{
	"id": "ebaefd0c-d544-4812-bd99-0118fd1a688c",
	"created_at": "2026-04-06T00:08:14.269615Z",
	"updated_at": "2026-04-10T03:31:13.799631Z",
	"deleted_at": null,
	"sha1_hash": "3d2eebf575f78fd38fbfba63d2f2bfaaffe923b1",
	"title": "Unfolding Agent Tesla: The Art of Credentials Harvesting. Dropper Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129237,
	"plain_text": "Unfolding Agent Tesla: The Art of Credentials Harvesting.\r\nDropper Analysis\r\nBy Osama Ellahi\r\nPublished: 2024-08-15 · Archived: 2026-04-05 14:20:07 UTC\r\nAnalysis of Agent Tesla: A Close Look at Password Theft Techniques\r\nPart 1: Dropper Analysis\r\nExecutive Summary\r\nAgent Tesla is a sophisticated malware family that typically infiltrates systems through deceptive emails. Once executed, it passes through multiple stages, using a chain of droppers to disguise its presence. The malware’s primary goal is to steal sensitive information, such as passwords, from web browsers and from email, VPN, and FTP clients. It then covertly transmits the stolen data to the attacker’s email address through a compromised email server.\r\nThis highlights the importance of treating email attachments with caution to avoid falling victim to such attacks.\r\nMalware Flow\r\nAgent Tesla begins its infection chain with a phishing email. The initial carrier is an EXE file, known as the dropper. This executable contains a second-stage DLL, which it loads into its own process as a module. The second stage then loads a third-stage DLL, which in turn loads a fourth-stage DLL. This fourth-stage DLL is crucial, because it carries the actual Agent Tesla binary, itself an EXE file.\r\nUpon execution, the fourth-stage binary extracts the Agent Tesla payload, decrypts it, and injects the Agent Tesla binary into its own running process; in other words, it activates the malicious code inside itself. The final-stage binary is responsible for harvesting credentials from various sources, including browsers, email clients, VPN clients, and FTP clients.\r\nOnce it has collected passwords from the system, the malware sends the stolen data to the attacker’s email address. To do so, it uses a compromised email server, completing the malicious cycle that began with the phishing email.\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137\r\nPage 1 of 3\r\nTo read the full blog, follow the link below. We have moved this blog to our personal blogging website.\r\nhttps://breachnova.com/blog.php?id=29\r\nParts\r\nPart 1: Dropper Analysis\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137\r\nPart 2: Browser Stealing\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-2d565c68db0d\r\nPart 3: Discovery \u0026 Exfiltration\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7a77f69435ee\r\nPart 4: Stealing FileZilla\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-d30da9c36988\r\nPart 5: Stealing The Bat! Email Client\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-c3fe4854775b\r\nPart 6: Stealing Outlook Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-de3737f9d66e\r\nPart 7: Stealing Trillian Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-afa2dd6e9de7\r\nPart 8: Stealing MailBird Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-e5501af1c942\r\nPart 9: Stealing WinSCP Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-55e7b2c64d60\r\nPart 10: Stealing Core FTP LE Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-cdce40f6a747\r\nPart 11: Stealing WinSCP Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-db9bb6698041\r\nPart 12: Stealing FTP Navigator Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-59818a3686a3\r\nPart 13: Stealing FTP Commander Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7d01a41d554b\r\nPart 14: Stealing FTP Getter Credentials\r\nhttps://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-fe5ff29cc93c\r\nSource: https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137"
	],
	"report_names": [
		"unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d2eebf575f78fd38fbfba63d2f2bfaaffe923b1.pdf",
		"text": "https://archive.orkl.eu/3d2eebf575f78fd38fbfba63d2f2bfaaffe923b1.txt",
		"img": "https://archive.orkl.eu/3d2eebf575f78fd38fbfba63d2f2bfaaffe923b1.jpg"
	}
}