# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training InfoSec Handlers Diary Blog **isc.sans.edu/diary/rss/28190** ## Agent Tesla Updates SMTP Data Exfiltration Technique **Published: 2021-12-30** **Last Updated: 2021-12-30 00:21:07 UTC** **by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan) [0 comment(s)](https://isc.sans.edu/forums/diary/Agent+Tesla+Updates+SMTP+Data+Exfiltration+Technique/28190/#comments) **_Introduction_** [Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to](https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla) exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. Earlier today, I reviewed post-infection traffic from a recent sample of Agent Tesla. This activity revealed a change in Agent Tesla's SMTP data exfiltration technique. Through November 2021 Agent Tesla samples sent their emails to compromised or possibly fraudulent email accounts on mail servers established through hosting providers. Since December 2021, Agent Tesla now uses those compromised email accounts to send stolen data to Gmail addresses. ----- _Shown above: Flow chart of recent change in Agent Tesla SMTP data exfiltration._ **_SMTP exfiltration before the change_** Agent Tesla is typically distributed through email, and the following sample was likely an attachment from malicious spam (malspam) sent on 2021-11-28. SHA256 hash: [bdae21952c4e6367fe534a9e5a3b3eb30d045dcb93129c6ce0435c3f0c8d90d3](https://www.virustotal.com/gui/file/bdae21952c4e6367fe534a9e5a3b3eb30d045dcb93129c6ce0435c3f0c8d90d3) File size: 523,919 bytes File name: Purchase Order Pending Quantity.zip Earliest Contents Modification: 2021-11-28 19:55:50 UTC SHA256 hash: [aa4ea361f1f084b054f9871a9845c89d68cde259070ea286babeadc604d6658c](https://www.virustotal.com/gui/file/aa4ea361f1f084b054f9871a9845c89d68cde259070ea286babeadc604d6658c) File size: 557,056 bytes File name: Purchase Order Pending Quantity.exe Any.Run analysis from 2021-11-29: [link](https://app.any.run/tasks/393a90ed-8b35-41be-8d2d-28cec8facef1/) The packet capture (pcap) from Any.Run's analysis shows a typical SMTP data exfiltration path. The infected Windows host sent a message with stolen data to an email address, and that address was on a mail server established through a hosting provider. ----- _Shown above: Traffic from the Any.Run analysis filtered in Wireshark._ ----- _Shown above: TCP stream of SMTP traffic shows stolen data sent to the compromised_ _email account._ **_Example after the change_** The following Agent Tesla sample was likely an attachment from malspam sent on 2021-1201. [SHA256 hash: 6f85cd9df964afc56bd2aed7af28cbc965ea56e49ce84d4f4e91f4478d378f94](https://www.virustotal.com/gui/file/6f85cd9df964afc56bd2aed7af28cbc965ea56e49ce84d4f4e91f4478d378f94) File size: 375,734 bytes File name: unknown Earliest Contents Modification: 2021-12-01 05:02:06 UTC [SHA256 hash: ff34c1fd26b699489cb814f93a2801ea4c32cc33faf30f32165b23425b0780c7](https://www.virustotal.com/gui/file/ff34c1fd26b699489cb814f93a2801ea4c32cc33faf30f32165b23425b0780c7) File size: 537,397 bytes File name: Partial Shipment.exe ----- [Any.Run analysis from 2021-12-01: link](https://app.any.run/tasks/cd9a5893-f552-4776-9a2a-3bd843bf3213/) The pcap from Any.Run's analysis of this malware sample shows a new data exfiltration path. The infected Windows host sent a message with stolen data to a Gmail address using a compromised email account from a mail server established through a hosting provider. _Shown above: Traffic from the Any.Run analysis filtered in Wireshark._ ----- _Shown above: TCP stream shows stolen data sent to Gmail address using the compromised_ _email account._ **_Final words_** The basic tactics of Agent Tesla have not changed. However, post-infection traffic from samples since 2021-12-01 indicates Agent Tesla using STMP for data exfiltration now sends to Gmail addresses. Based on the names of these addresses, I believe they are fraudulent Gmail accounts, or they were specifically established to receive data from Agent Tesla. -- Brad Duncan brad [at] malware-traffic-analysis.net [Keywords: Agent Tesla](https://isc.sans.edu/tag.html?tag=Agent%20Tesla) [AgentTesla](https://isc.sans.edu/tag.html?tag=AgentTesla) [0 comment(s)](https://isc.sans.edu/forums/diary/Agent+Tesla+Updates+SMTP+Data+Exfiltration+Technique/28190/) Join us at SANS! Attend [with Brad Duncan in starting](https://isc.sans.edu/diary/rss/28190) ----- Top of page × [Diary Archives](https://isc.sans.edu/diaryarchive.html) -----