win.agent_tesla

Agent Tesla

aka: AgenTesla, AgentTesla

Actor(s): SWEED


A .NET-based keylogger, credential stealer and RAT that is a commodity tool readily available to actors. It logs keystrokes and the host's clipboard, harvests saved credentials from browsers and other clients (a 2020 variant also steals Wi-Fi credentials, see the Malwarebytes reference below), may capture the webcam, and exfiltrates the collected data to its operators — commonly over SMTP or to a web panel. Samples are typically delivered through several layers of packing, and newer builds keep their strings and configuration encrypted (see the Unit 42 2017 and Henkel 2020 references), so plaintext-string rules such as win_agent_tesla_w0 below are most effective on unpacked or decrypted dumps.

References
2020-09-03Medium mariohenkelMario Henkel
@online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } Decrypting AgentTesla strings and config
Agent Tesla
2020-08-27MalWatchMalWatch
@online{malwatch:20200827:wintrojanagenttesla:8c6e4f6, author = {MalWatch}, title = {{Win.Trojan.AgentTesla - Malware analysis & threat intelligence report}}, date = {2020-08-27}, organization = {MalWatch}, url = {https://malwatch.github.io/posts/agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-08-28} } Win.Trojan.AgentTesla - Malware analysis & threat intelligence report
Agent Tesla
2020-08-26Lab52Jagaimo Kawaii
@online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } A twisted malware infection chain
Agent Tesla Loki Password Stealer (PWS)
2020-08-10SentinelOneJim Walter
@online{walter:20200810:agent:d09f042, author = {Jim Walter}, title = {{Agent Tesla | Old RAT Uses New Tricks to Stay on Top}}, date = {2020-08-10}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/}, language = {English}, urldate = {2020-08-13} } Agent Tesla | Old RAT Uses New Tricks to Stay on Top
Agent Tesla
2020-08-10SeqritePavankumar Chaudhari
@online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } Gorgon APT targeting MSME sector in India
Agent Tesla
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-01HPAlex Holland
@online{holland:20200701:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-07-01}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-07-17} } Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer
Agent Tesla
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-23InfoSec Handlers Diary BlogXavier Mertens
@online{mertens:20200523:agenttesla:eba0b0c, author = {Xavier Mertens}, title = {{AgentTesla Delivered via a Malicious PowerPoint Add-In}}, date = {2020-05-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/}, language = {English}, urldate = {2020-05-27} } AgentTesla Delivered via a Malicious PowerPoint Add-In
Agent Tesla
2020-05-22YoroiYoroi
@online{yoroi:20200522:cybercriminal:97a41b3, author = {Yoroi}, title = {{Cyber-Criminal espionage Operation insists on Italian Manufacturing}}, date = {2020-05-22}, organization = {Yoroi}, url = {https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/}, language = {English}, urldate = {2020-05-23} } Cyber-Criminal espionage Operation insists on Italian Manufacturing
Agent Tesla
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-16MalwarebytesHossein Jazi
@online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } New AgentTesla variant steals WiFi credentials
Agent Tesla
2020-04-15Suraj Malhotra
@online{malhotra:20200415:how:6cfc199, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II}}, date = {2020-04-15}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/}, language = {English}, urldate = {2020-04-20} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II
Agent Tesla
2020-04-14Palo Alto Networks Unit 42Adrian McCabe, Vicky Ray, Juan Cortes
@online{mccabe:20200414:malicious:9481b60, author = {Adrian McCabe and Vicky Ray and Juan Cortes}, title = {{Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns}}, date = {2020-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/}, language = {English}, urldate = {2020-04-14} } Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
Agent Tesla EDA2
2020-04-13Suraj Malhotra
@online{malhotra:20200413:how:6ea81f8, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I}}, date = {2020-04-13}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/}, language = {English}, urldate = {2020-04-15} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I
Agent Tesla
2020-04-05MalwrAnalysisAnurag
@online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } Trojan Agent Tesla – Malware Analysis
Agent Tesla
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-02-26MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } (Ab)using bash-fu to analyze recent Aggah sample
Agent Tesla
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2018-04-05FortinetXiaopeng Zhang
@online{zhang:20180405:analysis:a048b77, author = {Xiaopeng Zhang}, title = {{Analysis of New Agent Tesla Spyware Variant}}, date = {2018-04-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html}, language = {English}, urldate = {2019-11-26} } Analysis of New Agent Tesla Spyware Variant
Agent Tesla
2018-01-12StormshieldRémi Jullian
@online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } Analyzing an Agent Tesla campaign: from a word document to the attacker credentials
Agent Tesla
2017-09-25Palo Alto Networks Unit 42Jeff White
@online{white:20170925:analyzing:92167ce, author = {Jeff White}, title = {{Analyzing the Various Layers of AgentTesla’s Packing}}, date = {2017-09-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/}, language = {English}, urldate = {2019-12-20} } Analyzing the Various Layers of AgentTesla’s Packing
Agent Tesla
2017-06-28FortinetXiaopeng Zhang
@online{zhang:20170628:indepth:51d37ec, author = {Xiaopeng Zhang}, title = {{In-Depth Analysis of A New Variant of .NET Malware AgentTesla}}, date = {2017-06-28}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr}, language = {English}, urldate = {2020-01-08} } In-Depth Analysis of A New Variant of .NET Malware AgentTesla
Agent Tesla
2016-08ZscalerDeepen Desai
@online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } Agent Tesla Keylogger delivered using cybersquatting
Agent Tesla
Yara Rules
[TLP:WHITE] win_agent_tesla_w0 (20190731 | No description)
rule win_agent_tesla_w0 {
    meta:
        author = "InQuest Labs"
        source = "https://www.inquest.net"
        created = "05/18/2018"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        malpedia_version = "20190731"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // --- Mandatory anchors: every string in this group must be present. ---
        // IELibrary.dll / IELibrary.pdb appear to name a helper assembly for IE
        // credential recovery (cf. the DecryptIePassword / IESecretHeader symbols
        // below); the PDB path is the single most specific token in this rule.
        $pdb = "IELibrary.pdb" ascii
        $x0 = "IELibrary.dll" ascii wide
        // Names of the exfiltration channels the family is reported to use.
        $x1 = "webpanel" ascii wide nocase
        $x2 = "smtp" ascii wide nocase

