{
	"id": "0e050668-0081-4ac9-8a5c-c968332a181c",
	"created_at": "2026-04-06T00:07:57.926Z",
	"updated_at": "2026-04-10T03:24:30.264814Z",
	"deleted_at": null,
	"sha1_hash": "442d480718424bbb34e0ab79b88d8580e8edd2be",
	"title": "Inside a .NET Stealer: AgentTesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4056900,
	"plain_text": "Inside a .NET Stealer: AgentTesla\r\nBy Chris Campbell\r\nPublished: 2020-12-04 · Archived: 2026-04-05 14:02:15 UTC\r\nFirst seen in 2014, AgentTesla (S0331) is a .NET-based stealer that has recently surpassed Emotet and Trickbot to become one of the most prevalent malware threats. At present it is the #2 most submitted malware family to the ANY.RUN sandbox service, mostly thanks to the Emotet crew appearing to have taken an early Christmas vacation. From spray and pray spam runs through to more resourced campaigns targeting critical infrastructure sectors, AgentTesla appears to have a wide variety of operators. Up until 2019 it was available through the website of the developer, www.agenttesla[.]com, as more or less a SaaS subscription that included 24x7 support, web management, delivery and packing services, and regular updates:\r\nPredictably, the service was sold with the disclaimer “Agent Tesla is a software for monitoring your personal computer. It is not a malware. Please, don’t use for computers which is not access permission.”, in much the same fashion as open-source RATs and ransomware are cautioned on GitHub as being “for educational purposes only”. While cracked and leaked copies of the tool were always available through forums and marketplaces, their availability has naturally exploded following the closure of the official service.\r\nFeatures\r\nAs a SaaS offering with a reported 6300+ customers (source: Krebs on Security), it was fair to expect that the feature set and reliability of the tool would continually improve to remain competitive, meet customer requirements and stay ahead of defenses. 
Current features include:\r\nhttps://www.inde.nz/blog/inside-agenttesla\r\nPage 1 of 17\n\nKeylogging, clipboard scraping and screenshot capture.\r\nCredential theft from a wide selection of browsers, VPN, FTP and email clients, and Windows credential stores.\r\nFTP, HTTP and SMTP exfiltration.\r\nTor proxying.\r\nOccasionally custom modules have been seen in samples, such as the WiFi credential stealer.\r\nDelivery\r\nLike many varieties of malware, delivery is primarily via email. Compromised email credentials are frequently used for sending, and messages utilise your garden-variety logistics, financial and current event templates. Most often we observe the AgentTesla payload attached to messages in an archive, but maldoc delivery is also commonplace. A full spectrum of payload delivery mechanisms is seen being employed by the maldocs, including links, macros, DDE commands and Office exploits (e.g. CVE-2017-11882 and CVE-2017-8570). Loaders employ obfuscators/crypters for source protection and almost always .NET reflection to load the AgentTesla stealer, as will be illustrated in the following samples.\r\nEmail\r\nThe sample that we will first investigate in this post begins with a payment-themed message that leverages the branding of a Turkish garment company:\r\nAttached to the email is a zip file containing the payload: “swift copy.exe” (sha256: 9d626bb9d442d3762e5366f0fbefae41708936b9c254141fcf3b0a1b80291ebb). 
The sample is detected by 44 of 71 engines on VirusTotal (report) – so it’s not exactly low-key.\r\nTest Environment\r\nThe sample is copied to a 64-bit Windows 7 analysis VM that is running a FileZilla FTP server and has a handful of dummy accounts set up, including for CoreFTP:\r\nWe know that this is one of the tools that AgentTesla is capable of stealing credentials from, so it is expected that this will prompt the sample to attempt exfiltration.\r\nThe debugger used is dnSpy (https://github.com/dnSpy/dnSpy).\r\nLoader\r\n“PongGame” may seem like an odd choice of namespace for a loader, but this isn’t at all abnormal for the obfuscators used with AgentTesla. Naming conventions of legitimate programs are often adopted and applied across metadata, namespaces, classes, methods and objects.\r\nThe loader imports System.Reflection, indicating .NET reflection is likely used to load additional modules during unpacking:\r\nBefore stepping through the execution, we review the program resources, of which there are two that stand out. It is well known that AgentTesla makes heavy use of steganography, so it is safe to assume the single image (XDDVe) will at some point be passed through a decoding routine. However, there is no reference to it in the loader:\r\nThere is also a long string beginning with TVqQ, which is base64 for “MZ”, the magic number for the MS-DOS EXE format:\r\nA reference to this is seen in method “dddddddddddd”, where the value of this resource is converted from a URL string token to a byte array using System.Web.HttpServerUtility.UrlTokenDecode, and the byte array is then loaded as an assembly. A breakpoint is set prior to the assembly being invoked and execution is run through to this:\r\nSecond Stage\r\nThis unpacked assembly is MARCUS.dll and the method that will first be invoked is Jarico.Buta. 
