Agent Tesla Analysis

The past and present of Agent Tesla

Agent Tesla first appeared in 2014 on a Turkish-language website, where it was sold as a keylogger. Although the website claimed that the product only provided legitimate services to its users, the functions it offered for bypassing anti-virus software, covertly bundling programs, and transferring sensitive files were comparable to, and in some respects more sophisticated than, those of information-stealing Trojans. It is therefore generally regarded as software built specifically for stealing information. Agent Tesla later became popular on underground forums and in hacker communities, with prices generally ranging from 15 to 69 US dollars and transactions often settled in Bitcoin.


Nowadays, Agent Tesla has gone through several rounds of code improvement and feature enhancement. It has become a professional information stealer capable of harvesting sensitive data from browsers, FTP clients, VPN clients, mail clients, and Wi-Fi configurations.

In terms of propagation, Agent Tesla spreads mainly through phishing or spam emails carrying attachments in a variety of formats (ZIP, CAB, MSI, IMG, Office documents, etc.), and it supports sending stolen data back over several protocols, including SMTP, FTP and HTTP. To resist analysis, Agent Tesla uses a variety of anti-virus evasion, anti-debugging and anti-virtual-machine techniques, which greatly increases the effort required from security analysts. At the user level, Agent Tesla provides easy-to-configure builder pages: buyers can select the Trojan functions they need according to their own situation, such as several ways of achieving persistence, UAC settings, and forcibly terminating anti-virus processes.


In terms of target industries, Agent Tesla attacks have spread across the Internet, education, banking, telecommunications, medical and manufacturing sectors, and expanded to the energy industry in early 2020.


Agent Tesla remains active to this day. In early 2020, for example, several hacker groups were revealed to be using Agent Tesla in COVID-19-themed phishing campaigns against government and medical organizations. Among them, Deloitte CTI observed a phishing attack in the name of "COVID-19" in which the attackers used the Agent Tesla Trojan to steal IP information from medical research institutions in Japan and Canada. According to Deloitte CTI researchers, the attackers sent phishing emails titled "COVID-19 Supplier Notice" or "Pandemic Consultation" to their targets. These emails carried a Trojan file disguised as "COVID-19 Supplier". Once the user opened the file, the Agent Tesla Trojan was automatically loaded onto the victim's computer and began stealing current medical research results.

Another example is from mid-2020, when the Gorgon APT group used Agent Tesla to steal information from India's MSME sector. Researchers observed phishing campaigns targeting MSME (micro, small and medium enterprise) companies in India using COVID-19-themed malicious documents. The attack chain is as follows: after the victim opens "face mask order.doc", the RTF triggers the CVE-2017-11882 vulnerability to execute arbitrary code. The RTF file contains two malicious OLE objects: the first is the executable ServerCrypted.vbs script; the second is the Equation.3 exploit (CVE-2017-11882) together with the code that runs ServerCrypted.vbs. After successful exploitation, the script downloads two files with the extension .jpg: one is a PowerShell script that loads a DLL in memory; the second is the Agent Tesla payload.

In late 2020, Agent Tesla attacks still concentrated on India, with the United States and Brazil also among the main targeted countries. In addition to the financial services and public-sector entities targeted earlier, the main targets now include Internet service providers (ISPs), because ISPs hold email and other important personal data that can be used to gain access to other accounts and services, which is of great value for follow-on attacks.

Sample analysis

As mentioned earlier, Agent Tesla's main propagation method is phishing email: attackers usually use social engineering to deliver enticing emails, documents or archives to their targets. In the past few months we have observed many attackers spreading Agent Tesla Trojans in emails on the subject of the coronavirus epidemic, namely "COVID-19" or "2019-nCov".


These emails generally contain malicious links, or carry Agent Tesla payloads as attachments, to trick victims into clicking. Some samples are also downloaded and executed through macro-enabled documents or Office files that exploit vulnerabilities, most commonly CVE-2017-11882 and CVE-2017-0199. Details are shown in the following table:

| File name | Exploited vulnerability | Vulnerability description | Harm |
| --- | --- | --- | --- |
| COVID 19 NEW ORDER FACE MASKS.doc.rtf | CVE-2017-11882 | Stack-based buffer overflow vulnerability | Allows an attacker to run arbitrary code that delivers a payload |
| measures for FAIRCHEM STEED Voyage | CVE-2017-8570 | Remote code execution vulnerability in Microsoft Office | Allows attackers to download a .NET payload |
| RFQ REF NS326413122017.docx | CVE-2017-0199 | Uses Office OLE object linking technology | The Microsoft HTA application (mshta.exe) loads the malicious file to download and execute the payload |

Here we analyze a typical Agent Tesla Trojan sample. Its main behavior is as follows:

1. The sample first uses remote template injection to download a doc file containing the CVE-2017-11882 exploit.


2. When the document is opened, it automatically triggers the vulnerability to execute code, and uses the API function URLDownloadToFileW to download the attack payload from a specified URL and save it as C:\Users\Public\regasm.exe.


3. When the decoy document is opened, its content turns out to be garbled.


4. The attack payload first loads a resource file embedded in the executable, which on the surface is a PNG image.



5. Deeper analysis shows that the resource file contains hidden code to be executed; the Trojan decrypts it and continues running with the decrypted code.


6. Depending on its configuration, the Trojan persists itself using one of three methods: the startup directory, the registry, or a scheduled task.


7. The Trojan then continues to read content from the resource file and, by decrypting it, releases the real Agent Tesla main body.


The decryption function is as follows:


The Trojan's main body uses timers to invoke its functions, for example installing a global hook for keylogging:


Capturing screenshots:


8. The Trojan can send stolen data back through multiple protocols.
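The behavior in steps 1 to 8 (Office exploit, payload dropped under C:\Users\Public, persistence via startup directory, registry or scheduled task, then data sent out over mail or FTP ports) can be matched as a sequence of host events. The following Python is an added example and not code from the original analysis: it runs rule-style checks over constructed Sysmon-like event records; the field names, the EQNEDT32.EXE (Equation Editor) parent/child relation and the mail-client allowlist are assumptions, not values taken from the sample.

```python
import re

# Constructed Sysmon-like events modelling the chain in steps 1-8 above:
# Office -> Equation Editor (CVE-2017-11882) -> drop in C:\Users\Public ->
# Run-key persistence -> outbound SMTP from the dropped binary.
EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "EQNEDT32.EXE"},
    {"type": "file", "image": "EQNEDT32.EXE", "path": r"C:\Users\Public\regasm.exe"},
    {"type": "process", "parent": "EQNEDT32.EXE", "image": r"C:\Users\Public\regasm.exe"},
    {"type": "registry", "image": r"C:\Users\Public\regasm.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regasm"},
    {"type": "network", "image": r"C:\Users\Public\regasm.exe", "dport": 587},
    {"type": "network", "image": "outlook.exe", "dport": 587},  # real mail client: benign
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
PUBLIC_DROP = re.compile(r"^C:\\Users\\Public\\[^\\]+\.(exe|dll|vbs|ps1)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
EXFIL_PORTS = {21, 25, 465, 587}          # FTP and SMTP, two of the page's backhaul protocols
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "foxmail.exe"}  # assumed allowlist


def detect(events):
    """Return (stage, detail) pairs; stages map to steps 1-2, 6 and 8 of the analysis."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "process" and e["parent"].upper() in OFFICE_APPS \
                and e["image"].upper() == "EQNEDT32.EXE":
            findings.append(("exploit", f"{e['parent']} spawned {e['image']}"))
        elif kind == "process" and e["image"].lower() == "schtasks.exe":
            findings.append(("persistence", "scheduled task created via schtasks.exe"))
        elif kind == "file" and PUBLIC_DROP.match(e["path"]):
            findings.append(("drop", e["path"]))
        elif kind == "file" and STARTUP_DIR.search(e["path"]):
            findings.append(("persistence", e["path"]))
        elif kind == "registry" and RUN_KEY.search(e["key"]):
            findings.append(("persistence", e["key"]))
        elif kind == "network" and e["dport"] in EXFIL_PORTS \
                and e["image"].lower() not in MAIL_CLIENTS:
            findings.append(("exfil", f"{e['image']} -> tcp/{e['dport']}"))
    return findings


def chain_score(events):
    """Number of distinct stages seen; 3 or more is treated as a confirmed chain."""
    return len({stage for stage, _ in detect(events)})


if __name__ == "__main__":
    for stage, detail in detect(EVENTS):
        print(f"[{stage}] {detail}")
    print("chain score:", chain_score(EVENTS))
```

A single stage on its own (for example one Run-key write) is a weak signal; the value of the rule set is in correlating several stages on the same host within a short window.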







9. From the SMTP-related code we can recover the victim's email information. Analysis shows that most of the reporting environments are honeypots and analyst machines, although a small number are genuine compromised hosts.


10. Combining the analysis results of other samples, we summarize the software from which Agent Tesla steals data in the table below.

| Software type | Software |
| --- | --- |
| Browser clients | 360 Browser, Comodo Dragon, Coccoc, 7Star, Kometa, Orbitum, Yandex Browser, Opera Browser, Sleipnir 6, Coowon, Brave, Sputnik, Chromium, Uran, QIP Surf, Cool Novo, Epic Privacy, Vivaldi, Torch Browser, Chedot, Liebao Browser, CentBrowser, Iridium Browser, Amigo, Elements Browser, Citrio, Google Chrome, Mozilla Firefox, Microsoft IE, Apple Safari, SeaMonkey, ComodoDragon, FlockBrowser, SRWare Iron, UC Browser |
| Mail clients | Microsoft Office Outlook, Mozilla Thunderbird, Foxmail, Opera Mail, PocoMail, Eudora |
| FTP clients | FileZilla, WS FTP, WinSCP, CoreFTP, FlashFXP, SmartFTP, FTPCommander |
| Dynamic DNS | DynDNS, No-IP |
| Video chat | Paltalk, Pidgin |
| Download managers | Internet Download Manager, JDownloader |


Although Agent Tesla's overall structure is relatively simple and it has a six-year history, it remains one of the most popular malware families. In recent years it has been continuously updated and its functions continuously improved; its anti-virus evasion and anti-analysis capabilities have grown increasingly complex, and combined with social engineering this makes it significantly harder to defend against. We believe this commercial stealer will become even more active in the future, and we recommend the following measures to detect and prevent related threats: