{
	"id": "c38c6dc2-6f26-42af-b699-f80a03929ee8",
	"created_at": "2026-04-06T00:09:09.454223Z",
	"updated_at": "2026-04-10T03:21:17.604633Z",
	"deleted_at": null,
	"sha1_hash": "cd2b0589adf383463b4be02c0ed3907b46e1a455",
	"title": "Agent Tesla: A Lesson in How Complexity Gets You Under the Radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 222583,
	"plain_text": "Agent Tesla: A Lesson in How Complexity Gets You Under the\r\nRadar\r\nBy Guy Propper\r\nPublished: 2020-07-02 · Archived: 2026-04-05 14:59:13 UTC\r\nAgent Tesla is a prolific strain of spyware, that is being sold online since 2014. It is advertised in dark-web forums\r\nas a legitimate monitoring software not intended for malicious purposes. However, its extensive password\r\nextraction features are clearly used for malicious purposes by many actors.\r\nDeep Instinct’s Research Team recently came across a very interesting infection chain found in one of our\r\nproduction sites. The uniqueness of the infection chain is due to its long and inordinately complex process;\r\nstarting with an RTF document attached to a phishing email, it ends with the dropping of an Agent Tesla\r\nexecutable on the victim machine. The multiple stages of the infection process include the use of OLE Objects\r\nwithin the RTF document and the execution of obfuscated VBA code contained in OOXML packages within the\r\nOLE Objects. In turn, the VBA code executes Powershell, which finally drops the malicious executable. Dozens\r\nof similar RTF droppers were found to be active very recently, possibly indicating a wide attack wave of Agent\r\nTesla, utilizing this infection process.\r\nThe full infection flow is explained in the following diagram:\r\nInfection flow\r\nPhishing RTF\r\nThe infection chain begins with the execution of an RTF file, which arrives as an attachment in a phishing email.\r\nOnce executed, the user is presented with five consecutive requests to enable macros. The five requests are due to\r\nthe fact that the RTF contains five embedded OLE objects, which each contain an OOXML package. 
Inside each\r\nOOXML package lies a VBA macro, and each time the user enables macros, one of the five macros executes.\r\nhttps://www.deepinstinct.com/2020/07/02/agent-tesla-a-lesson-in-how-complexity-gets-you-under-the-radar/\r\nPage 1 of 5\n\nThe VBA code contained in each of the OOXML packages is rather short and has been written with many spaces\r\nand line breaks to make the code difficult to read and organize.\r\nA snippet of the initial spaced VBA code.\r\nTo hinder static analysis of the code, the main variable used in the code is stored in a specific cell of the\r\nspreadsheet in each OOXML package. The variable is a long obfuscated string, which can be found in\r\nxl/sharedStrings.xml in the OOXML package.\r\nIndeed, static analysis tools such as oletools and oledump did not provide any details regarding the\r\nfunctionality of the VBA code. In addition, dynamic analysis of the VBA using ViperMonkey was not successful.\r\nHowever, manual debugging of each of the five VBA code parts revealed that each part is responsible for creating\r\npart of a PowerShell script, which forms the next stage of the infection process.\r\nA snippet of the PowerShell code created by the execution of the VBA macro in the first OLE object.\r\nOnce all five parts have run, the resulting PowerShell code is executed.\r\nPowerShell execution\r\nThe PowerShell code formed in the previous step is highly obfuscated.\r\nObfuscated PowerShell, with a large encoded blob.\r\nAfter debugging the code, which is deobfuscated through the function af23a, it is still obfuscated, but its function\r\nbecomes clear – the main purpose of this PowerShell code is to attempt to bypass AMSI and download a file\r\nusing WebClient().DownloadFile.\r\nPartially deobfuscated PowerShell code. 