        // --- VM / sandbox-evasion and AV-hook markers, likewise all mandatory. ---
        // Requiring all four is deliberate precision over recall: a build that
        // drops or encrypts any one of them will not fire this rule.
        $v5 = "vmware" ascii wide nocase
        $v6 = "VirtualBox" ascii wide nocase
        $v7 = "vbox" ascii wide nocase
        $v9 = "avghookx.dll" ascii wide nocase

        // --- Optional group 1: IE password-recovery symbols (threshold: 5 of 9). ---
        // Caveat: "#GUID", "#Strings" and "#Blob" are .NET metadata stream names
        // found in practically every managed assembly, and get_URL / set_URL are
        // generic property accessors, so the threshold can be met by fairly
        // generic strings alone. Specificity comes from the anchors above.
        $s0 = "SecretId1" ascii
        $s1 = "#GUID" ascii
        $s2 = "#Strings" ascii
        $s3 = "#Blob" ascii
        $s4 = "get_URL" ascii
        $s5 = "set_URL" ascii
        $s6 = "DecryptIePassword" ascii
        $s8 = "GetURLHashString" ascii
        $s9 = "DoesURLMatchWithHash" ascii

        // --- Optional group 2: credential-theft and host-profiling member names
        // (threshold: 7 of 13). Method / property names live in the assembly's
        // metadata as ASCII, hence no `wide` modifier on this group.
        $f0 = "GetSavedPasswords" ascii
        $f1 = "IESecretHeader" ascii
        $f2 = "RecoveredBrowserAccount" ascii
        $f4 = "PasswordDerivedBytes" ascii
        $f5 = "get_ASCII" ascii
        $f6 = "get_ComputerName" ascii
        $f7 = "get_WebServices" ascii
        $f8 = "get_UserName" ascii
        $f9 = "get_OSFullName" ascii
        $f10 = "ComputerInfo" ascii
        $f11 = "set_Sendwebcam" ascii
        $f12 = "get_Clipboard" ascii
        $f13 = "get_TotalFreeSpace" ascii
        $f14 = "get_IsAttached" ascii
    condition:
        // No file-type guard (e.g. an MZ check) is applied; with this many
        // mandatory plaintext anchors that mostly costs scan time, not precision.
        // Because the rule relies on cleartext symbols it is best run on unpacked
        // or string-decrypted dumps rather than on packed droppers.
        (5 of ($s*) or 7 of ($f*))
        and all of ($x*, $v*, $pdb)
}
[TLP:WHITE] win_agent_tesla_w1 (20200506 | Detect Agent Tesla based on common .NET code sequences)
rule win_agent_tesla_w1 {
    meta:
        description = "Detect Agent Tesla based on common .NET code sequences"
        author = "govcert_ch"
        date = "20200429"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        malpedia_version = "20200506"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        // hash_1 / hash_2 are the reference samples the byte patterns were cut from.
        hash_1 = "2b68a3f88fbd394d572081397e3d8d349746a88e3e67a2ffbfac974dd4c27c6a"
        hash_2 = "abadca4d00c0dc4636e382991e070847077c1d19d50153487da791d3be9cc401"

    strings:
        // CIL (MSIL) byte patterns, not x86. $sequence_0 and $sequence_1 decode as the
        // dispatcher of a control-flow-flattened method:
        //   ldc.i4 <key> ; xor ; dup ; stloc <slot> ; ldc.i4 5 (resp. 3) ; rem ; switch ... ; br <off>
        // i.e. "(state ^ KEY) % N" selects the next basic block. The wildcard run after
        // 0x45 (switch) appears to cover the jump table (4-byte target count followed by
        // the 4-byte targets); the key itself is wildcarded so it survives re-obfuscation.
        // NOTE(review): this dispatcher shape resembles generic .NET control-flow
        // flattening; the fixed stloc slot, modulus and br offsets are what keep it
        // specific. Validate against other obfuscated .NET binaries before wide rollout.
        $sequence_0 = { 20 ?? ?? ?? ?? 61 25 FE 0E 01 00 20 05 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 51 00 00 00}
        $sequence_1 = { 20 ?? ?? ?? ?? 61 25 FE 0E 06 00 20 03 00 00 00 5E 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 1C 00 00 00 }
        // $sequence_2 decodes as a bounds-checked loop over an array field:
        //   ldarg.2 ; ldarg.0 ; ldfld 0x04000433 ; ldarg.1 ; ldelema 0x02000036 ;
        //   ldfld 0x04000438 ; ldlen ; conv.ovf.i4 ; blt +0x21 ; ldc.i4 <wild> ; br -0x69
        // The ldfld / ldelema operands are literal metadata tokens, which are specific to
        // one metadata layout; expect this pattern to match only builds whose table
        // layout equals the reference samples, and to need re-cutting for new variants.
        $sequence_2 = { 04 02 7B 33 04 00 04 03 8F 36 00 00 02 7B 38 04 00 04 8E B7 3F 21 00 00 00 20 ?? ?? ?? ?? 38 97 FF FF FF }

    condition:
        // A single sequence is sufficient; there is no PE / .NET header guard, so the
        // rule also fires on memory dumps and extracted assemblies, at the cost of
        // scanning every input for these patterns.
        any of them
}