​​Emergency Center
Xloader Agent Tesla Formbook Loki Password Stealer (PWS)
2022-03-04Bleeping ComputerBill Toulas
Russia-Ukraine war exploited as lure for malware distribution
Agent Tesla Remcos
2022-03-04BitdefenderAlina Bizga
Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine
Agent Tesla Remcos
2022-02-23Weixin360 Threat Intelligence Center
APT-C-58 (Gorgon Group) attack warning
Agent Tesla
2022-02-06forensicitguyTony Lambert
AgentTesla From RTF Exploitation to .NET Tradecraft
Agent Tesla
2022-02-02QualysGhanshyam More
Catching the RAT called Agent Tesla
Agent Tesla
2022-01-25Palo Alto Networks Unit 42Yaron Samuel
Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies
Agent Tesla
DTPacker – a .NET Packer with a Curious Password
Agent Tesla TA2536
2022-01-24NetskopeGhanashyam Satpathy, Gustavo Palazolo
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
Agent Tesla
2022-01-21MalGamyGameel Ali
Deep Analysis Agent Tesla Malware
Agent Tesla
2022-01-12Guillaume Orlando
2021 Gorgon Group APT Operation
Agent Tesla
Deep analysis agent tesla malware
Agent Tesla
2022-01-12Guillaume Orlando
Malware Analysis - AgentTesla v3
Agent Tesla
2022-01-03forensicitguyTony Lambert
A Tale of Two Dropper Scripts for Agent Tesla
Agent Tesla
2021-12-31InfoSec Handlers Diary BlogJan Kopriva
Do you want your Agent Tesla in the 300 MB or 8 kB package?
Agent Tesla
2021-12-30InfoSec Handlers Diary BlogBrad Duncan
Agent Tesla Updates SMTP Data Exfiltration Technique
Agent Tesla
2021-12-20InfoSec Handlers Diary BlogAlef Nula, Jan Kopriva
PowerPoint attachments, Agent Tesla and code reuse in malware
Agent Tesla
2021-12-17YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Serverless InfoStealer delivered in Est European Countries
Agent Tesla
2021-12-08YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Full malware analysis Work-Flow of AgentTesla Malware
Agent Tesla
Agent Tesla
2021-12-02AhnLabASEC Analysis Team
Spreading AgentTesla through more sophisticated malicious PPT
Agent Tesla
2021-11-22YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part1]
Agent Tesla
2021-11-22YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part2]
Agent Tesla
2021-11-16YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook
2021-11-12Living CodeDominik Degroot
AgentTesla dropped via NSIS installer
Agent Tesla
2021-11-02InQuestDmitry Melikov
Adults Only Malware Lures
Agent Tesla
2021-10-06zimperiumJordan Herman
Malware Distribution with Mana Tools
Agent Tesla Azorult
REMCOS and Agent Tesla loaded into memory with Rezer0 loader
Agent Tesla Remcos
2021-09-08JuniperPaul Kimayong
Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware
Agent Tesla
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-07-28RiskIQJennifer Grob, Jordan Herman
Use of XAMPP Web Component to Identify Agent Tesla Infrastructure
Agent Tesla
2021-07-24InfoSec Handlers Diary BlogXavier Mertens
Agent.Tesla Dropped via a .daa Image and Talking to Telegram
Agent Tesla
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-06-29YoroiLuca Mella, Luigi Martire
The "WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight
Agent Tesla Cobian RAT Oski Stealer
2021-06-24TrustwaveDiana Lopera
Yet Another Archive Format Smuggling Malware
Agent Tesla
2021-06-24BlackberryThe BlackBerry Research and Intelligence Team
Threat Thursday: Agent Tesla Infostealer
Agent Tesla
2021-06-11NSFOCUSFuying Laboratory
Nigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry
Agent Tesla
2021-06-04FortinetXiaopeng Zhang
Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant
Agent Tesla
2021-06-02SophosSean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-05-18Youtube (AhmedS Kasmani)AhmedS Kasmani
Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.
Agent Tesla
2021-05-11Twitter (@MsftSecIntel)Microsoft Security Intelligence
Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla
Agent Tesla AsyncRAT
2021-05-11VMRayMateusz Lukaszewski, VMRay Labs Team
Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3
Agent Tesla
2021-05-07MorphisecNadav Lorber
Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-04menshaway blogspotMahmoud Morsy
Technical report of AgentTesla
Agent Tesla
2021-03-17HPHP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25MinervaMinerva Labs
Preventing AgentTelsa Infiltration
Agent Tesla
2021-02-12TrustwaveDiana Lopera, Rodel Mendrez
The Many Roads Leading To Agent Tesla
Agent Tesla
2021-02-12InfoSec Handlers Diary BlogXavier Mertens
AgentTesla Dropped Through Automatic Click in Microsoft Help File
Agent Tesla
2021-02-11InfoSec Handlers Diary BlogJan Kopriva