Red squares are obfuscated strings responsible for the AMSI bypass, and\r\nthe blue square is the download URL.\r\nThe AMSI bypass is attempted by providing an empty buffer to the AmsiScanBuffer function – the\r\nstrings which are relevant to the bypass are the red squares in the above image and can be deobfuscated using\r\nfunction af23a in the PowerShell script. This has already been attempted in the past by a very similar Agent Tesla\r\ninfection process.[1] The URL which is accessed to download the file, which appears obfuscated as the string\r\n'09411248125b1a495b0d044707560e0753075b040c1b05570c4e5b04501804470217030e580416041950', is deobfuscated to \"hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe\" (blue square in image 4), and the file\r\ndownloaded from this URL is Agent Tesla, which is described in the following section.\r\nAgent Tesla download and execution\r\nThe Agent Tesla executable is downloaded from hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe to\r\nAppData\\Roaming\\u565.exe. Then the executable performs several tasks:\r\nCreates a scheduled task using schtasks.exe to execute the Agent Tesla executable.\r\nDisables Task Manager through the registry using reg.exe. 
The specific command used is “REG add\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr”.\r\nSearches for Wi-Fi passwords using netsh wlan show profile.\r\nTries to steal a variety of credentials: PuTTY/WinSCP, browser, FTP, and mail credentials.\r\nIt then sends the stolen credentials to dir.fb@tolipgoldenplaza.com, including the credentials Golden@#$2019.\r\nAn Earlier Precedent?\r\nIt is interesting to note that a very similar infection flow involving an RTF file that contained five OLE objects\r\nwas identified in March 2018.[2] In that instance, the file that was dropped following the infection chain was\r\nLokibot. Considering the striking similarity between the two cases, it appears that the attack was either executed\r\nby the same actors or created using the same framework. However, we could not find data to establish which of\r\nthe two options is more likely.\r\nIn addition, despite this method being several years old, it is apparently still used effectively in the wild, with\r\ndozens of similar RTF files found in a recent attack wave.\r\nConclusion\r\nThe sophisticated and complex infection chain covered in this article, while not new, is still being used extensively\r\nin the wild. This indicates that a complex attack chain involving many stages is not only difficult to analyze but\r\ncan also help attackers evade detection. In this case, evasion may be achieved through the use of multiple stages,\r\neach responsible for only a small portion of the attack, making each stage more difficult to detect. In addition, in\r\nthis attack, and in many other attacks in recent years, internal Windows tools are being abused by the attackers. 
In\r\nthis attack, the tools abused were schtasks.exe, reg.exe, and netsh, evidence of the continued trend of attackers to\r\nabuse dual-use tools.\r\nDeep Instinct’s customers are protected from this threat, which is prevented at multiple execution stages. The\r\ninitial RTF dropper was prevented in production pre-execution, using deep learning-based static analysis.\r\nMoreover, this RTF dropper was prevented with Deep Instinct’s prediction model (D-Brain) released more than 20\r\nmonths prior to the appearance of this dropper. If the dropper were to execute, PowerShell execution would be\r\nprevented with Deep Instinct’s script protection, and the Agent Tesla executable is prevented both statically using\r\nthe D-Brain, and dynamically using advanced behavioral analysis protection.\r\nIOCs\r\nRTF: ce212984a9ed60ef6015bfb2f930a0f501a2f6f373c9fa68af54fe8f68d4de9e\r\nAgent Tesla download URL: hxxps://cleranoffacem[.]com/nbhyerd/bomb[.]exe\r\nAgent Tesla: 756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b\r\nSimilar RTF 
