{
	"id": "8da9799f-8b5c-43c9-9bae-c7ba8657c115",
	"created_at": "2026-04-06T00:22:38.70401Z",
	"updated_at": "2026-04-10T03:21:10.107141Z",
	"deleted_at": null,
	"sha1_hash": "2108d7185ef2b0505db89c89f41082d028d7a413",
	"title": "Analysis of New Agent Tesla Spyware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1279563,
	"plain_text": "Analysis of New Agent Tesla Spyware Variant\r\nBy Xiaopeng Zhang\r\nPublished: 2018-04-05 · Archived: 2026-04-05 13:26:02 UTC\r\nRecently, FortiGuard Labs captured a new malware sample that was spread via Microsoft Word documents. After some quick research, I discovered that this was a new variant of the Agent Tesla spyware. I analyzed another sample of this spyware last June and published a blog about it. In this blog, I want to share what’s new in this new variant.\r\nThis malware was spread via a Microsoft Word document that contained an embedded exe file. Figure 1 below shows what it looks like when you open the Word document.\r\nFigure 1. Opening the malicious Word document\r\nAs you can see, it asks the victim to double click the blue icon to enable a “clear view.” Once clicked, it extracts an exe file from the embedded object into the system’s temporary folder and runs it. In this case, the exe file is called “POM.exe”.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html\r\nPage 1 of 13\n\nFigure 2. POM.exe is created in a temporary folder\r\nAnalysis of POM.exe\r\nFigure 3. Looking at POM.exe in an analysis tool\r\nIn figure 3 we can see that the malware is written in the MS Visual Basic language. Based on my analysis, it’s a kind of installer program. When it runs, it drops two files, “filename.exe” and “filename.vbs”, into “%temp%\\subfolder”. It then exits the process after executing the file “filename.vbs”. Below, in figure 4, is the content of “filename.vbs”.\r\nFigure 4. The content of filename.vbs\r\nTo make it run automatically when the system starts, it adds itself (runs filename.vbs) to the system registry as a startup program. It then runs “%temp%\\filename.exe”.\r\nFigure 5. The malware adds itself into the system registry as a “RunOnce” item\r\nAnalysis of filename.exe\r\nWhen “filename.exe” starts, like most other malware it creates a suspended child process with the same name to protect itself. It then extracts a new PE file from its resource to overwrite the child process memory. Afterwards, it resumes the execution of the child process. This is when it executes the code of that new PE file, which is the main part of this malware.\r\nFigure 6. Checking to see if the module mscorjit.dll is loaded\r\nLet’s go on to the analysis of the child process. It first checks to see if the environment value of \"Cor_Enable_Profiling\" is set to 1, and if the modules \"mscorjit.dll\" and \"clrjit.dll\" have been loaded (see figure 6). If one of these checks is true, it exits the process without doing anything. So far, I have no idea what the purpose of doing that is, but it is likely anti-something.\r\nIf the process doesn’t exit, it loads a named resource. The resource name is \"__\", which is a string decrypted from a local variable. Afterwards, by calling the API functions “FindResource” and “LoadResource”, it can read the resource data into the process memory. Figure 7 shows the “__” resource in CFF Explorer. For sure, the data is encrypted.\r\nFigure 7. Encrypted “__” resource\r\nBy decrypting the “__” data, we obtain another PE file, which is a .Net framework program. This is to be loaded into the child process memory. It reads sections of the .Net program into memory according to the PE file headers, imports APIs defined in the import table for .Net programs, relocates the offset of the function “_CorExeMain”, and builds the .Net framework running environment by calling several APIs. Finally, it jumps to the entry point of the .Net program, where it later jumps to “_CorExeMain” – which is the entry point of all .Net programs – to execute this .Net program. You can see in figure 8 how it jumps to the “_CorExeMain” function.\r\nFigure 8. Jumping to the entry point of the .Net program\r\nIn order to further analyze the .Net program, I dumped it from the child process memory into a local file. This allowed me to launch it independently rather than running it within the child process. This also allowed me to load it into .Net program analysis tools to analyze it.\r\nDeep analysis of the .Net program\r\nThe dumped file has an incorrect PE header. I manually repaired it so that it can be executed, debugged, and parsed by .Net program analysis tools. Figure 8 shows the main function of the .Net program in an analysis tool.\r\nFigure 9. The main function of the .Net program\r\nAs you may have already noticed, it uses some kind of code obfuscation technique to increase the difficulty of code analysis. In the following parts, you may see that some of the names of methods, classes, variables, etc. have been modified to make them understandable.\r\nAll the constant strings in the .Net program are encoded and saved within a large buffer, and every string is assigned an index. Whenever it needs to use a string, it calls a function with the string’s index to get the string. If the string is encoded, it passes the encoded string into another function to get it decoded. In figure 10 we can see that it reads the huge string into the big buffer, “Pkky9noglfauhKN1Fjq.QOZ4uWBaWw”.