Triage: Knowledge Base

AgentTesla's Year Activity



AgentTesla in Triage


AgentTesla is an infostealer which first appeared in 2014 and has seen widespread usage over the last few years. Written using .NET, it is a full featured stealer which can:

  • Steal saved credentials from a wide range of web browsers and email clients
  • Collect keys from various SSH/FTP clients
  • Log keystrokes
  • Harvest data from the clipboard
  • Take screenshots and video
  • Carry out form-grabbing attacks against login pages for common websites
  • Gather saved credentials for known WiFi networks (first seen in early 2020)

It is openly sold through its own website (the name and location of which has changed over the years) claiming to be a legitimate monitoring program for personal computers, although user guides detailing malicious scenarios and the numerous evasion techniques implemented over the years mean this is clearly not the real intention.

In 2018 krebsonsecurity published an article looking into the identity of the AgentTesla author, concluding that it was likely developed by a Turkish citizen. The malware continues to see widespread usage in 2020, with new versions such as the WiFi stealer variant mentioned above and extensive customer support.

Common Behaviour

Collects Local Credentials from Browsers, Email, FTP etc.

As mentioned above, AgentTesla targets credentials stored locally by many common web browsers, messengers, email clients and FTP/SSH software.

The exact list of paths accessed by the family varies slightly between versions but is generally a very extensive list of file and registry paths. An example of some of these can be seen below.

Collects WiFi Profiles

In Spring of 2020 a new variant of AgentTesla was reported which harvested credentials for previous WiFi connections saved on an infected device.

Example usage of netsh.exe to extract WiFi profiles

External References

1 Who Is Agent Tesla?

Blog investigating the developer behind AgentTesla.

2 New AgentTesla variant steals WiFi credentials

MalwareBytes blog on AgentTesla Wifi stealer module

3 New Agent Tesla Variant Spreading by Phishing

Fortinet report on AgentTesla phishing campaign in early 2020.

Tactics, Techniques, and Procedures

Discovery: Account Discovery

Command and Control: Standard Application Layer Protocol

Collection: Clipboard Data

Defense Evasion: Deobfuscate/Decode Files or Information

Exfiltration: Exfiltration Over Alternative Protocol

Command and Control: Remote File Copy

Collection: Input Capture

Collection: Man in the Browser

Defense Evasion: Obfuscated Files or Information

Discovery: Process Discovery

Collection: Screen Capture

Discovery: System Information Discovery

Discovery: System Network Configuration Discovery

Discovery: System Owner/User Discovery

Discovery: System Time Discovery

Execution: User Execution

Collection: Video Capture

Defense Evasion: Virtualization/Sandbox Evasion