{
	"id": "496197c9-3811-4a5b-9d3d-48afe7aed85b",
	"created_at": "2026-04-06T00:08:58.241739Z",
	"updated_at": "2026-04-10T03:22:50.03955Z",
	"deleted_at": null,
	"sha1_hash": "ce85db1681a9698a5151c04bc481947491ac5e16",
	"title": "Agent Tesla: A Day in a Life of IR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3033107,
	"plain_text": "Agent Tesla: A Day in a Life of IR\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 15:54:57 UTC\r\nIntroduction\r\nThe Agent Tesla information stealer has been around since 2014. During the last two to three years its distribution has also grown significantly, partly because cracked versions of it have been leaked. It has been adopted by many adversaries, both advanced and less sophisticated; as a result, we can clearly identify a growing number of modified Tesla variants.\r\nThis year marks a significant change from previous years in the distribution techniques leveraged for Agent Tesla. We have seen this information stealer delivered through exploits and COVID-19 phishing campaigns, integrating advanced steganography, implementing various novel obfuscation techniques, and more.\r\nThe following technical analysis covers a single Agent Tesla attack chain investigation, conducted after multiple attack attempts on a Morphisec customer were prevented at the end of October. This case was particularly interesting because of the use of multiple advanced techniques that are rarely seen combined into a single chain. Some of the advanced techniques covered in this blog include:\r\nUse of a compromised sender email address\r\nDouble use of exploits to deliver the agent downloader\r\nUse of the advanced DeepSea obfuscator\r\nUse of double steganography obfuscation to deliver the agent loader\r\nUse of Frenchy shellcode and .Net delegation for whitelisting bypass\r\nExecuting the Dark stealer from memory\r\nTechnical Details\r\nSpearphishing\r\nThe attack chain started with a phishing email mentioning an RFQ for a new order. This might have triggered suspicion in a more security-aware employee, but in this case the victim was used to receiving similar emails and took the bait.\r\nFurthermore, the advanced gateway solution designed to block or quarantine documents with a suspected DDE exploit (discussed later) worked, but the user was convinced that the email was legitimate and released it from quarantine, because receiving RFQs was routine for them.\r\nIn this case, the email was sent from a trusted third party, through either a compromised email account or a domain whose configuration allows email spoofing.\r\nhttps://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir\r\nPage 1 of 13\n\nDDE Exploit\r\nThe attached RFQ document is a known macro-less DDE exploit that downloads the next-stage document from a C2. To reduce the risk of detection, the attackers implemented a known technique that avoids the literal string “DDE” in the document text and delays the download until after protected mode is disabled.\r\nEquation Editor Exploit\r\nDocument.doc carries the second exploit in the chain, targeting the Microsoft Equation Editor memory corruption vulnerabilities tracked as CVE-2017-11882 and CVE-2018-0802. The content of this new document automatically replaces the content of the original document. While patches for these vulnerabilities have long been available, many endpoints remain unpatched due to operational constraints, which keeps these CVEs highly popular even today.\r\nAgent Tesla Loader 1\r\nFollowing successful exploitation of the Microsoft Equation Editor vulnerability, a thin ~500KB loader is downloaded from the same C2 by the Equation Editor process. The loader is lightly obfuscated with the DeepSea obfuscator.\r\nAs previously published, the Tesla loader started abusing steganography to deliver its next stage by hiding an executable inside a PNG image; this time, however, the image looks significantly different.\r\nFirst decryption of the PNG resource:\r\nSurprisingly, the developers of this Tesla loader implemented an additional steganography layer on top of the previously described technique, to avoid heuristic detection of the image resource based on metadata or entropy.\r\nThis leads to a second steganography layer, which already resembles the embedded executable images we know:\r\nAgent Tesla Loader 2\r\nThe decrypted image is not the final result; instead, it leads to one more loader, which is also protected by an unknown obfuscator.\r\nThis .Net assembly is loaded in memory within vbc.exe (the first loader) as soon as it is decrypted from the image.\r\nThis assembly has multiple functionalities that can be executed based on predefined configuration parameters, such as:\r\nFinally, this second loader performs a basic decryption of the byte array after extracting it from its resource.\r\nAs soon as the next stage has been extracted, it is injected into a legitimate RegAsm process using delegation and a known hollowing technique implemented by the Frenchy shellcode framework.\r\nFrenchy Shellcode Loader\r\nSince the hollowing mechanism is implemented in native code using the known Frenchy shellcode framework, the attackers needed a code injection technique less likely to be picked up by some vendors. Instead of using a regular “CreateThread”-style method to redirect execution to the allocated shellcode, they use delegation to achieve the same thing; this is definitely not a new technique, but it is less common than a simple native callback function.\r\nThe executed shellcode is identified as Frenchy shellcode. Morphisec Labs has tracked many Tesla variants that use Frenchy shellcode since January 2020 (although with far fewer staging layers). The shellcode maps “known” DLL sections into memory to avoid monitoring by runtime hooking, then creates the target process (RegAsm) in suspended mode. It then maps a section into the legitimate process and copies the previously decrypted executable into that section. Finally, it resumes the thread with a new context, which leads to execution of the Dark stealer.\r\nDecrypted Tesla Dark Stealer\r\nThe final payload that runs within RegAsm is the main Agent Tesla Dark Stealer module; it is also obfuscated using an unknown obfuscator.\r\nAll the configuration strings, such as browser names, can easily be extracted by simple XOR manipulation of the executable bytes.\r\nThe decrypted strings have been uploaded to pastebin.\r\nVirusTotal graph analysis of the IP reveals additional downloaders and multiple different Equation Editor exploits downloaded within the last couple of months.\r\nHere is the MITRE ATT\u0026CK matrix with the techniques deployed by this Agent Tesla attack highlighted for reference.\r\nConclusion\r\nAgent Tesla may be an older information stealer, given its launch in 2014, but recent upgrades that allow it to evade detection make it more powerful than ever. The attack described above makes it abundantly clear that Agent Tesla remains a force, especially given the addition of the above-described techniques, which make this infostealer capable of bypassing modern security controls to deliver its payload.\r\nMorphisec customers can remain confident, however, that they are protected against Agent Tesla through the zero trust security power of Automated Moving Target Defense.\r\nBlog IOCs\r\n8267259394D54FC644A18AAA8A8A5D0C68624B6D (PO – RFQ # 097663899 NEW ORDER.docx)\r\nhxxp://192.3.141[.]134/document.doc\r\nhxxp://192.3.141[.]134/bub.exe (vbs.exe)\r\nEF4C32312CE60C3CAB620AF37D77E793FA245A4F\r\nOlder IOCs\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and in leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir"
	],
	"report_names": [
		"agent-tesla-a-day-in-a-life-of-ir"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434138,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce85db1681a9698a5151c04bc481947491ac5e16.pdf",
		"text": "https://archive.orkl.eu/ce85db1681a9698a5151c04bc481947491ac5e16.txt",
		"img": "https://archive.orkl.eu/ce85db1681a9698a5151c04bc481947491ac5e16.jpg"
	}
}