Trojan Agent Tesla – Malware Analysis
Published: 2020-04-05 · Archived: 2026-04-05 13:08:44 UTC
Skip to content
Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25
Family : Agent Tesla
Downloaded Sample Link: Click here
Signature: Microsoft Visual C# v7.0/ Basic.NET
Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe
VirusTotal score:
Malware behavior:
Steal browser information (URL, Usernames, Passwords)
Steal passwords for email clients.
Steal FTP Clients
Steal download manager passwords.
Collect OS and hardware information.
Browser Information:
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 1 of 9

When I debug the malware executable, Initially it creates a SQLite database to store collected information from
victims machine.
Below are the tables getting created.
Tables created:
meta
logins
sqlite_sequence
stats
compromised_credentials
found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and
passwords.
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 2 of 9

database table logins stores all browser related information. Below are the table columns.
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 3 of 9

Apart from this, malware also look for all different types of browsers to steal data from it.
It look for below browsers:
Opera Browser
Yandex Browser
360 Browser
Iridium Browser
Comodo Dragon
Cool Novo
Chromium
Torch Browser
7Star
Amigo
Brave
CentBrowser
Chedot
Coccoc
Elements Browser
Epic Privacy
Kometa
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 4 of 9

Orbitum
Sputnik
Uran
Vivaldi
Citrio
Liebao Browser
Sleipnir 6
QIP Surf
Coowon
Below screenshot taken while debugging malware.
Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.
Email Clients:
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 5 of 9

Outlook
Thunderbird
Foxmail
Opera Mail
Pocomail
Claws-mail
Postbox
FTP Clients:
Malware grabs credentials from FTP clients as well. Below list.
FileZilla
Core FTP
SmartFTP
FTPGetter
FlashFXP
It also makes FTP web request. (Remote Server couldn’t find)
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 6 of 9

It uses smtp client to send information over the network using port 587 which indicates sending data from smtp
client to a particular smtp Server through mail attachments.
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 7 of 9

Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to
remote SMTP server.
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 8 of 9

unfortunately, it didn’t make any connection to any remote server address.
Summary:
Steal Browser Information including urls, usernames and passwords.
Steal email client credentials.
Steal credentials of FTP servers.
Computer information.
Thank you.
Source: https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
Page 9 of 9