Agent Tesla Malware — Threat Analysis Report (CyberDudeBivash Deep-Dive) By CyberDudeBivash

Powered by: cyberdudebivash.com | cyberbivash.blogspot.com


Executive Summary

Agent Tesla is a long-running, commodity .NET infostealer/keylogger sold via MaaS (Malware-as-a-Service). It remains popular because it’s cheap, easy to build, and flexible: operators toggle modules for credential theft, keylogging, clipboard/cookies theft, screenshots, USB spread, and exfiltration over SMTP/FTP/HTTP(S)/Telegram/Discord. Campaigns are typically malspam-driven (invoice/PO/shipping lures) and increasingly use containerized attachments (ZIP/ISO/IMG/LNK/OneNote/HTML smuggling) to bypass email filters.

This report delivers defender-only coverage: attack chain, TTPs, detections (Sigma/KQL/YARA), IoC patterns, and a controls playbook mapped to ATT&CK—plus a publication-ready block and hashtags for CyberBivash.


1) Threat Overview

  • Family: Agent Tesla (multiple “builder” lineages; cracked/repacked variants common)
  • Goal: Steal identities (browser passwords, email/FTP/VPN creds, crypto-wallet data), surveil (keylogs/screenshots), and exfiltrate to attacker-controlled relays.
  • Why defenders still see it: Persistent malspam ecosystems, builder GUIs, frequent re-obfuscation/packing, and SMTP exfil via compromised mailboxes (blends with normal traffic).

2) Capabilities (common modules)

  • Credential theft from Chromium/Gecko browsers, Outlook/Thunderbird, VPN/FTP clients, Wi-Fi profiles, mail clients, some password managers when unlocked.
  • Session & cookie theft (bypass MFA by replaying live sessions).
  • Keylogger & clipboard grabber (captures typed creds, crypto addresses).
  • Screenshots / webcam (occasionally) at configurable intervals.
  • Anti-analysis: string encryption, junk code, packers (e.g., ConfuserEx derivatives), VM/DBG checks.
  • Persistence: Run/RunOnce keys, Scheduled Tasks, Startup folder, WMI event consumer (less common).
  • C2/exfil: SMTP (most frequent), FTP/HTTP(S) POST, Telegram/Discord webhooks, custom panels; optional proxy settings and TLS.

3) Delivery & Attack Chain (typical)

  1. Initial Access – Email/Malvertising
    • Lures: Invoices, purchase orders, RFQs, DHL/FedEx, shipping docs, remittances, “scanner/copier” PDFs.
    • Containers: ZIP (w/ EXE or script), ISO/IMG (mount → LNK + decoy), RAR/7z, OneNote (.one), XLL, HTML smuggling (JS builds payload client-side).
  2. Execution – LOLBins & Stagers
    • LNK → PowerShell/JScript; mshta/wscript/cscript; regsvr32; rundll32; Add-Type to load .NET assemblies; reflective load of packed Agent Tesla.
  3. Discovery & Collection
    • Enumerates installed browsers/mail/FTP/VPN; accesses DPAPI/Keychain to decrypt; scrapes cookies; activates keylogger/screenshot loop.
  4. Exfiltration
    • Sends “logs” (often ZIP) via SMTP (AUTH) using hard-coded creds (frequently stolen/throwaway), or uploads over FTP/HTTP(S); many samples use Telegram bots/Discord webhooks.
  5. Persistence & Cleanup
    • Adds autoruns; sets hidden attributes; may delete dropper; rotates exfil intervals to avoid throttling.

4) What to Hunt (high-value signals)

4.1 Host & Process clues

  • Office/PDF/archiver → scripting engine → network tool chains:
    • WINWORD.EXE / Acrobat.exe / 7zFM.exe → wscript.exe / mshta.exe / powershell.exe → outbound SMTP/HTTP(S).
  • Abnormal access to browser artifacts:
    • …\AppData\Local\Google\Chrome\User Data\Default\Login Data
    • …\AppData\Local\Google\Chrome\User Data\Default\Cookies
    • Firefox profile logins.json / key4.db
  • Rapid screenshot bursts (temp PNG/JPG in %TEMP% then delete).
  • New autoruns (Run/RunOnce/Scheduled Tasks) referencing user-writable paths (AppData\Roaming).

4.2 Network/egress clues

  • SMTP to foreign providers (port 587/465) from user endpoints (not mail relays).
  • HTTP(S) POST to low-reputation VPS; multipart/form-data carrying logs.zip / keylogs.txt.
  • Telegram/Discord API from corporate endpoints (if not sanctioned).
  • Odd user-agent strings (statically coded, e.g., “Mozilla/5.0 AgentTesla …”).

4.3 Email gateway clues

  • Attachment mashups: INV####.zip → INV####.iso → INV####.lnk → powershell -enc …
  • HTML attachments containing large JS blobs (smuggling).
  • Content referring to shipping terms, SWIFT, TT payment, remittance copy, PI/PO.

5) MITRE ATT&CK Mapping (representative)

  • Initial Access: T1566 Phishing; T1189 Drive-by Compromise
  • Execution: T1059 Command/Scripting; T1218 Signed Binary Proxy Exec (mshta/regsvr32)
  • Persistence: T1060/T1547 Autoruns; T1053 Scheduled Task
  • Credential Access: T1555 Credentials from Web Browsers; T1040 Keylogging; T1003 OS Credential Dumping (occasionally)
  • Collection: T1113 Screen Capture; T1119 Automated Collection
  • Exfiltration: T1041 Exfil over C2; T1071.002/003 Application Layer Protocol (SMTP/HTTP)
  • Defense Evasion: T1027 Obfuscated/Encrypted Files; VM/DBG Checks

6) IoC Patterns (safe exemplars)

Exact domains rotate quickly; treat these as patterns and feed current intel from your sources.

Filenames / Paths

  • %TEMP%\logs.zip, %TEMP%\keylogs.txt, %APPDATA%\Microsoft\<random>\*.exe
  • LNK displays doc icon but runs: powershell.exe -ExecutionPolicy Bypass -enc <base64>
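The -enc launcher above is the reason keyword rules on raw command lines often miss the stager: the argument is base64 of a UTF-16LE script. As an added example (not code from this report), the Python helper below decodes that argument and scores the result against the loader/exfil markers the report names in Section 3; the command lines it runs on are constructed for the demo.

```python
"""Decode PowerShell -EncodedCommand values from process command lines for triage.
Added example, not code from the CyberDudeBivash report: -enc carries base64 of a
UTF-16LE script, so keyword rules on the raw command line miss it. The marker list
is this report's loader/exfil vocabulary; the sample command lines are constructed."""
import base64
import re

# Any unambiguous prefix of -EncodedCommand that powershell.exe accepts (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom"
                      r"|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Markers from the report's execution/exfil description; matched case-insensitively.
MARKERS = ("Add-Type", "Reflection.Assembly", "FromBase64String", "SmtpClient",
           "DownloadString", "Invoke-Expression")

def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no valid -enc argument is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding / not UTF-16LE: leave for manual triage

def score(cmdline):
    """Return (text_examined, markers_found); decodes -enc first when present."""
    text = decode_encoded_command(cmdline) or cmdline
    low = text.lower()
    return text, [mk for mk in MARKERS if mk.lower() in low]

# Constructed samples: a benign launch and an encoded launcher of the kind an LNK lure uses.
BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"
SAMPLE_SCRIPT = "Add-Type -AssemblyName System.Net; $a=[Reflection.Assembly]::Load($b)"
ENCODED = "powershell.exe -ExecutionPolicy Bypass -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()

if __name__ == "__main__":
    for cmd in (BENIGN, ENCODED):
        text, found = score(cmd)
        print("FLAG" if found else "ok  ", found, "|", text[:60])
```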

Registry / Tasks

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random> → AppData EXE
  • Task names mimicking drivers/services (e.g., “Windows System Host”, “Office Update Helper”)

SMTP Traits

  • AUTH to free mail providers; subjects like “Keylogger report from %USERNAME%”, “Daily Logs”; attachment ZIP with host/user in name.

Network

  • Telegram api.telegram.org/bot<token>/sendDocument
  • Discord https://discord.com/api/webhooks/...
  • HTTP POST multipart to /gate.php, /panel/upload.php

7) Detections (drop-in starters)

7.1 Sigma (process chain)

title: Office/Archive Spawns Scripting with Network Egress
logsource: { product: windows, service: sysmon }
detection:
  parent:
    EventID: 1
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\Acrobat.exe'
      - '\7zFM.exe'
  child:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\powershell.exe'
  condition: parent and child
level: high

7.2 Sigma (browser DB access by scripts)

title: Suspicious Access to Browser Secrets by Script Host
logsource: { product: windows, service: sysmon }
# Sysmon EventID 11 is FileCreate: this fires when a script host writes or copies a
# browser DB (stealers copy the locked SQLite file before decrypting it), not on reads.
detection:
  sel:
    EventID: 11
    Image|endswith:
      - '\powershell.exe'
      - '\wscript.exe'
      - '\python.exe'
    TargetFilename|contains:
      - '\Login Data'
      - '\Cookies'
      - '\logins.json'
      - '\key4.db'
  condition: sel
level: high

7.3 KQL (SMTP from endpoints)

DeviceNetworkEvents
| where Timestamp > ago(24h)
// SMTP ports; !in~ is the case-insensitive form (process names may be logged as OUTLOOK.EXE)
| where RemotePort in (25, 465, 587) and InitiatingProcessFileName !in~ ("outlook.exe", "thunderbird.exe")
| summarize count() by DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, bin(Timestamp, 30m)
| where count_ > 5

7.4 YARA (very generic, strings are placeholders—tune per feed)

rule AgentTesla_Generic
{
  meta:
    author = "CyberDudeBivash"
    description = "Generic heuristics for Agent Tesla .NET packers"
  strings:
    // .NET user-string literals are UTF-16LE, so ascii-only patterns miss them: match wide too
    $s1 = "System.Net.Mail.SmtpClient" nocase ascii wide
    $s2 = "KEYLOGS" ascii wide
    $s3 = "Cookies" ascii wide
    $s4 = /Discord\/api\/webhooks|api\.telegram\.org\/bot/ nocase ascii wide
  condition:
    uint16(0) == 0x5A4D and 2 of ($s*)
}

Tune these with your TI feed; prefer behavior detections over brittle hashes.
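The Sigma chain rule and the KQL SMTP query above each look at a single event type. As an added example (not code from this report), the Python correlation below joins Sysmon-style process-create and network-connect records on ProcessGuid so the two signals become one tiered alert; field names follow Sysmon, and the host names and IPs are constructed.

```python
"""Correlate Office/archiver -> script host -> outbound SMTP in Sysmon-style telemetry.
Added example, not code from the CyberDudeBivash report: joins EventID 1 (process create)
and EventID 3 (network connect) on ProcessGuid into one tiered alert. Telemetry is constructed."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrobat.exe", "7zfm.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SANCTIONED_MAIL = {"outlook.exe", "thunderbird.exe"}  # processes allowed to speak SMTP
SMTP_PORTS = {25, 465, 587}

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Return (computer, parent, child, 'ip:port', severity) per SMTP connection:
    high = Office/PDF/archiver -> script host -> SMTP; medium = other non-mail process -> SMTP."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] not in SMTP_PORTS:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:  # no create event seen: cannot attribute the connection
            continue
        child, parent = basename(proc["Image"]), basename(proc["ParentImage"])
        if child in SANCTIONED_MAIL:
            continue
        sev = "high" if child in SCRIPT_HOSTS and parent in OFFICE_PARENTS else "medium"
        hits.append((e["Computer"], parent, child,
                     f"{e['DestinationIp']}:{e['DestinationPort']}", sev))
    return hits

def create(guid, host, image, parent):  # Sysmon EventID 1 shaped record
    return {"EventID": 1, "Computer": host, "ProcessGuid": guid, "Image": image, "ParentImage": parent}

def connect(guid, host, ip, port):  # Sysmon EventID 3 shaped record
    return {"EventID": 3, "Computer": host, "ProcessGuid": guid, "DestinationIp": ip, "DestinationPort": port}
# Constructed sample telemetry (documentation-range IPs, invented host names).
SAMPLE_EVENTS = [
    create("g1", "FIN-PC-07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    connect("g1", "FIN-PC-07", "203.0.113.25", 587),  # Word -> PowerShell -> SMTP: high
    create("g2", "FIN-PC-07", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Windows\explorer.exe"),
    connect("g2", "FIN-PC-07", "203.0.113.10", 587),  # sanctioned mail client: ignored
    create("g3", "HR-PC-02", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe"),
    connect("g3", "HR-PC-02", "198.51.100.7", 465),  # script host without Office parent: medium
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT", *hit)
```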


8) Incident Response Playbook (Agent Tesla suspected)

  1. Isolate host (network quarantine).
  2. Preserve evidence (RAM + disk; collect autoruns, tasks, prefetch, browser DBs).
  3. Hunt organization-wide for the email lure, attachment hashes, and SMTP egress patterns.
  4. Invalidate sessions (SaaS/SSO), rotate credentials (email/FTP/VPN/cloud), and revoke OAuth tokens.
  5. Eradicate persistence; reimage when feasible.
  6. Block current C2/SMTP accounts, Telegram/Discord webhooks; submit to filtering vendors.
  7. Lessons learned: gate risky attachments, strengthen ASR, add detections, run a tabletop.

9) Control Stack That Actually Works

Email & Web

  • Block dangerous attachment types (EXE, JS/JSE, VBS/VBE, CHM, SCR, MSI, ISO/IMG, LNK, XLL, HTA, shortcut inside archives).
  • Detonate attachments in sandbox; flatten Office/PDF.
  • DMARC p=reject, brand impersonation detection, URL isolation for finance/execs.
  • Detect HTML smuggling (download triggered by in-page JS).

Endpoint (Windows)

  • ASR rules: block Office from creating child processes, block executable content from email/web clients, block credential stealing via LSASS, block abuse of WMI/PSExec.
  • EDR/XDR with script-control & tamper protection; application allow-listing for high-risk roles.
  • Disable Office macros from the internet; enable Protected View/Attack Surface Reduction.

Identity

  • Password manager policy (no browser save), FIDO2/WebAuthn for admins/finance, Conditional Access & token-binding/DPoP where supported.
  • Short TTLs for sessions; step-up on risk; continuous access evaluation.

Network & Cloud

  • Egress allow-lists; block SMTP/Telegram/Discord from user subnets.
  • TLS inspection for outbound POST with archive signatures; DLP for high-entropy archives.
  • For cloud-hosted mail: monitor abnormal SMTP AUTH from end-user IPs.

10) KPIs & Metrics

  • >95% coverage of ASR rules on Windows endpoints.
  • 0 direct SMTP from user subnets (except sanctioned mail clients).
  • 100% phishing-resistant MFA for admin/finance; 0 legacy protocols.
  • <4h time-to-invalidate sessions for impacted users (measured in drills).
  • Quarterly attachment-type audit; monthly sandbox efficacy test.

11) CyberBivash Publishing Block

Title: Agent Tesla Malware Threat Analysis: How Commodity Infostealers Still Win
Meta Description (≤160 chars): Deep dive on Agent Tesla: delivery lures, credential theft, SMTP/HTTP exfil, detections, and a control stack that actually stops it.
Slug: /agent-tesla-malware-threat-analysis-credential-theft
Excerpt: Agent Tesla remains a top infostealer because it’s cheap, flexible, and email-driven. This CyberDudeBivash report maps the attack chain, shows what to hunt (Office→script→SMTP), and provides drop-in Sigma/KQL/YARA plus a hardened control set (ASR, sandboxing, egress allow-lists, MFA).


#AgentTesla #Infostealer #Keylogger #SMTPExfil #HTMLSmuggling #ASR #EDR #EmailSecurity #ThreatIntel #CyberDudeBivash

Affiliate-Ready CTAs (swap in your links):

  • 1Password Business — rapid credential rotation & vault policies
  • Malwarebytes / Bitdefender EDR — behavior detections for stealers & RATs
  • Cloudflare Zero Trust — block Telegram/Discord/SMTP egress from endpoints
  • NordVPN/Proton (Teams) — isolate admin planes & remote access
