Malware Analysis — AgentTesla
By 0xMrMagnezi
Published: 2024-02-15 · Archived: 2026-04-05 23:45:04 UTC
3 min read · Feb 15, 2024

Agent Tesla is a widely used remote access Trojan (RAT) known for its keylogging and data exfiltration capabilities, often used in cyber espionage and information theft. In this report I will analyze an AgentTesla sample that was uploaded to MalwareBazaar.

[Image: MalwareBazaar — Initial Sample]

Stage 1-

As usual I downloaded the file and extracted it using the password “infected”.

[Image: .BAT file]

Just from looking at it I noticed that I’m dealing with JS and PowerShell code. I assumed that trying to deobfuscate this .BAT file would be a waste of time, so I ran it in order to capture the PowerShell script that was being executed.

[Image: Capture of the PowerShell code]

As I suspected, the PowerShell was starting under cmd.exe (the .BAT), so I extracted it from the command line. It is also important to note that the original BAT file was deleted after execution.

Stage 2-

[Image: Obfuscated PowerShell code that was extracted from the command line]

After a little bit of dirty work I managed to deobfuscate the PS code.

[Image: Deobfuscated PowerShell code]

In summary, this script downloads a new file (.JPG) and executes it.

Stage 3-

I decided to get that file on my own terms without executing it, so I curled this path and saved the output as “out”.
[Image: Curl to the attacker JPG path]

This out file contained another obfuscated PowerShell script, so I had to do more deobfuscation.

[Image: Obfuscated PowerShell]

The first var — “u8yee” — was going through manipulation in which, at the end, it swapped “A” with “00”.

[Image: Using CyberChef to decode]

[Image: After some cleaning and deobfuscation of the code]

In summary, the first function decompresses any byte array that it gets as an argument.

The next 2 vars — “y74gh00rffd” and “eSQy” — are also going through manipulation just like before, just a bit different. The letters “EV” are being replaced by “0x”, which is the representation of hex. In addition to this replacement, the resulting byte array is being passed to the decoding functions.

[Image: First Byte Array Decode]

[Image: Second Byte Array Decode]

I knew this process was a success as soon as I saw the “MZ” at the beginning of the file — an indication of a DOS executable. I saved those 2 new files as .BIN files.

Stage 4-

[Image: Finding out that one file is an EXE and the other is a DLL — both written in .NET]

While debugging this executable in dnSpy I noticed that I’m dealing with an info stealer / keylogger with more features and capabilities. The data is being sent using SMTP.
[Image: Finding the SMTP password to the attacker]

[Image: Finding the information about the computer that is being sent to the attacker]

[Image: The mail addresses that were found]

Source: https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825
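The stage-3 byte-array decoding described above, reproduced as an added Python example that is not part of the original post: it undoes the “EV” to “0x” swap, parses the recovered byte literals, decompresses them and checks for the “MZ” magic. The sample blob is constructed here, and gzip is an assumption, since the post only says the function decompresses its argument.

```python
import gzip
import re

# Constructed sample (not the real payload): a fake "executable" that starts with
# the DOS "MZ" magic, gzip-compressed and written as PowerShell-style byte literals
# whose "0x" prefix has been swapped for "EV", mimicking the second-stage script.
FAKE_PE = b"MZ" + b"\x90\x00" * 30 + b"This program cannot be run in DOS mode."


def obfuscate(blob: bytes, prefix_token: str = "EV") -> str:
    """Embed a blob the way the loader did: compress it, then write 0xNN
    literals with the hex prefix replaced by an arbitrary token (here "EV")."""
    compressed = gzip.compress(blob)
    return ",".join(f"{prefix_token}{b:02X}" for b in compressed)


SAMPLE = obfuscate(FAKE_PE)


def deobfuscate(literal: str, swaps: dict) -> bytes:
    """Reverse the string swaps (e.g. {"EV": "0x"}), parse the recovered 0xNN
    literals into a byte array and decompress it.
    Assumption: gzip; the post does not name the compression algorithm."""
    for fake, real in swaps.items():
        literal = literal.replace(fake, real)
    raw = bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", literal))
    return gzip.decompress(raw)


def is_dos_executable(blob: bytes) -> bool:
    """The "MZ" magic the post used to confirm the decode worked."""
    return blob[:2] == b"MZ"


def recover_payload(literal: str = SAMPLE) -> bytes:
    """Full pipeline: string swap -> byte array -> decompress -> MZ check."""
    payload = deobfuscate(literal, {"EV": "0x"})
    if not is_dos_executable(payload):
        raise ValueError("decoded blob does not start with MZ: wrong swap or compression")
    return payload


if __name__ == "__main__":
    pe = recover_payload()
    print(f"recovered {len(pe)} bytes, starts with {pe[:2]!r}")
```

Write the returned bytes to a .bin file, as the post does, before loading them into a .NET decompiler.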