The DLL is also obfuscated and has relatively few classes:\r\nA breakpoint is set on Jarico.Buta and execution is continued through to here:\r\nShortly after this, an image object is returned by a method that takes a resource name and project name as parameters. Breaking at this point shows that the project and resource are the loader and image:\r\nThe image is run through several decoding methods, which produce an additional executable:\r\nStepping through a little further we see the executable is named “IDvurjJAoNJbsjjolQx” and the entry point is the Main method:\r\nThird Stage\r\nIDvurjJAoNJbsjjolQx is an obfuscated executable with a sizable resource named “YMh2sbk1276”:\r\nNo direct reference to this is found; however, a method is found in which a resource is loaded into a byte array, so a breakpoint is set after the array has been formed:\r\nThe value of \\uE00C confirms that the loaded resource is what was expected. Contents of this resource are passed through several decoding routines to produce another executable:\r\nUnpacked Stealer\r\nThe memory section is dumped to disk and the resulting file – the AgentTesla stealer – is opened in a new dnSpy session. While still a little obfuscated, the source is relatively easy to read through:\r\nIn this sample, configuration items are extracted from a specific position (i.e. offset and length) within a UTF8 byte array and converted to string format:\r\nWe can also set a breakpoint prior to HTTP POSTs or email messages being sent to obtain the respective config (i.e. 
HTTP request or SMTP credentials):\r\nImports are made for the kernel functions required by the keylogger:\r\nAnd below these is the method that implements the keylogger:\r\nAnother Loader\r\nThis second sample illustrates a couple of different aspects of .NET malware: anti-tamper measures and persistence.\r\nUpon loading the sample into dnSpy and jumping to the module initialiser, we are presented with decompiler errors deliberately caused by the anti-decompiler measures implemented by the obfuscator:\r\nAttempting to run the sample also fails, and the method at the entry point of the program appears to be empty. While it is possible to remove these protections with dnSpy by editing the IL instructions, a much faster method is simply running the payload and dumping the unpacked assemblies with a tool such as MegaDumper (https://github.com/CodeCracker-Tools/MegaDumper):\r\nHollows Hunter (https://github.com/hasherezade/hollows_hunter) is also a useful tool in similar situations.\r\nThis produced two executables and a handful of DLLs:\r\nThe smaller executable is AgentTesla and the larger is a loader.\r\nModules\r\nIn this case, the level of obfuscation is much lower than in the previous sample, so more insight into the capabilities can be gleaned thanks to cleaner class, method and attribute names (e.g. 
DPAPI, HttpToSocks5Proxy, SafariDecrypter, TorBrowser, VaultCli, etc):\r\nWhile the previous sample used the simple method of storing the configuration as plaintext in a UTF8 byte array, this one instead stores an encrypted configuration as a list of unsigned integer arrays:\r\nPersistence\r\nAmong the functions of the loader is setting up persistence via a scheduled task. The bytes of the current assembly are first written to a path under %APPDATA%:\r\nA scheduled task XML configuration is then formed, referencing the path of the dropped executable, and written out to a temporary text file:\r\nThe configuration is passed to schtasks.exe, which sets up the scheduled task according to the XML:\r\nIn effect, the scheduled task will run gnFZsnV.exe upon logon. Scheduled tasks aren’t a particularly stealthy method of persistence, so should a suspected victim of AgentTesla be triaged, the scheduled task will be highlighted by Sysinternals AutoRuns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns):\r\nDetection and Mitigation\r\nMail: Given the predominant method of delivery is mail, robust mail filters, external sender warnings and end-user education form a significant part of defense against AgentTesla.\r\nNetwork: Depending on the capabilities of your firewall IPS, blocking traffic to known Tor nodes or traffic identified as Tor, combined with SMTP whitelisting, will help to prevent exfiltration. If your firewall supports TLS inspection, do it. FortiGate, ForcePoint and Palo Alto all have signatures for AgentTesla. Public IP lookups using the ipify service are also a potential indicator.\r\nEndpoint: Detection of AgentTesla is not difficult. 
Reputable EDR products, such as Defender ATP and SentinelOne, will have you sleeping easy. There are also a number of hardening steps that can be taken to reduce the impact of maldocs, including blocking the execution of macros and ASR rules to block Office child processes.\r\nSamples\r\nswift copy.exe (SHA256: 2ba9db3110899e60daeecb086d4f53adc1cfab127820db3d230c383e74f7172c):\r\nhttps://tria.ge/201201-lbk71xggyx\r\nexe (SHA256: bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e):\r\nhttps://tria.ge/201201-3yr3d6cakn\r\nWant More?\r\nIf you enjoyed this blog post and want to follow other interesting malware finds that I make, I regularly share them on Twitter: @phage_nz\r\nIf you'd like to find out more about how Inde can help detect this security threat, you can contact us here.\r\nChris Campbell\r\nChris was that notoriously disobedient kid who sat at the back of the class and always seemed bored, but somehow still managed to ace all of his exams. Obsessed with the finer details and mechanics of everything in both the physical and digital realms, Chris serves as the Technical Director within the Inde Security Team. His ventures into computer security began at an early age and haven't slowed down since. After a decade spent across security and operations, and evenings spent diving into the depths of malware and operating systems, he brings a wealth of knowledge to Inde along with a uniquely adversary-focused approach to defence. Like many others at Inde, Chris likes to unwind by hitting the bike trails or pretending to be a BBQ pitmaster. He is also heavily involved in the leadership of security events, trust groups and research projects.\r\nSource: https://www.inde.nz/blog/inside-agenttesla",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.inde.nz/blog/inside-agenttesla"
	],
	"report_names": [
		"inside-agenttesla"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434077,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/442d480718424bbb34e0ab79b88d8580e8edd2be.pdf",
		"text": "https://archive.orkl.eu/442d480718424bbb34e0ab79b88d8580e8edd2be.txt",
		"img": "https://archive.orkl.eu/442d480718424bbb34e0ab79b88d8580e8edd2be.jpg"
	}
}