Agent Tesla hidden in a historical anti-malware tool
Agent Tesla
2021-01-21DENEXUSMarkel Picado
Spear Phishing Targeting ICS Supply Chain - Analysis
Agent Tesla
2021-01-11ESET ResearchMatías Porolli
Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
Threat Profile: GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2020-12-21Cisco TalosJON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-18Trend MicroJunestherry Salvador, Matthew Camacho, Raphael Centeno
Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma
2020-12-15CofenseAaron Riley
Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities
Agent Tesla
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-07ProofpointProofpoint Threat Research Team
Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-12-04IndeChris Campbell
Inside a .NET Stealer: AgentTesla
Agent Tesla
2020-12-03TelsyTelsy Research Team
When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage
Agent Tesla
2020-11-27HPAlex Holland
Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer
Agent Tesla
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-18G DataG-Data
Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-11-05MorphisecMichael Gorelik
Agent Tesla: A Day in a Life of IR
Agent Tesla
2020-10-16HornetsecurityHornetsecurity Security Lab
VBA Purging Malspam Campaigns
Agent Tesla Formbook
2020-10-05JuniperPaul Kimayong
New pastebin-like service used in multiple malware campaigns
Agent Tesla LimeRAT RedLine Stealer
2020-09-03Medium mariohenkelMario Henkel
Decrypting AgentTesla strings and config
Agent Tesla
Win.Trojan.AgentTesla - Malware analysis & threat intelligence report
Agent Tesla
2020-08-26Lab52Jagaimo Kawaii
A twisted malware infection chain
Agent Tesla Loki Password Stealer (PWS)
2020-08-10SentinelOneJim Walter
Agent Tesla | Old RAT Uses New Tricks to Stay on Top
Agent Tesla
2020-08-10SeqritePavankumar Chaudhari
Gorgon APT targeting MSME sector in India
Agent Tesla
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-23InfoSec Handlers Diary BlogXavier Mertens
AgentTesla Delivered via a Malicious PowerPoint Add-In
Agent Tesla
2020-05-22YoroiAntonio Pirozzi, Giacomo d'Onofrio, Luca Mella, Luigi Martire
Cyber-Criminal espionage Operation insists on Italian Manufacturing
Agent Tesla
2020-05-14SophosLabsMarkel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-16MalwarebytesHossein Jazi
New AgentTesla variant steals WiFi credentials
Agent Tesla
2020-04-15Suraj Malhotra
How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II
Agent Tesla
2020-04-14Palo Alto Networks Unit 42Adrian McCabe, Juan Cortes, Vicky Ray
Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
Agent Tesla EDA2
2020-04-13Suraj Malhotra
How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I
Agent Tesla
Trojan Agent Tesla – Malware Analysis
Agent Tesla
2020-03-24RiskIQWes Smiley
Exploring Agent Tesla Infrastructure
Agent Tesla
2020-03-18ProofpointAxel F, Sam Scholten
Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-02-26MalwareLab.plMaciej Kotowicz
(Ab)using bash-fu to analyze recent Aggah sample
Agent Tesla
2020-02-02Sophos LabsMarkel Picado, Sean Gallagher
Agent Tesla amps up information stealing attacks
Agent Tesla
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15Cisco TalosEdmund Brumaghin
SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2018-04-18SecureworksCounter Threat Unit ResearchTeam
GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2018-04-05FortinetXiaopeng Zhang
Analysis of New Agent Tesla Spyware Variant
Agent Tesla
2018-01-12StormshieldRémi Jullian
Analyzing an Agent Tesla campaign: from a word document to the attacker credentials
Agent Tesla
2017-09-25Palo Alto Networks Unit 42Jeff White
Analyzing the Various Layers of AgentTesla’s Packing
Agent Tesla
2017-06-28FortinetXiaopeng Zhang
In-Depth Analysis of A New Variant of .NET Malware AgentTesla
Agent Tesla
2016-08-01ZscalerDeepen Desai
Agent Tesla Keylogger delivered using cybersquatting
Agent Tesla
Yara Rules
[TLP:WHITE] win_agent_tesla_w0 (20190731 | No description)
rule win_agent_tesla_w0 {
        author = "InQuest Labs"
        source = ""
        created = "05/18/2018"
        malpedia_reference = ""
        malpedia_version = "20190731"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        $s0 = "SecretId1" ascii
        $s1 = "#GUID" ascii
        $s2 = "#Strings" ascii
        $s3 = "#Blob" ascii
        $s4 = "get_URL" ascii
        $s5 = "set_URL" ascii
        $s6 = "DecryptIePassword" ascii
        $s8 = "GetURLHashString" ascii
        $s9 = "DoesURLMatchWithHash" ascii

