{
	"id": "101b3e53-5184-4277-8df5-6301f28fd244",
	"created_at": "2026-04-06T00:19:25.268503Z",
	"updated_at": "2026-04-10T03:22:50.121844Z",
	"deleted_at": null,
	"sha1_hash": "f7c5029a90d00d9075b804e5e5df874d2d86e4b3",
	"title": "Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 \u0026 v3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2181555,
	"plain_text": "Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 \u0026 v3\r\nBy VMRay Labs\r\nPublished: 2021-05-11 · Archived: 2026-04-05 22:54:39 UTC\r\nAgent Tesla is spyware that has been around since 2014. It’s in active development, constantly being updated and improved with new features, obfuscation, and encryption methods. The malware is sold as a service with a relatively cheap licensing model, which makes it particularly easy to use and can explain its distribution on such a wide scale. At the time of writing, two versions of Agent Tesla can still be found in the wild: version 2 and version 3. Version 3 comes with some updates and additional features and is currently the most prevalent.\r\nAgent Tesla’s most common and successful delivery method is email, either in the form of spam or of more targeted campaigns (OPEC+, COVID-19, ISPS), where the malware is bundled as an attachment, usually in the form of a document or a compressed archive (Figure 1).\r\nhttps://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/\r\nPage 1 of 13\n\nIn the following Threat Bulletin, we’ll explore the delivery process of an Agent Tesla sample and some of the differences and similarities between different versions of Agent Tesla. With that in mind, we begin by looking into a fairly recent sample of Agent Tesla (v3) delivered as an email attachment (Figure 1).\r\nAgent Tesla – Initial Stages\r\nThe email arrives with an attachment that poses as an invoice with a .doc extension but is actually an RTF document. When it’s opened, it exploits CVE-2017-11882 to execute further stages. 
The shellcode used in the exploitation of the Equation Editor (eqnedt32.exe) is responsible for downloading and executing the next stage (Figure 2).\r\nView the VMRay Analyzer Report for Agent Tesla v3 (INVOICE-6754.doc.rtf)\r\nInterestingly, with this delivery, the threat actors leverage CMSTP.exe to launch further stages (Figure 3). CMSTP is normally used to install Connection Manager service profiles. It takes the path of an .INF file as its argument; that file describes the profile’s characteristics and the steps to be taken when installing it. This can be abused to have a legitimate, signed binary start another executable, or as a UAC bypass, and is one of the Living Off The Land techniques. In this case, the .INF file itself seems to have been taken from a public example (by Tyler Applebaum) (Figure 4). It extends the installation with a RunPreSetupCommandsSection, which allows commands to be run before the profile is installed; the malicious actor leverages this to run the malware.\r\nDuring the following steps of the execution, we observe how Agent Tesla makes sure that it’s not easily discovered by adding its image path as an exclusion for Windows Defender (Figure 5). Additionally, it disables the UAC dialog by overwriting the corresponding settings in the registry, so the user is neither notified nor prompted for permission when an action requiring an elevated (administrator) access token is taken. Thus, Agent Tesla is silently installed.\r\nFinally, the actual Agent Tesla payload is extracted and injected using the process hollowing method (Figure 6). We have observed many samples using this approach; however, there were also cases using .NET in-memory reflective loading or a similar method. 
The process of delivering and loading Agent Tesla varies greatly, but the actual payload has many similarities, even between versions.\r\nAgent Tesla – Execution Flow\r\nEven though Agent Tesla has been in development for at least 7 years, the overall execution flow hasn’t changed much. Some new features were added to the newer versions of Agent Tesla, but the behavior has remained fairly similar. The following section summarizes the high-level execution steps it usually performs. In some cases, we have observed that the order changes slightly, but this doesn’t impact the behavior. The section also highlights additions made in the newer version of Agent Tesla (v3).\r\nAt the beginning of its execution, Agent Tesla often uses certain methods to evade automated analysis. Some of the common evasion techniques include the introduction of an execution delay, which can evade sandboxes that have a limited monitoring duration, and checking the user and computer name for certain hard-coded values that could indicate it’s being analyzed (Figure 7). The spyware also makes sure that no other processes with the same name are currently running: it iterates over all processes with the same name and kills any that aren’t the current process.\r\nEach infected system is identified by a unique ID generated from hardware information. There are different ways Agent Tesla can achieve this. It applies the MD5 hashing algorithm to a string created by concatenating different hardware properties:\r\nthe system serial number,\r\nthe CPU identification value retrieved from the processorID property of the Win32_Processor WMI management class,\r\nthe MAC address, taken from the MACAddress property of the Win32_NetworkAdapterConfiguration WMI class. 