files\r\n840a22c718e33120f6e47c310497148ca903912a46458fbf9f21edc8976074ce\r\n842ad0c1407a7c87c9f76a7a55d56f36dfef501495f56dbad4d28f04b807b63a\r\nb0f8dd641769a080b640dbaa2666b5982344642335372ee4680fa5a6e771991d\r\nce212984a9ed60ef6015bfb2f930a0f501a2f6f373c9fa68af54fe8f68d4de9e\r\nc03f438d814bd52be15b47743b44519263aaeded731dcfac7e9070628a41d70a\r\n20ae23fa54d2f997c50f85b9977899255822fbe200e17d933b430561adcd1e12\r\n859a9f0c613775907c2cda4d946159e7991ee6f9be430fe5658e95e7e5a0388b\r\na60c7244206b635d18c244028c1b1dc4c07da716e0ff78529692bc667f117195\r\n2bbc9c51a29557cf8934de723236bf2f5683391d3d57d7d86410221d30b53bd3\r\n3fe1d15c026ad8fa1c510ac3d4982f38be59e84cef34119fff0aad6fad35bc54\r\nf11ee07c633a0ad6a88ec9cb3e798dda02d6459b5eb35eb00d403d8445b0c554\r\n402f2be1b65ae460898ccbf47a475430cc5c64c548228481ad062934f6a85aa2\r\neec9b14da6a2745f089361002429d13b044d66dedf944e951b39f9d243ae3df9\r\n786f2eaa675e1ee953a159eb4a4ccb734b1adf16ede28dd7b801df9a612a4167\r\nfd26d992e3014118d345027e8a3c482519d75ef0fda12241d244e3a80abeda67\r\n2f9d34c9752df5565c79ed5d0dab3e4c48f5c3de22f54180388a90e3e0b30c9a\r\nd8be93b858f4ddfe0f6dab717e269665a56d862b86781da908fafa31be2ec509\r\n518eb357618f85a419cdeba49b45f8a98441a6a2df1edebb2376cd0a0e98f56f\r\n256777b273432143492346edc89f678e386cb4569e8fd48645e28245977f5856\r\n6d0636869e65966bbb79fb58a0af016e9af41420978a43b5c2eb1ed462a24724\r\na114858d777f74faafadca52424a9fca33426dc5f3c4777453348e359115ac6d\r\nbf36d5e468b5c654a47ebf07b4a0ef9e192307674960f7fdf22d6e3cb3e85177\r\n6189ddb04b9bbb45474ed48c6685d316c06458da3d9b430727ade08cc344f235\r\ndc1b5e7c4aeb32c2370fc03983502639d31c2c4fdecdb12b6248351daa38129a\r\nd7f2a3ec1aae489bc44b7819ce6f4e5029282b8f8d2064fccfe1804278c38d11\r\nd6779d721788c2826a9cd43cb01c3279c8aaca4a3210c5331125c08a9be32557\r\n1a8ee2fcf777abbcc6d3eda5a52f5cdb2269cc8a6e7e339b01c04d47138bb702\r\na16cdca08584f03a1deaefa94393914bb317e80bd2a2b9f5da7c0b4355a1fddd\r\n52f2e17287a2f975d30fdda43b44c67b5f70a168ccf97696b7d95a962d46dd7a\r\n167760bf97f12f6ef1d66ca2db17a5a0ed2d594f86f3d8716c83e7d66d502f3e\r\n0d873ad2a42333ee77bb18bb92c920afe94fe3c108de28fc4bb89901eb12161c\r\n8ac06f7b667d0ae9fc2e0940efba2d580af0dab54825275b7f85cb5ac37c6f05\r\ne5ade604474407fc742a5b99996b1aae86695493eb71d5fc2478fb78238a0799\r\nc4d7f76ca3ccc9a7f8763e4688cc2660a1164674f14c86fd384153b5e2fa566f\r\nb2c6e93875ed9728da141566603ad47a71a82d3867313744ceca367158c2b20c\r\n356c459692775dae1f20998c5d39f51a4b94ac01de509fa609844eee8adab19f\r\n[1] https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/\r\n[2] https://twitter.com/DissectMalware/status/977087605719302144\r\nSource: https://www.deepinstinct.com/2020/07/02/agent-tesla-a-lesson-in-how-complexity-gets-you-under-the-radar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2020/07/02/agent-tesla-a-lesson-in-how-complexity-gets-you-under-the-radar/"
	],
	"report_names": [
		"agent-tesla-a-lesson-in-how-complexity-gets-you-under-the-radar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd2b0589adf383463b4be02c0ed3907b46e1a455.pdf",
		"text": "https://archive.orkl.eu/cd2b0589adf383463b4be02c0ed3907b46e1a455.txt",
		"img": "https://archive.orkl.eu/cd2b0589adf383463b4be02c0ed3907b46e1a455.jpg"
	}
}