{
	"id": "a71f2ad4-aa4c-478e-b504-59fae466f18b",
	"created_at": "2026-04-06T00:12:33.361426Z",
	"updated_at": "2026-04-10T03:22:12.311338Z",
	"deleted_at": null,
	"sha1_hash": "b53402a38d0288b105e9216ac8f0e925c17da29c",
	"title": "Agent Tesla Updates SMTP Data Exfiltration Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3223335,
	"plain_text": "Agent Tesla Updates SMTP Data Exfiltration Technique\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 23:11:26 UTC\r\nIntroduction\r\nAgent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data.  This malware has been around since 2014, and SMTP is its most common method for data exfiltration.\r\nEarlier today, I reviewed post-infection traffic from a recent sample of Agent Tesla.  This activity revealed a change in Agent Tesla's SMTP data exfiltration technique.\r\nThrough November 2021 Agent Tesla samples sent their emails to compromised or possibly fraudulent email accounts on mail servers established through hosting providers.  Since December 2021, Agent Tesla now uses those compromised email accounts to send stolen data to Gmail addresses.\r\nShown above:  Flow chart of recent change in Agent Tesla SMTP data exfiltration.\r\nSMTP exfiltration before the change\r\nAgent Tesla is typically distributed through email, and the following sample was likely an attachment from malicious spam (malspam) sent on 2021-11-28.\r\nhttps://isc.sans.edu/diary/rss/28190\r\nPage 1 of 5\n\nSHA256 hash: bdae21952c4e6367fe534a9e5a3b3eb30d045dcb93129c6ce0435c3f0c8d90d3\r\nFile size: 523,919 bytes\r\nFile name: Purchase Order Pending Quantity.zip\r\nEarliest Contents Modification: 2021-11-28 19:55:50 UTC\r\nSHA256 hash: aa4ea361f1f084b054f9871a9845c89d68cde259070ea286babeadc604d6658c\r\nFile size: 557,056 bytes\r\nFile name: Purchase Order Pending Quantity.exe\r\nAny.Run analysis from 2021-11-29: link\r\nThe packet capture (pcap) from Any.Run's analysis shows a typical SMTP data exfiltration path.  The infected Windows host sent a message with stolen data to an email address, and that address was on a mail server established through a hosting provider.\r\nShown above:  Traffic from the Any.Run analysis filtered in Wireshark.\r\nShown above:  TCP stream of SMTP traffic shows stolen data sent to the compromised email account.\r\nExample after the change\r\nThe following Agent Tesla sample was likely an attachment from malspam sent on 2021-12-01.\r\nSHA256 hash: 6f85cd9df964afc56bd2aed7af28cbc965ea56e49ce84d4f4e91f4478d378f94\r\nFile size: 375,734 bytes\r\nFile name: unknown\r\nEarliest Contents Modification: 2021-12-01 05:02:06 UTC\r\nSHA256 hash: ff34c1fd26b699489cb814f93a2801ea4c32cc33faf30f32165b23425b0780c7\r\nFile size: 537,397 bytes\r\nFile name: Partial Shipment.exe\r\nAny.Run analysis from 2021-12-01: link\r\nThe pcap from Any.Run's analysis of this malware sample shows a new data exfiltration path.  The infected Windows host sent a message with stolen data to a Gmail address using a compromised email account from a mail server established through a hosting provider.\r\nShown above:  Traffic from the Any.Run analysis filtered in Wireshark.\r\nShown above:  TCP stream shows stolen data sent to Gmail address using the compromised email account.\r\nFinal words\r\nThe basic tactics of Agent Tesla have not changed.  However, post-infection traffic from samples since 2021-12-01 indicates Agent Tesla using SMTP for data exfiltration now sends to Gmail addresses.  Based on the names of these addresses, I believe they are fraudulent Gmail accounts, or they were specifically established to receive data from Agent Tesla.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28190",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28190"
	],
	"report_names": [
		"28190"
	],
	"threat_actors": [],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b53402a38d0288b105e9216ac8f0e925c17da29c.pdf",
		"text": "https://archive.orkl.eu/b53402a38d0288b105e9216ac8f0e925c17da29c.txt",
		"img": "https://archive.orkl.eu/b53402a38d0288b105e9216ac8f0e925c17da29c.jpg"
	}
}