        $f0 = "GetSavedPasswords" ascii
        $f1 = "IESecretHeader" ascii
        $f2 = "RecoveredBrowserAccount" ascii
        $f4 = "PasswordDerivedBytes" ascii
        $f5 = "get_ASCII" ascii
        $f6 = "get_ComputerName" ascii
        $f7 = "get_WebServices" ascii
        $f8 = "get_UserName" ascii
        $f9 = "get_OSFullName" ascii
        $f10 = "ComputerInfo" ascii
        $f11 = "set_Sendwebcam" ascii
        $f12 = "get_Clipboard" ascii
        $f13 = "get_TotalFreeSpace" ascii
        $f14 = "get_IsAttached" ascii

        $x0 = "IELibrary.dll" ascii wide
        $x1 = "webpanel" ascii wide nocase
        $x2 = "smtp" ascii wide nocase

        $v5 = "vmware" ascii wide nocase
        $v6 = "VirtualBox" ascii wide nocase
        $v7 = "vbox" ascii wide nocase
        $v9 = "avghookx.dll" ascii wide nocase

        $pdb = "IELibrary.pdb" ascii
                5 of ($s*) or
                7 of ($f*)
            ) and
            all of ($x*) and
            all of ($v*) and
[TLP:WHITE] win_agent_tesla_w1 (20200506 | Detect Agent Tesla based on common .NET code sequences)
rule win_agent_tesla_w1 {
        description = "Detect Agent Tesla based on common .NET code sequences"
        author = "govcert_ch"
        date = "20200429"
        hash = "2b68a3f88fbd394d572081397e3d8d349746a88e3e67a2ffbfac974dd4c27c6a"
        hash = "abadca4d00c0dc4636e382991e070847077c1d19d50153487da791d3be9cc401"
        malpedia_reference = ""
        malpedia_version = "20200506"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

        $sequence_0 = { 20 ?? ?? ?? ?? 61 25 FE 0E 01 00 20 05 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 51 00 00 00}
        $sequence_1 = { 20 ?? ?? ?? ?? 61 25 FE 0E 06 00 20 03 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 1C 00 00 00 }
        $sequence_2 = { 04 02 7B 33 04 00 04 03 8F 36 00 00 02 7B 38 04 00 04 8E B7 3F 21 00 00 00 20 ?? ?? ?? ?? 38 97 FF FF FF }

        any of them
Download all Yara Rules