It takes the MAC address of a network adapter that is currently connected.\r\nThe hardware ID is generated at the beginning of the execution but appears to be used only during the HTTP communication.\r\nAnother common “evasion” shared between versions, used at the beginning of execution, is a call to the GetLastInputInfo function: if no input event was detected in the last 10 minutes, a configuration variable is set (Figure 7).\r\nIts next step is usually to copy itself to a less obvious location (an installation folder) such as %appdata%; the location is configurable and this step might not be used at all. The config file also indicates whether the file should have the hidden and system attributes set. Persistence is achieved by installing itself as a startup application in the registry. In this case, Agent Tesla also enables the corresponding startup entry under \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run by setting its value to 02 00 00 00 00 00 (Figure 8).\r\nFurthermore, it deletes the Zone.Identifier from the base image. The Zone.Identifier is an Alternate Data Stream created when a file is downloaded from the internet and saved; this information is used by Windows and various security products, and deleting it makes the malware look as if it wasn’t downloaded from the internet. Depending on the configuration, Agent Tesla is able to take screenshots periodically. It uses a timer that invokes the registered callback function at a specified interval, which is also configurable. One difference between versions is the choice of protocols the malware can use to exfiltrate the collected information. Versions 2 and 3 are both capable of using HTTP, SMTP, and FTP. 
On top of that, v3 adds another possibility: sending a document to a Telegram channel (Figure 9).\r\nA new addition that came with Agent Tesla v3 is the ability to collect clipboard data and the external IP of the infected host (Figure 10).\r\nView the VMRay Analyzer Report for Agent Tesla v3 (External IP Check)\r\nFurthermore, v3 comes with the option to use the Tor proxy for its HTTP communication. This is a newer addition which isn’t found in the previous versions (Figure 11). If the corresponding configuration is set, Agent Tesla first tries to kill all currently running Tor instances and then downloads and sets up the Tor client.\r\nWith HTTP communication set up, Agent Tesla starts one of its main tasks, credential stealing (Figure 12). Agent Tesla v3 has some additions to the list of applications it targets.\r\nBoth versions are also able to function as a keylogger. The keylogging functionality is again implemented with the help of timers; the set interval specifies how often the logs are collected and exfiltrated (Figure 13). The hook itself is installed using the native SetWindowsHookExA function with idHook set to WH_KEYBOARD_LL, which takes an application-defined hook procedure.\r\nString and Config Decryption\r\nAll strings used by Agent Tesla are encrypted by default and mostly decrypted on demand. The ability to decrypt Agent Tesla’s strings allows one to extract parts of the configuration information, such as the C2 server, the passwords used, or other data related to network connections. Appendix B contains a small list of extracted network information from different Agent Tesla samples.\r\nVersion 2\r\nAgent Tesla v2’s encrypted strings are usually located in the .text section of the PE file. 
To be exact, they start 0x50 bytes past the beginning of the section. The strings are encrypted using AES in CBC mode (Figure 14), and each string is encrypted with its own key and IV. Strings are stored in an array of objects, where each object is an array of units. The decryption routine takes an encoded offset into the array, which is decoded at runtime to extract the corresponding string.\r\nInvestigating the object in dnSpy shows that the static object array corresponds to the token 0x04000001 (Figure 15, left). The token describes the Field table (0x4) and its first row (0x000001). Each element in the array is described by its own token (Figure 15, right). dnSpy already provides the corresponding RVA and file offset. However, this information can also be extracted manually from the FieldRVA table in the metadata stream of the PE file by looking up the corresponding row number. This would allow one to statically parse the file and its metadata, extract the RVAs, and decrypt the strings without assuming any offsets.\r\nVersion 3\r\nAgent Tesla v3 changes how the strings are encrypted: AES is no longer used. Instead, the encrypted strings are stored in a byte array which is decrypted by XORing each value with its array offset and a hard-coded key. This decryption takes place when the class is constructed, i.e., the array and the decryption loop (Figure 16, left) are implemented inside a class constructor. The decrypted strings are stored without any separators, as a single blob of characters. When a particular string is required, a function that takes the offset and length of the string as parameters is used (Figure 16, right). 
This also means that it’s harder to statically extract information from the strings; doing so requires, e.g., parsing the actual decoding function wherever it’s used and extracting its arguments.\r\nConclusions\r\nUnderstanding a malware family, its usual delivery methods, and the techniques used can be very beneficial from an incident response standpoint. Research into a family can give the blue team enough information to start an internal investigation if a breach is suspected. They can better assess the initial impact of such a breach, look for indicators, start their initial analysis from there, and expand outwards.\r\nReferences\r\nhttps://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/\r\nhttps://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/\r\nhttps://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/\r\nhttps://docs.microsoft.com/de-de/windows-server/administration/windows-commands/cmstp\r\nhttps://docs.microsoft.com/en-us/dotnet/standard/metadata-and-self-describing-components\r\nhttps://attack.mitre.org/techniques/T1218/003/\r\nhttps://gist.github.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1#file-uacbypass-inf\r\nhttps://attack.mitre.org/techniques/T1055/012/\r\nhttps://blog.f-secure.com/detecting-malicious-use-of-net-part-1/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\r\nhttps://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr\r\nhttps://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/\r\nAppendix A\r\nIOCs\r\nAgent Tesla Payloads – 
Hashes\r\nAppendix B\r\nSome of the extracted configurations presented in the MWCP format.\r\n
Source: https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/"
	],
	"report_names": [
		"threat-bulletin-agent-tesla"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7c5029a90d00d9075b804e5e5df874d2d86e4b3.pdf",
		"text": "https://archive.orkl.eu/f7c5029a90d00d9075b804e5e5df874d2d86e4b3.txt",
		"img": "https://archive.orkl.eu/f7c5029a90d00d9075b804e5e5df874d2d86e4b3.jpg"
	}
}