\r\nHere is an example: “XtL6rF5GoidQVxdCxi.R6ybT342I(Pkky9noglfauhKN1Fjq.Y3LpEpC6nY(3172));”\r\n“3172” is the string index.\r\nThe “Pkky9noglfauhKN1Fjq.Y3LpEpC6nY” function picks up the string of index 3172 from that large buffer. In this case, it’s \"hyNN5z+7qAsS695lDXLuHg==\".\r\n“XtL6rF5GoidQVxdCxi.R6ybT342I” is the decoding function. After decoding, we get the string “True\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00”, i.e. “True”.\r\nFigure 10. Reading strings in the large buffer\r\nWhen the main function is called, it first pauses for 15 seconds by calling the “Thread::Sleep()” function. This allows it to potentially bypass sandbox detection.\r\nAs my analysis in the previous blog showed, Agent Tesla is spyware. It monitors and collects the victim’s keyboard inputs, system clipboard, and screenshots of the victim’s screen, as well as collecting credentials from a variety of installed software. To do that it creates many different threads and timer functions in the main function. So far, through my quick analysis, this version is similar to the older one. As I did not find much change, I won’t talk about it more here but simply refer you to the previous blog analysis.\r\nHowever, the way of submitting data to the C\u0026C server has changed. It used to use HTTP POST to send the collected data. In this variant, it uses SMTPS to send the collected data to the attacker’s email box.\r\nBased on my analysis, the commands used in the SMTP method include “Passwords Recovered”, “Screen Capture”, and “Keystrokes”, etc. The commands are identified within the email’s “Subject” field. For example:\r\n“System user name/computer name Screen Capture From: victim’s IP”\r\nHere’s an example to show you how it sends the collected credential data to the attacker’s email address. Figure 10 shows the email content that will be sent out with my PC information along with the collected credentials. It enables an SSL function and uses TCP port 587. The “Body” field is the collected data in HTML format. The “Subject” field contains the command “Passwords Recovered”, which tells the recipient that this email contains credentials.\r\nFigure 11. Email content with collected data\r\nThe attacker registered a free Zoho email account for this campaign to receive victims’ credentials. Figure 11, below, shows the SMTP server and its login information. You can see the attacker’s SMTP credentials, “UserName” and “Password”, as well as the SMTP server.\r\nFigure 12. Attacker’s SMTP credential\r\nWhen the email was sent out, we were able to capture the packets shown in figure 12, below, with the Wireshark tool.\r\nFigure 13. Collected data submission using SMTPS in Wireshark\r\nAs I explained above, the collected data in the mail body is in HTML format. I copied the HTML content into a local HTML file and was able to open it in the IE browser to see what the malware had harvested from my test environment. In figure 13, you can see the screenshot of my PC information along with the related credentials in an IE browser.\r\nFigure 14. Harvested Credentials\r\nDaemon program\r\nIt also drops a daemon program from the .Net program’s resource named “Player” into the “%temp%” folder and runs it to protect “filename.exe” from being killed.\r\nFigure 15. Dropping the daemon program and running it\r\nThe daemon program’s name is made up of three random letters, as you can see in figure 15. It’s also a .Net program and its main purpose is very clear and simple. Figure 16 shows the daemon program’s entire code in an analysis tool.\r\nYou can see that the main function receives a command line argument (for this sample, it’s the full path to “filename.exe”) and saves it to a string variable called “filePath”. It creates a thread, and in the thread function it checks every 900 milliseconds to see if the file “filename.exe” is running. It runs it again whenever “filename.exe” is killed.\r\nFigure 16. Daemon program code\r\nSolution\r\nThe file “PPSATV.doc” has been detected as “W32/VBKrypt.DWSS!tr”, and “POM.exe” has been detected as “W32/VBKrypt.DWSS!tr” by the FortiGuard AntiVirus service.\r\nWe have informed Zoho of the email account which is being used in this AgentTesla campaign.\r\nIoC:\r\nSample SHA256:\r\nPPSATV.doc\r\n13E9CDE3F15E642E754AAE63259BB79ED08D1ACDA93A3244862399C44703C007\r\nPOM.exe\r\nA859765D990F1216F65A8319DBFE52DBA7F24731FBD2672D8D7200CC236863D7\r\nfilename.exe\r\nB4F81D9D74E010714CD227D3106B5E70928D495E3FD54F535B665F25EB581D3A\r\nRandom name daemon program\r\nC2CAE82E01D954E3A50FEAEBCD3F75DE7416A851EA855D6F0E8AAAC84A507CA3\r\nCheck out our latest Quarterly Threat Landscape report for Q4 of 2017 for more details about recent threats.\r\nSign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.\r\nSource: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
	],
	"report_names": [
		"analysis-of-new-agent-tesla-spyware-variant.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2108d7185ef2b0505db89c89f41082d028d7a413.pdf",
		"text": "https://archive.orkl.eu/2108d7185ef2b0505db89c89f41082d028d7a413.txt",
		"img": "https://archive.orkl.eu/2108d7185ef2b0505db89c89f41082d028d7a413.jpg"
	}
}