{
	"id": "f5f55237-a598-4c10-8855-65cded96b944",
	"created_at": "2026-04-06T00:12:28.642468Z",
	"updated_at": "2026-04-10T13:11:29.219274Z",
	"deleted_at": null,
	"sha1_hash": "9888c3a4031458de1841668fe9cf5f554e128b5b",
	"title": "Trojan Agent Tesla – Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1651009,
	"plain_text": "Trojan Agent Tesla – Malware Analysis\r\nPublished: 2020-04-05 · Archived: 2026-04-05 13:08:44 UTC\r\nHash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25\r\nFamily: Agent Tesla\r\nDownloaded Sample Link: Click here\r\nSignature: Microsoft Visual C# v7.0/ Basic.NET\r\nFilename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe\r\nVirusTotal score:\r\nMalware behavior:\r\nSteal browser information (URLs, usernames, passwords).\r\nSteal passwords for email clients.\r\nSteal FTP client credentials.\r\nSteal download manager passwords.\r\nCollect OS and hardware information.\r\nBrowser Information:\r\nhttps://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/\r\nPage 1 of 9\r\nWhen I debug the malware executable, it initially creates a SQLite database to store the information collected from the victim's machine.\r\nBelow are the tables getting created.\r\nTables created:\r\nmeta\r\nlogins\r\nsqlite_sequence\r\nstats\r\ncompromised_credentials\r\nI found it collected browser data (Google Chrome), which includes accessed URLs and the related usernames and passwords.\r\nThe database table logins stores all browser-related information. Below are the table columns.\r\nApart from this, the malware also looks for many different types of browsers to steal data from. It looks for the browsers below:\r\nOpera Browser\r\nYandex Browser\r\n360 Browser\r\nIridium Browser\r\nComodo Dragon\r\nCool Novo\r\nChromium\r\nTorch Browser\r\n7Star\r\nAmigo\r\nBrave\r\nCentBrowser\r\nChedot\r\nCoccoc\r\nElements Browser\r\nEpic Privacy\r\nKometa\r\nOrbitum\r\nSputnik\r\nUran\r\nVivaldi\r\nCitrio\r\nLiebao Browser\r\nSleipnir 6\r\nQIP Surf\r\nCoowon\r\nThe screenshot below was taken while debugging the malware.\r\nThe malware also looks for the email clients below. I hadn't installed any of them on my machine while analyzing this.\r\nEmail Clients:\r\nOutlook\r\nThunderbird\r\nFoxmail\r\nOpera Mail\r\nPocomail\r\nClaws-mail\r\nPostbox\r\nFTP Clients:\r\nThe malware grabs credentials from FTP clients as well. See the list below.\r\nFileZilla\r\nCore FTP\r\nSmartFTP\r\nFTPGetter\r\nFlashFXP\r\nIt also makes an FTP web request (the remote server could not be found).\r\nIt uses an SMTP client to send information over the network using port 587, which indicates sending data from the SMTP client to a particular SMTP server through mail attachments.\r\nThe malware executable also makes an HTTPWebRequest, which must be downloading the SMTP client to transfer data to the remote SMTP server.\r\nUnfortunately, it didn't make any connection to any remote server address.\r\nSummary:\r\nSteal browser information including URLs, usernames and passwords.\r\nSteal email client credentials.\r\nSteal credentials of FTP servers.\r\nComputer information.\r\nThank you.\r\nSource: https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/"
	],
	"report_names": [
		"trojan-agent-tesla-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9888c3a4031458de1841668fe9cf5f554e128b5b.pdf",
		"text": "https://archive.orkl.eu/9888c3a4031458de1841668fe9cf5f554e128b5b.txt",
		"img": "https://archive.orkl.eu/9888c3a4031458de1841668fe9cf5f554e128b5b.jpg"
	}
}