{
	"id": "5d33a9bc-dcef-4366-8e0e-32e3d835d813",
	"created_at": "2026-04-06T00:18:58.310593Z",
	"updated_at": "2026-04-10T03:20:07.010059Z",
	"deleted_at": null,
	"sha1_hash": "039f288dc47e5ec6f45c75040817074d319ce7bd",
	"title": "Malware Analysis - Agent Tesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1092362,
	"plain_text": "Malware Analysis - Agent Tesla\r\nBy Bar Magnezi\r\nPublished: 2024-06-05 · Archived: 2026-04-05 13:56:23 UTC\r\nSample:\r\ne2f6a376216a6492d6fe3648a969608c\r\nBackground\r\nAgent Tesla is a .NET-based information stealer and Remote Access Trojan (RAT) used by cybercriminals and, in some campaigns, by Advanced Persistent Threat (APT) groups for espionage. It first emerged in 2014 and is known for stealing credentials and keystrokes and for capturing screenshots. It spreads mainly through malicious email attachments and exploitation of software vulnerabilities, and the stolen data is sent back over channels such as SMTP, which is what the configuration extracted later in this report shows.\r\nStatic Analysis - Stage 1\r\nFigure 1: Malware Bazaar Entry\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/\r\nPage 1 of 15\n\nFigure 2: VirusTotal Detection\r\nAs Figures 1 and 2 show, the first stage is widely detected: the sample is listed on Malware Bazaar and flagged by most antivirus engines on VirusTotal.\r\nPEStudio and Detect It Easy both identify the file as packed (Figures 3 and 4). A packer hides the real payload behind an unpacking stub, so detections on the first stage say little about the code that actually runs; the payload has to be unpacked before it can be analyzed.\r\nFigure 3: Detect It Easy on First Stage\r\nFigure 4: PEStudio on First Stage\r\nAnalyzing the file in dnSpy revealed the malware’s unpacking function: the first stage decodes the next stage into memory and executes it as a new process. As shown in Figure 5, I saved the unpacked content to a new file for further analysis.
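The unpacked payload has to be recovered from memory before the second stage can be analyzed. As an added example (not code from the original post), the Python below carves every well-formed PE image out of a byte blob such as a process memory dump or a decoded resource: it walks each MZ candidate, validates e_lfanew and the PE signature, and sizes the image from its section table, with a clamp for truncated dumps. The names carve_pe, pe_extent and build_sample_pe and the embedded sample PE are assumptions of this example; the sample is a synthetic header, not the Agent Tesla payload.

```python
import struct

# Added example, not the author's code: carve embedded PE images from a byte blob.
# Function and sample names are ours; the sample PE is synthetic, not the real payload.

MZ = b'MZ'
PE_SIG = b'PE' + bytes(2)   # the four-byte signature: PE followed by two NUL bytes

def _u16(buf, off):
    return struct.unpack_from('<H', buf, off)[0]

def _u32(buf, off):
    return struct.unpack_from('<I', buf, off)[0]

def pe_extent(blob, mz_off, mapped=False):
    '''Size of the PE image starting at mz_off, or 0 if the headers do not validate.
    mapped=False sizes the image from the raw (file) layout of the section table,
    which is right for a payload stored as a byte array or dropped file; mapped=True
    uses the virtual layout, which is what a dump of an already-mapped image needs.'''
    if blob[mz_off:mz_off + 2] != MZ or mz_off + 0x40 > len(blob):
        return 0
    pe_off = mz_off + _u32(blob, mz_off + 0x3C)            # e_lfanew
    if pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != PE_SIG:
        return 0
    nsections = _u16(blob, pe_off + 6)
    opt_size = _u16(blob, pe_off + 20)                      # SizeOfOptionalHeader
    sect_off = pe_off + 24 + opt_size
    hdr_end = sect_off + 40 * nsections
    if hdr_end > len(blob):
        return 0
    size = hdr_end - mz_off                                 # at least the headers
    for i in range(nsections):
        s = sect_off + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from('<IIII', blob, s + 8)
        end = vaddr + vsize if mapped else rptr + rsize
        size = max(size, end)
    return min(size, len(blob) - mz_off)                    # clamp for truncated dumps

def carve_pe(blob, mapped=False):
    '''Return [(offset, size)] for every MZ candidate in blob whose PE headers validate.'''
    found = []
    pos = blob.find(MZ)
    while pos != -1:
        size = pe_extent(blob, pos, mapped)
        if size:
            found.append((pos, size))
        pos = blob.find(MZ, pos + 1)
    return found

def build_sample_pe():
    '''Constructed minimal PE32 (synthetic sample data): DOS header, PE signature,
    COFF header, zeroed optional header and two sections laid out in file order.'''
    e_lfanew, opt_size = 0x80, 0xE0
    hdr = bytearray(MZ) + bytes(0x3C - 2) + struct.pack('<I', e_lfanew)
    hdr += bytes(e_lfanew - len(hdr)) + PE_SIG
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    hdr += struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack('<H', 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zeroed
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for name, vsize, vaddr, rsize, rptr in [(b'.text', 0x1000, 0x1000, 0x200, 0x200),
                                             (b'.rsrc', 0x100, 0x2000, 0x100, 0x400)]:
        hdr += name + bytes(8 - len(name)) + struct.pack('<IIII', vsize, vaddr, rsize, rptr) + bytes(16)
    img = hdr + bytes(0x200 - len(hdr))                     # pad headers to the first raw section
    return bytes(img + b'A' * 0x200 + b'B' * 0x100)

# Constructed blob: junk, a decoy MZ whose e_lfanew points past the buffer, the sample PE, more junk
SAMPLE_BLOB = b'X' * 30 + MZ + b'X' * 68 + build_sample_pe() + b'Y' * 40

if __name__ == '__main__':
    for off, size in carve_pe(SAMPLE_BLOB):
        print('PE image at offset 0x%x, %d bytes' % (off, size))
        with open('carved_%08x.bin' % off, 'wb') as fh:
            fh.write(SAMPLE_BLOB[off:off + size])
```

Run against a real dump, replace SAMPLE_BLOB with the file contents and pass mapped=True when the dump was taken from a process in which the image was already mapped; the decoy MZ in the sample shows why the e_lfanew and signature checks matter, since MZ occurs by chance in most large buffers.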
I also dumped a DLL that the malware generates at runtime (Figure 6).\r\nFigure 5: Extracting the second stage from memory\r\nFigure 6: Extracting the DLL\r\nStatic Analysis - Stage 2\r\nAfter extracting the DLL and the unpacked payload, we have three files (Figure 7).\r\nFigure 7: The three extracted files\r\nSearching VirusTotal for the hashes of the second stage and the DLL returned no results (Figures 8 and 9): at the time of analysis neither file had been uploaded, which suggests a fresh build of the payload rather than a reused one. The hashes are listed in the IOCs section.\r\nFigure 8: No detection on 2nd Stage\r\nFigure 9: No Detection on the dll\r\nI ran Detect It Easy and PEStudio on both files again (Figures 10 to 13).\r\nFigure 10: Detect It Easy 2nd Stage\r\nFigure 11: PEStudio 2nd Stage\r\nFigure 12: Detect It Easy on the dll\r\nFigure 13: PEStudio on the dll\r\nCAPA enumerates the capabilities of the second stage (Figure 14), which gives a quick map of what to look for in the decompiled code.\r\nFigure 14: CAPA 2nd Stage\r\nDynamic Analysis\r\nOpening the second stage in dnSpy exposes its functionality: keylogging and screen capture (Figure 15), password harvesting, and extraction of saved data from browsers (Figure 16) and local databases (Figure 17).\r\nFigure 15: KeyLogger Functions\r\nFigure 16: Checks for installed browsers\r\nFigure 17: Retrieving data from a database\r\nAt this point I ran the sample and observed its effect on the system. I used Regshot to snapshot the registry before and after execution.
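Regshot compares a registry snapshot taken before execution with one taken after. As an added example (not the author's tooling), the Python below performs that comparison on two snapshots held as Python dicts and then flags the changes that land in autostart keys, which is the check that turns a raw Regshot diff into a persistence IOC. Key paths are handled as component tuples so the data needs no escaping; the snapshot contents, the value name 'Windows Update' and the file paths are constructed sample data invented for this example, not what this sample writes.

```python
# Added example, not the author's code: Regshot-style registry diff plus a
# persistence check. Snapshot contents below are constructed sample data.

SEP = chr(92)   # the registry and file path separator, built with chr() to avoid escape sequences

# Autostart locations (hive-relative) that deserve a second look whenever they change
AUTOSTART_KEYS = [
    ('Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run'),
    ('Software', 'Microsoft', 'Windows', 'CurrentVersion', 'RunOnce'),
    ('Software', 'Microsoft', 'Windows NT', 'CurrentVersion', 'Winlogon'),
]

def join_path(*parts):
    '''Render path components as the familiar backslash-separated string.'''
    return SEP.join(parts)

def diff_snapshots(before, after):
    '''Compare two snapshots shaped {key_tuple: {value_name: data}} and return the five
    categories Regshot reports: keys added/deleted and values added/deleted/modified.'''
    report = {'keys_added': [], 'keys_deleted': [], 'values_added': [],
              'values_deleted': [], 'values_modified': []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report['keys_added'].append(key)
            report['values_added'] += [(key, n, d) for n, d in after[key].items()]
        elif key not in after:
            report['keys_deleted'].append(key)
            report['values_deleted'] += [(key, n, d) for n, d in before[key].items()]
        else:
            old, new = before[key], after[key]
            for name in sorted(set(old) | set(new)):
                if name not in old:
                    report['values_added'].append((key, name, new[name]))
                elif name not in new:
                    report['values_deleted'].append((key, name, old[name]))
                elif old[name] != new[name]:
                    report['values_modified'].append((key, name, old[name], new[name]))
    return report

def is_autostart(key):
    '''True if key (hive, *components) is at or below a known autostart key; registry
    key names are case-insensitive, so compare lowercased.'''
    body = tuple(p.lower() for p in key[1:])
    return any(body[:len(a)] == tuple(p.lower() for p in a) for a in AUTOSTART_KEYS)

def flag_persistence(report):
    '''Return (key path, value name, new data) for every value added to or modified
    in an autostart key: these are the entries that belong in the IOC list.'''
    flagged = []
    for entry in report['values_added'] + report['values_modified']:
        key, name, data = entry[0], entry[1], entry[-1]
        if is_autostart(key):
            flagged.append((join_path(*key), name, data))
    return flagged

# Constructed snapshots (invented names and paths, not what this sample writes)
RUN = ('HKCU', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')
TYPED = ('HKCU', 'Software', 'Microsoft', 'Internet Explorer', 'TypedURLs')
VENDOR = ('HKCU', 'Software', 'SampleVendor')
ONEDRIVE = join_path('C:', 'Users', 'victim', 'AppData', 'Local', 'Microsoft', 'OneDrive', 'OneDrive.exe')
DROPPED = join_path('C:', 'Users', 'victim', 'AppData', 'Roaming', 'WinUpdate', 'svchost.exe')

BEFORE = {RUN: {'OneDrive': ONEDRIVE}, TYPED: {'url1': 'http://example.com'}}
AFTER = {RUN: {'OneDrive': ONEDRIVE, 'Windows Update': DROPPED},
         TYPED: {'url1': 'http://example.org'},
         VENDOR: {'Installed': '1'}}

if __name__ == '__main__':
    report = diff_snapshots(BEFORE, AFTER)
    for category, entries in report.items():
        print('%s: %d' % (category, len(entries)))
    for path, name, data in flag_persistence(report):
        print('PERSISTENCE  %s  %s = %s' % (path, name, data))
```

A real run replaces BEFORE and AFTER with snapshots parsed from reg export output or Regshot's own report; the autostart list is deliberately short, and a HKLM Run or Services entry created by an elevated sample would be caught by the same prefix match once added to AUTOSTART_KEYS.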
Comparing the two snapshots shows the changes the malware made to the registry (Figures 18 and 19).\r\nFigure 18: Regshot comparison\r\nFigure 19: Regshot comparison (continued)\r\nThe registry modification indicates that the malware registers itself under a name that mimics a legitimate system process, which complicates detection and removal.\r\nMalware Configuration\r\nBrowsing the Assembly Explorer in dnSpy led to the embedded configuration, shown in Figure 20.\r\nFigure 20: Extracted Malware Configuration\r\nUsing the SMTP credentials from the configuration, I logged into the attacker’s mail server and extracted additional IOCs. I wrote a Python script to pull the logs, but for privacy reasons I won’t publish it here.\r\nI then wrote a second Python script to extract the email addresses from those logs:\r\nimport csv\r\nimport re\r\n\r\n# Regular expression to match email addresses. The TLD class is [A-Za-z]: a '|' inside\r\n# a character class matches a literal pipe rather than acting as alternation.\r\nemail_regex = r'\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,6}\\b'\r\n\r\n# Path to the CSV file exported from the mail logs\r\ncsv_file_path = 'emails2.csv'\r\n\r\n# Set to store unique email addresses\r\nunique_emails = set()\r\n\r\n# Open the CSV file for reading with utf-8 encoding\r\nwith open(csv_file_path, mode='r', newline='', encoding='utf-8') as file:\r\n    csv_reader = csv.reader(file)\r\n    for row in csv_reader:\r\n        # Join all the columns in the row into a single string\r\n        row_str = ' '.join(row)\r\n        # Find every email address in the row and keep the unique ones\r\n        unique_emails.update(re.findall(email_regex, row_str))\r\n\r\n# Print the unique email addresses\r\nfor email in unique_emails:\r\n
    print(email)\r\nThis script extracted more than 80 email addresses, belonging either to compromised victims or to the attacker’s infrastructure; they are listed, partially masked, in the IOCs section.\r\nRunning the malware also showed the new process it spawns (Figure 21), and a Wireshark capture provided the network IOCs (Figure 22).\r\nFigure 21: The new process\r\nFigure 22: Wireshark capture\r\nIOCs\r\nHash:\r\ne2f6a376216a6492d6fe3648a969608c\r\n5e8a624d975b4d471b6145ae628a2f97\r\nbc19b0a9d487ac8e5d22b40bd6176d2d\r\nURL:\r\nhxxps://account.dyn[.]com\r\napi[.]ipify[.]org\r\nBoth hosts belong to legitimate services (api.ipify.org simply returns the caller’s public IP address), so on their own they are low-confidence indicators; they are useful in combination with the hashes and the spawned process above.\r\nEmails:\r\nmabouamayem@ta***d[.]ae\r\nimran@alb******lic[.]com\r\nshakim@t***d[.]ae\r\nsivaraj.t@tho*****ast[.]com\r\nSuneesh_KS@s**[.]ae\r\nVibin.Davis@a*****air[.]com\r\nsabu@t***ae[.]com\r\nQRWorkshopauh@****[.]ae\r\nreem.albedwawi@e****up[.]com\r\nchiragjoshi@gra*******ves[.]com\r\nanuvind@albu*******ic[.]com\r\nvinodkumar@g*****lf[.]com\r\njessa@ki******ings[.]com\r\nmadhav@ge*****lf[.]com\r\nabdul.samad@e*****up[.]com\r\njbayhon@t****ed[.]ae\r\nRaman.Jha@a****ir[.]com\r\nPurchase3[.]spme@su*****en[.]com\r\nchandrajith@t****e[.]com\r\nsimpson.d@****c[.]ae\r\nsaheer.m@en****up[.]com\r\nWorkshopauh@h***c[.]ae\r\nkausarali@a*****ic[.]com\r\npurchase3.spme@su****en[.]com\r\ncoordinator@t***e[.]com\r\nameen_aziz@go*******lc[.]com\r\nmmerchant52@****o[.]com\r\nDeepanshu.Gupta@****r[.]com\r\nstanveer@t****d[.]ae\r\nibrah.esad@****[.]com\r\nmuhammedsigma786@*****[.]com\r\nDinakaran.Umamaheswaran@a*****ir[.]com\r\nhameed@alb*****lic[.]com\r\nismailpt@t****e[.]com\r\nServiceauh@h***c[.]ae\r\nnews@ncx[.]ni****e[.]ae\r\nThameem.Mohammed@a****ir[.]com\r\nsaeed9797seead@****[.]com\r\nMohamed.Abdhul@a****ir[.]com\r\nthiemokho.doucoure@e****up[.]com\r\nMuhammed.Shihabuddin@s***[.]ae\r\nSreenidhi.Gadihalli@a****ir[.]com\r\nlahiru.r@****c[.]ae\r\nomajdalawi@t****d[.]ae\r\nNaushad.Ahmad@e****p[.]com\r\nSyed.Oli@a****ir[.]com\r\nwahmed@t***ed[.]ae\r\nPurchaseauh@h***c[.]ae\r\nnabdulsalam@t****d[.]ae\r\npurchaseauh@h****c[.]ae\r\nkrisanth.c@g*****f[.]com\r\nqc1@g****em[.]com\r\nserviceauh@h***c[.]ae\r\nanita.singh@c*****st[.]com\r\nJules.v@h***c[.]ae\r\nSaadiyat.DCP1@a****r[.]com\r\ndinakaran.umamaheswaran@a*****r[.]com\r\nmohamed.halan@g****lf[.]com\r\nMailer-Daemon@box2229[.]b****t[.]com\r\ninfo@a*****c[.]com\r\nsales@p**st[.]com\r\nmustafa@a****ic[.]com\r\nAmrou.Askar@a****ir[.]com\r\nummer.mohammed@****[.]com\r\nashiq.mehmood@e****up[.]com\r\nramesh@a****ic[.]com\r\nanup.p@h***c[.]ae\r\nvinup.s@g****f[.]com\r\nmohan@g****f[.]com\r\nInderjeet.Arora@a****ir[.]com\r\nBheemrao.Kumar@a***ir[.]com\r\nttaylor@t****cy[.]us\r\narul@g****f[.]com\r\nQRworkshopauh@h****c[.]ae\r\nanand.bodas@******[.]com\r\ngulfe@g****c[.]ae\r\ninfo@a****ms[.]com\r\npurchase@p***t[.]com\r\nkhozem@a*****lic[.]com\r\ndwi.endah@en****p[.]com\r\njoyson.lobo@ca****st[.]com\r\nravindrarao@t****e[.]com\r\nYARA Rule\r\nrule AgentTeslaRule {\r\n    meta:\r\n        description = \"Searches for AgentTesla variant\"\r\n        author = \"0xMrMagnezi\"\r\n        date = \"2024-06-05\"\r\n\r\n    strings:\r\n        // ASCII: $a8173ea3-862d-4b7e-b66b-e07c (the sequence is truncated in the archived copy)\r\n        $hex_sequence = { 24 61 38 31 37 33 65 61 33 2D 38 36 32 64 2D 34 62 37 65 2D 62 36 36 62 2D 65 30 37 63 }\r\n        // ascii wide nocase matches the token in both encodings regardless of case\r\n        $s = \"PY718E785ZXFG4844GPE4Z\" ascii wide nocase\r\n\r\n    condition:\r\n        $hex_sequence or $s\r\n}\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/"
	],
	"report_names": [
		"AgentTesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/039f288dc47e5ec6f45c75040817074d319ce7bd.pdf",
		"text": "https://archive.orkl.eu/039f288dc47e5ec6f45c75040817074d319ce7bd.txt",
		"img": "https://archive.orkl.eu/039f288dc47e5ec6f45c75040817074d319ce7bd.jpg"
	}
}