Deep Analysis Agent Tesla Malware
By Gameel Ali
Published: 2022-01-21 · Archived: 2026-04-05 15:26:18 UTC
https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/

Agent Tesla

Agent Tesla is a keylogger and information stealer. Security researchers first saw it in late 2014; since then it has been sold in various forms on underground forums and marketplaces, and it was originally marketed through agentTesla.com. Its features include keystroke logging, clipboard logging, screen capture and extraction of stored passwords from many browsers. It supports all versions of the Windows operating system and is written in .NET.

Infection cycle

The most common initial vector is an email attachment delivered with social engineering: the lure persuades the user to open the attachment and enable the macro embedded in it. The macro then contacts the C2 server and downloads the .NET payload onto the system. That payload is usually packed and obfuscated to evade anti-virus and other security products.

Figure(1): How Malware Infects the Machine.

Stage 1

Artifacts

No. | Description | Info
1 | MD5 hash | af98b88c0b5dc353fbe536bd6fb8c4ec
2 | SHA1 hash | 91dcc7418323004579a58f6fa3ea4f969127cde6
3 | File size | 200 KB
4 | VirusTotal detection | 55/70

Identifying the packer

Basic static analysis of the first stage shows that it is packed. Detect It Easy reports the high entropy that a packed or encrypted section produces, as the next figure shows. (High entropy tells you that the content is compressed or encrypted; it does not by itself identify the packer.)

Figure(2): Identify Packed Malware.

Unpacking

To speed up unpacking, I used the UNPACME service on the first stage. UNPACME only extracts packed or encrypted Windows Portable Executable (PE) files that are embedded in the submission, so what comes out is the embedded .NET payload, still obfuscated.

Stage 2

Artifacts

No. | Description | Info
1 | MD5 hash | ee1aa7d0c4291a2bc16599b15d8664dc
2 | SHA1 hash | 5862a0b6f72530d3ece74e4252d10c95f51e1915
3 | File size | 216 KB
4 | VirusTotal detection | No match

The second stage hides its configuration: a single obfuscation function is called from many places in the code to conceal the information the sample needs.

Figure(3): Obfuscation Function.

A decryption function then recovers the many strings the malware uses as configuration. Because the strings are only decrypted at run time, nothing about the sample is visible until it is executed.

Figure(4): Encrypted Array With Decryption Algorithm.

We can extract the configuration with a Python script that reproduces the decryption of the large array: every byte is XORed with its own index and with the constant 170 (0xAA). The listing on the page only shows the first bytes of the array; the output buffer it wrote to was missing from the listing, so it is declared here.

    encrypted = b'\x98\x9b\x99\xd0\xd7\xd6\xd5\x80\xef\xee\x8d\xc5\xc2\x87\xec\xed\x80\xd6\xd5\x83\xcd\xcc\xc5\xc4'  # truncated here; the full array is much longer
    array = bytearray(encrypted)
    bytearray1 = bytearray(len(array))   # output buffer (not shown in the original listing)
    for counter, i in enumerate(array):
        # plaintext byte = ciphertext byte XOR its index XOR 0xAA
        bytearray1[counter] = (i ^ counter ^ 170) & 0xff
    print(bytearray1)

The beginning of the decrypted configuration looks like this:

201yyyy-MM-dd HH:mm:ssyyyy_MM_dd_HH_mm_ss --- ObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlo

The first strings are .NET date format strings (used for timestamps in logs and file names); "ObjectLength", "ChainingModeGCM", "AuthTagLength", "ChainingMode" and "KeyDataBlob" are Windows CNG (BCrypt) property names, which suggests the sample uses AES-GCM through CNG later on.

Deobfuscation

I deobfuscated the sample with de4dot. Its string decrypter needs the metadata tokens of the decryption methods; in dnSpy we can take the token of the first decryption function and the token of the last one (0x06xxxxxx tokens are MethodDef entries).

Figure(5): First Token and Last Token.

A short Python script prints one --strtok argument for every token in that range, ready to paste into the de4dot command line. Note that range() excludes its end value, so 1 is added to include the last token.

    tokens = ""
    for i in range(0x0600022E, 0x06000543 + 1):
        tokens += " --strtok " + hex(i)
    tokens2 = tokens.replace("0x", "")   # de4dot takes bare hex tokens
    print(tokens2)

Running de4dot with those tokens (the list below is shortened) decrypts the strings in place and gives us the final stage:

    de4dot.exe last_payload --strtype delegate --strtok 600022e --strtok 600022f --strtok 6000230 --strtok 6000231 ...

Final Stage

Artifacts

No. | Description | Info
1 | MD5 hash | fbc921fbb1639073c30bbb19e68248fc
2 | SHA1 hash | 56e6b58a1d42459be3d0f46fe932c1ca12564d21
3 | File size | 183 KB
4 | VirusTotal detection | No match

Determining the functionality of the malware

Agent Tesla uses a set of global variables to decide which behaviours are enabled. Their values come from the decrypted configuration, as the next figure shows.

Figure(6): Set Global Variables.

Persistence

Agent Tesla achieves persistence by registering itself under the following registry keys (the results are in the next figure):

Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

Figure(7): Persistence.

Browser stealing activities

The malware carries a long list of web browsers and checks whether any of them is installed on the victim's machine. For every browser it finds, it extracts the stored credentials and sends them to the attacker, as the next figure shows.

Figure(8): Search For Web Browsers.
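The Stage 2 decryption routine above is a one-line XOR, but in practice the constant (170 here) has to be read out of the decompiled code first. The following added example is not the original post's script: it packages the same index-and-constant XOR as a reusable function, recovers the constant from a known-plaintext crib when it is not known (the .NET format string "yyyy-MM-dd" is a natural crib for this family), and splits the decrypted blob into printable strings. The 24 encrypted bytes are the ones shown on the page; the second sample, its key and its plaintext are constructed for the demonstration.

```python
"""
Added example (not the original post's code): index-and-constant XOR
decryption for an Agent Tesla string array, plus crib-based key recovery.
"""


def xor_index_decrypt(data: bytes, key: int) -> bytes:
    """Reverse the sample's scheme: plaintext[i] = cipher[i] ^ i ^ key.

    Folding the index into the key stream means equal plaintext bytes do not
    give equal ciphertext bytes, so a plain single-byte-XOR scan will miss it.
    """
    return bytes((b ^ i ^ key) & 0xFF for i, b in enumerate(data))


def xor_index_encrypt(data: bytes, key: int) -> bytes:
    """XOR is an involution, so encryption is the same operation."""
    return xor_index_decrypt(data, key)


def recover_keys(data: bytes, crib: bytes) -> list:
    """Return every single-byte key under which `crib` occurs in the plaintext.

    A printable-ratio score is not enough on its own: XOR with a small constant
    keeps most ASCII printable, so several keys tie. A crib of a few bytes
    that must appear in the config (a date format string, a protocol name)
    pins the key down.
    """
    return [k for k in range(256) if crib in xor_index_decrypt(data, k)]


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Split a decrypted blob into runs of printable ASCII, like `strings`."""
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Encrypted bytes copied from the page (the array is truncated there as well).
PAGE_SAMPLE = (b"\x98\x9b\x99\xd0\xd7\xd6\xd5\x80\xef\xee\x8d\xc5"
               b"\xc2\x87\xec\xed\x80\xd6\xd5\x83\xcd\xcc\xc5\xc4")
PAGE_KEY = 170  # the constant the sample's decryption routine XORs in

# Constructed sample with a different key, to show key recovery from a crib.
# The NUL separators and the values are assumptions, not from the sample.
DEMO_PLAINTEXT = b"example.config\x00smtp.example.net\x00587"
DEMO_KEY = 0x5C
DEMO_SAMPLE = xor_index_encrypt(DEMO_PLAINTEXT, DEMO_KEY)


if __name__ == "__main__":
    print(xor_index_decrypt(PAGE_SAMPLE, PAGE_KEY))   # b'201yyyy-MM-dd HH:mm:ssyy'
    print(recover_keys(PAGE_SAMPLE, b"yyyy-MM-dd"))    # [170]
    print(recover_keys(DEMO_SAMPLE, b"smtp"))          # [92]
    print(printable_strings(xor_index_decrypt(DEMO_SAMPLE, DEMO_KEY)))
```

For a real sample, replace PAGE_SAMPLE with the full array dumped from the decompiled class and run recover_keys with a crib you expect in the config; if more than one key survives, try a longer crib before trusting the output.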
List of browsers

CocCoc, Pale Moon, Firefox Web-browser, Flock, Liebao, Iridium, ChromePlus, Chromium, Orbitum, Coowon, 360Chrome, Sputnik, Amigo, Opera, 7Star, Torch, Yandex, Sleipnir5, Vivaldi, Uran, Centbrowser, Chedot, Brave-browser, Elements Web browser, BlackHawk, SeaMonkey, CyberFox, QQBrowser, IceCat, Waterfox Web-browser, K-Meleon, Chrome, IceDragon, Falkon, UCBrowser, Edge, Citrio, Epic privacy browser, Kometa, Safari, QIP Surf

Email stealing activities

The malware searches the victim's machine for several email clients; for each one it finds, it steals the stored credentials and sends them to the attacker, as the next figure shows.

Figure(9): Search For Emails.

FTP utility stealing activities

The malware searches for FTP clients and steals their saved login credentials. For some applications it also collects other application-specific information; the results are in the figure.

Figure(10): Search For FTP Utilities.

VPN stealing activities

The malware searches for VPN clients on the victim's machine and steals their credentials. With those credentials the attacker can reach the victim's remote systems directly, as the next figure shows.

Figure(11): Search For VPN Activities.

Windows credentials

The malware searches for stored Windows credentials on the victim's machine and sends any it finds to the attacker, as the next figure shows.

Figure(12): Search For Windows Credentials Activities.
VNC program credentials

The malware searches for VNC programs on the victim's machine and steals their saved credentials, as the next figure shows.

Figure(13): Search For VNC Activities.

Exfiltration

Once the data has been collected, the malware packages it and sends it to the attacker over whichever channel the configuration selects (see Communications below); the exfiltration routine is shown in the figure.

Figure(14): Exfiltration.

Communications

The malware can communicate with the attacker over HTTP, FTP or SMTP, and it can also use Telegram. The following sections give more detail on each channel.

HTTP

Stolen data is posted to the C2 server; the results are in the next figure.

Figure(15): HTTP Communication.

FTP

The malware can upload the stolen data to an FTP server controlled by the attacker; the results are in the next figure.

Figure(16): FTP Communication.

SMTP

The malware uses a compromised (or attacker-owned) email account to send the stolen data to a mail server under the attacker's control, as the next figure shows.

Figure(17): SMTP Communication.

Telegram

The exfiltrated data is sent to a private Telegram chat through the Telegram bot API.

Downloading and running files

The malware can download and run files from [hxxp://CsQCyR.com], as the next figure shows.

Figure(18): Downloading and running files.

Fingerprinting

The malware gathers information about the infected machine; the items below are the data it tries to collect.

Computer name, user name

The malware collects the ComputerName and UserName, as the next figure shows.

Figure(19): Get ComputerName And UserName.
External IP

The malware makes an HTTP request to "hxxps://api.ipify.org" to learn the victim's external IP address, as the next figure shows. (A request to api.ipify.org from an unexpected process is a useful network indicator, although legitimate software also uses the service.)

Figure(20): Get External IPs.

Memory

The malware collects information about the installed memory, as the next figure shows.

Figure(21): Collect Information For Memory.

Processor

The malware collects information about the processor, as the next figure shows.

Figure(22): Collect Information For Processor.

Uninstall

The malware can uninstall itself, as the next figure shows.

Figure(23): Malware Able to Uninstall itself.

Cookies for browsers

The malware attempts to collect cookies from its list of browsers; after collecting them it contacts the C2 and sends them to the attacker. The results are in the next figure.

Figure(24): cookies For Browsers.

Cookies from SQLite databases

The malware reads cookies from the browsers' SQLite cookie databases and sends them to the attacker over the C2 channel, as the next figure shows.

Figure(25): Cookies For SQLite.

Credentials for FTP applications

The malware collects the user names and passwords saved by FTP applications, as the next figure shows.

Figure(26): Cookies For FTP Application.

User names and passwords for browsers

The malware searches the browsers' credential stores for user names and passwords, as the next figure shows.

Figure(27): Collect UserNames, Passwords For Browsers.

Screenshots

The malware captures screenshots of the infected machine and sends the images to the C2.

Figure(28): Malware Takes Screenshots.
Keystrokes

Keystrokes are recorded and sent to the C2 server, as the next figure shows.

Figure(29): Keystrokes.

Clipboard

The malware adds its own window to the chain of clipboard viewers (the behaviour of the SetClipboardViewer API), so it is notified of every clipboard change and can harvest the clipboard contents, as the next figure shows.

Figure(30): clipboard.

Tor

The malware can route its traffic through the Tor client. Tor is free, open-source software for anonymous communication: it directs traffic through a volunteer-run overlay network of more than six thousand relays, which hides the real C2 address from network monitoring.

Figure(31): TOR.

Deleting the Zone.Identifier ADS

The malware can delete the Zone.Identifier alternate data stream (the mark-of-the-web that Windows attaches to downloaded files), as the next figure shows.

Figure(32): Deleting ADS (Zone identifier).

Summary

Stealing

FTP client credentials
30 different web browsers (logins/passwords, cookies)
Windows credentials
Mail client credentials
VPN client credentials
Chat client credentials
VNC program credentials

Capabilities

Persistence: "Software\Microsoft\Windows\CurrentVersion\Run" and "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
Using "hxxps://api.ipify.org" to get the external IP
Downloading and running files from hxxp://CsQCyR.com
Fingerprinting: PC name, processor, RAM, others
Uninstalling itself
Deleting the Zone.Identifier ADS
Taking screenshots
Keylogging
Socket communication
Web communication
Clipboard data
Tor client

References

https://www.youtube.com/watch?v=BM38OshcozE&t=2177s
https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware

Source: https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/