{
	"id": "dc366f93-ed08-40a1-b8da-870f55071260",
	"created_at": "2026-05-05T02:45:44.362896Z",
	"updated_at": "2026-05-05T02:46:36.820457Z",
	"deleted_at": null,
	"sha1_hash": "1a90679efaf24ccfdb1d9219abeee8aaac23fe07",
	"title": "Emerging Threat: AgentTesla – A Review and Detection Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47471,
	"plain_text": "Emerging Threat: AgentTesla – A Review and Detection Strategies\r\nBy Anish Bogati\r\nArchived: 2026-05-05 02:27:29 UTC\r\nAgentTesla has been spreading rapidly in the wild, with CISA listing it in its Top Malware Strains list for 2021, and it is still in the top 10 list on MalwareBazaar as of March 2023.\r\nThe operators of AgentTesla provide Malware-as-a-Service with various pricing options for different versions of the malware. During 2017, the malware’s website was available on the public internet (it is now on the dark web), advertising the RAT’s capabilities with various price ranges and features.\r\nThe price shown above has likely changed since. It is provided purely for reference, to show that AgentTesla offers multiple buying options and operates a business-like model. AgentTesla has been used in numerous campaigns by multiple threat actors because it can be bought at various price ranges with various capabilities and with support from the operators. In 2022, CERT-UA discovered AgentTesla being deployed in state organization systems through phishing attachments [T1566.001]. Besides Ukraine, AgentTesla was also seen deployed in a data theft campaign by the threat actor tracked as Aggah against East European countries.\r\nInfection Chain\r\nIt all starts with phishing attachments, whereby victims are lured into executing malicious attachments. These range from LNK files to Office documents with malicious macros, or payloads that exploit vulnerabilities such as CVE-2017-0199 (remote code execution vulnerability in Microsoft Office and WordPad) and CVE-2017-11882 (remote code execution vulnerability in Microsoft Office).\r\nOnce the initial payload is executed, it tries to connect to the malware distribution site, downloads further stages of the payload, and finally downloads AgentTesla onto the system. The initial payload can also download the malware directly without dropping other payloads. After AgentTesla is on the system, various actions are performed, such as persistence, credential harvesting, and exfiltration.\r\nFor persistence, the malware schedules tasks [T1053] or places itself in startup folders or under registry Run keys [T1547.001]. For data collection, what we have observed is that it has a predefined list of browsers, mail clients, and VPN clients; based on which of those applications is present on the system, it tries to retrieve data from them. For exfiltration, we found various samples of AgentTesla using protocols and applications such as SMTP, FTP, Telegram, and Discord.\r\nWe go into full detail on how the malware is distributed and on the infection chain, and provide an analysis of its capabilities in the attached report. We uncover some of the TTPs from the analysis of the malware and case studies. After understanding its capabilities, we have provided detection rules to detect the malware at various stages through its known behavior; these are available to download as part of guardsix’s latest release, as well as through guardsix’s download center (https://servicedesk.guardsix.com/hc/en-us/articles/115003928409).\r\nhttps://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/\r\nPage 1 of 2\r\nguardsix Emerging Threats Protection Service provides service subscribers with customized investigation and response playbooks, tailored to your environment. Contact the global services team here.\r\nThe report, containing the analysis, detection, and mitigation using guardsix SIEM+SOAR, can be downloaded from the link.\r\nSource: https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/"
	],
	"report_names": [
		"agentteslas-capabilities-review-detection-strategies"
	],
	"threat_actors": [],
	"ts_created_at": 1777949144,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a90679efaf24ccfdb1d9219abeee8aaac23fe07.pdf",
		"text": "https://archive.orkl.eu/1a90679efaf24ccfdb1d9219abeee8aaac23fe07.txt",
		"img": "https://archive.orkl.eu/1a90679efaf24ccfdb1d9219abeee8aaac23fe07.jpg"
	}
}