AgentTesla

Agent Tesla is a remote access tool (RAT) written in visual basic.

Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

AgentTesla Payload

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Modifies Windows Firewall