{
	"id": "58a83ca0-d8a4-4266-9bdd-58f0789fb543",
	"created_at": "2026-04-06T00:13:43.970809Z",
	"updated_at": "2026-04-10T03:21:15.233829Z",
	"deleted_at": null,
	"sha1_hash": "fa63075cc09fe60b8af3ff0442f77dac9ca73d57",
	"title": "Catching the RAT called Agent Tesla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7877644,
	"plain_text": "Catching the RAT called Agent Tesla\r\nBy Ghanshyam More\r\nPublished: 2022-02-03 · Archived: 2026-04-05 19:47:39 UTC\r\nFor the last few years, the Qualys Research Team has been observing an infamous “Malware-as-a-Service” RAT (Remote Access Trojan) called Agent Tesla.\r\nIt first appeared in 2014, and many variants have been deployed since. The malware uses multiple techniques to evade detection and to make analysis difficult. Agent Tesla is delivered mainly through phishing emails and has capabilities such as keylogging, screen capture, form grabbing and credential stealing. It also exfiltrates credentials from a wide range of software, including Google Chrome, Mozilla Firefox and Microsoft Outlook, which makes the potential impact of a single infection severe.\r\nThe malware goes through multiple layers of unpacking before deploying its final payload, behaviour very similar to that of families like Formbook. Agent Tesla is .NET compiled malware and uses a steganography technique to hide one of its stages; we have observed a sudden increase in the use of this technique.\r\nThis blog reviews Agent Tesla’s updated functionality as well as its ongoing evolution.\r\nTechnical Analysis:\r\nAgent Tesla performs two-level unpacking before its final payload is delivered, as shown in the flow chart diagram.\r\nIn the malware sample, the method names and strings have been heavily obfuscated, as shown in fig. 1.\r\nFig. 1 Main Payload Obfuscation\r\nAs fig. 2 shows, the main payload contains an obfuscated first stage PE DLL in which the character “@” stands in for the sequence “000” at many positions. Because the embedded file never appears in its plain form, this helps Agent Tesla evade signature-based detection of the embedded DLL.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla\r\nPage 1 of 9\r\nFig. 2 First Stage DLL Obfuscated Code\r\nThis module, a .NET compiled DLL, is named “representative”.
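To make the fig. 2 substitution concrete, the following Python is an added example written for this article; it is not code from the Qualys post or from the malware. It expands “@” back to “000” and then runs a minimal PE header check on the result, which is the cheap way to confirm that a deobfuscation pass produced what the analysis expects. It assumes the first stage DLL is held as a hex string (the page only states the substitution, not the encoding), and the MZ/PE stub it decodes is constructed for the demo rather than taken from the sample.

```python
# Added example (not from the Qualys post or the malware): undo the fig. 2
# string obfuscation, where '@' stands in for '000', and sanity-check that the
# result is a PE image.  ASSUMPTION: the first stage DLL is held as a hex string,
# which is why runs of '000' are frequent enough to be worth abbreviating.

def deobfuscate_hex_blob(blob):
    # '@' is not a hex digit, so it must be expanded before decoding.  The
    # substitution is exactly reversible: '@' never occurs in hex text, so each
    # '@' maps back to the '000' it replaced.
    return bytes.fromhex(blob.replace('@', '000'))


def pe_header_info(data):
    # Minimal PE check: MZ magic, e_lfanew at 0x3C, PE signature, then the
    # Machine and NumberOfSections fields of the COFF header.  Returns None if
    # the buffer is not a PE image.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return None
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], 'little')
    sections = int.from_bytes(data[e_lfanew + 6:e_lfanew + 8], 'little')
    return {'e_lfanew': e_lfanew, 'machine': machine, 'sections': sections}


def obfuscate_hex_blob(data):
    # Malware-side counterpart, written here only to build a test vector:
    # hex-encode, then abbreviate every '000' run, scanning left to right.
    return data.hex().replace('000', '@')


def build_sample_pe_stub():
    # Constructed stand-in for a PE image (not a real sample): a DOS header
    # padded to 0x40 bytes with e_lfanew = 0x40, then a PE signature and the
    # 20-byte COFF header (Machine = 0x014C i386, 3 sections, rest zeroed).
    dos = b'MZ' + bytes(0x3A) + (0x40).to_bytes(4, 'little')
    coff = b'PE' + bytes(2) + (0x014C).to_bytes(2, 'little') + (3).to_bytes(2, 'little') + bytes(16)
    return dos + coff


def demo():
    # Round trip: obfuscate the stub the way the sample does, recover it, and
    # parse the PE header.  Returns (recovered matches original, obfuscated
    # length, plain hex length, parsed header fields).
    original = build_sample_pe_stub()
    blob = obfuscate_hex_blob(original)
    recovered = deobfuscate_hex_blob(blob)
    return recovered == original, len(blob), len(original.hex()), pe_header_info(recovered)


if __name__ == '__main__':
    print(demo())
```

The length comparison in demo shows why the trick is attractive to the packer: a PE image is full of zero runs (alignment padding, reserved fields), so the substitution shrinks the string as well as breaking any signature written against the plain hex.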
After de-obfuscation, the main payload loads this first stage DLL module in memory.\r\nAgent Tesla uses a steganography technique, shown in fig. 3, in which an image carries an embedded PE file. The first stage DLL module reads this resource image to extract the second stage DLL module.\r\nFig. 3 Resource containing PE File\r\nIn the first stage DLL, a “ResourceManager” is created and the data of the Bitmap “ApplicationTru” (which lives in the main payload) is collected, as shown in fig. 4.\r\nFig. 4 Data from Main Payload Bitmap Collected\r\nAs shown in fig. 5, decryption routines are then run over the collected data to produce the second stage module, named “CF_Secretaria”.\r\nFig. 5 Decryption Routine for Second Stage DLL\r\nIn this decryption routine, K1 points to the decryption key and P1 points to the data collected from the “ApplicationTru” bitmap.\r\nThe first stage DLL module loads “CF_Secretaria” in memory and then transfers control to it by calling the Visual Basic late-binding helper “CallByName”, as shown in fig. 6.\r\nFig. 6 Call Transfer To 2nd Stage Module\r\nThe second stage DLL is heavily obfuscated, with function names rendered as unreadable UTF-8 strings to hinder analysis (fig. 7).\r\nFig. 7 Second Stage DLL Heavily Obfuscated\r\nIn the second stage DLL module, a “ResourceManager” is created to read its resource “bcf6M”. This resource contains an encrypted PE file, which is the final payload. The collected resource data is first XORed with the key “PnltzRBT”, as shown in fig. 8.\r\nFig. 8 Initial Decryption Routine for Final Payload\r\nThis initial decryption logic is the same as the one used to extract the second stage DLL module, but with a different key. After the initial pass, a further decryption step XORs the data with a 16-byte key.
This key is stored at the start of the buffer produced by the first pass. Once this second pass completes, the malware has its final payload (fig. 9).\r\nFig. 9 Further Decryption Routine for Final Payload\r\nThe final payload is then injected into the main process (fig. 10).\r\nFig. 10 Code Injection in Main Process\r\nAfter performing process hollowing on the current process, it starts stealing computer information.\r\nAgent Tesla collects information such as the computer name, TCP hostname, DNS client, domain and more (fig. 11).\r\nFig. 11 Computer Name and TCP Settings\r\nThe malware contains a predefined list of browsers and checks for their presence on the system (fig. 12).\r\nFig. 12 Browser Data Lookup\r\nIf these browser directories are found, it lists all the files and folders inside them. It then checks for the “User Data” directory and, if found, for the “Login Data” file, which holds the saved user names (commonly e-mail addresses) and passwords of the stored profiles. Fig. 13 shows the code checking for the presence of browser information.\r\nFig. 13 Browser Information\r\nAgent Tesla also looks for browser cookies and collects information about them. Fig. 14 shows the profile information collected for the Edge browser.\r\nFig. 14 Collected Profile Information for Edge Browser\r\nThe sample can also capture keystrokes; fig. 15 shows the keylogging code.\r\nFig. 15 KeyLogging\r\nIt can also steal clipboard data (fig. 16).\r\nFig. 16 Stealing ClipboardData\r\nAgent Tesla can also capture a screenshot and send it in JPEG format.
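The two XOR layers described above for the final payload (figs. 8 and 9), as an added Python example; this is not code from the Qualys post or from the sample. The static key “PnltzRBT” and the 16-byte length of the second key, which sits at the start of the buffer produced by the first layer, are taken from the analysis. That both keys repeat cyclically over their input, and that the 16 embedded key bytes are stripped rather than kept as part of the payload, are assumptions the page does not settle. The encrypted resource and the embedded key used in the demo are constructed, since the real “bcf6M” resource is not reproduced here; the same xor_with_key routine is what the fig. 5 second stage decryption (K1 as key, P1 as data) reduces to, with a different key.

```python
# Added example (not from the Qualys post or the malware): the two XOR layers
# the analysis describes for the final payload (figs. 8 and 9).  Facts from the
# page: the static key 'PnltzRBT' and the 16-byte length of the second key,
# which sits at the start of the buffer produced by the first layer.
# ASSUMPTIONS: both keys repeat cyclically over their input, and the 16 embedded
# key bytes are stripped rather than kept as part of the payload.

STAGE_KEY = b'PnltzRBT'     # static key, fig. 8
EMBEDDED_KEY_LEN = 16       # length of the key carried in the buffer, fig. 9


def xor_with_key(data, key):
    # Repeating-key XOR.  It is its own inverse, so one routine serves both
    # the packer and the unpacker.  The fig. 5 routine (K1 = key, P1 = data)
    # reduces to the same operation with a different key.
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_final_payload(resource, static_key=STAGE_KEY, key_len=EMBEDDED_KEY_LEN):
    # Layer 1 (fig. 8): strip the static-key XOR from the raw resource bytes.
    intermediate = xor_with_key(resource, static_key)
    # Layer 2 (fig. 9): the leading key_len bytes are the second key; the rest
    # of the buffer is the payload XORed with that key.
    if len(intermediate) <= key_len:
        raise ValueError('buffer too short to carry an embedded key')
    embedded_key, body = intermediate[:key_len], intermediate[key_len:]
    return xor_with_key(body, embedded_key)


def pack_like_the_malware(payload, embedded_key, static_key=STAGE_KEY):
    # Builder-side counterpart, constructed here only to produce a test vector
    # (the real builder is not on the page): inner XOR with the embedded key,
    # prepend that key, then apply the static key over everything.
    return xor_with_key(embedded_key + xor_with_key(payload, embedded_key), static_key)


def looks_like_pe(data):
    # The cheap check an analyst applies after each layer: did we get an MZ image?
    return len(data) >= 0x40 and data[:2] == b'MZ'


def demo():
    # Constructed final payload stand-in: an MZ header followed by filler text.
    payload = b'MZ' + bytes(62) + b'constructed final payload body'
    embedded_key = bytes(range(0x10, 0x20))   # constructed 16-byte key
    resource = pack_like_the_malware(payload, embedded_key)
    recovered = unpack_final_payload(resource)
    # The raw resource must not look like a PE; the recovered buffer must.
    return looks_like_pe(resource), looks_like_pe(recovered), recovered == payload


if __name__ == '__main__':
    print(demo())
```

Because the second key travels inside the ciphertext, a static signature on the resource bytes is useless: every build can carry a fresh 16-byte key and the stored blob changes completely. The static key, by contrast, is a fixed string in the second stage DLL, which is why the analysis can name it.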
In the screenshot routine (fig. 17), the captured image is JPEG-encoded and then converted to Base64 before being sent.\r\nFig. 17 Capturing a ScreenShot\r\nIt also steals FTP credentials, and it can use FTP itself, uploading stolen data with the STOR command (fig. 18).\r\nFig. 18 FTP Credential Stealing\r\nIt searches for the OpenVPN “config” directory to steal the credentials stored there (fig. 19).\r\nFig. 19 OpenVPN Config Stealing\r\nAgent Tesla can also check for a NordVPN configuration and steal its credentials.\r\nIt can search for FileZilla’s “recentservers.xml” to obtain information about recent FTP server connections.\r\nIt also steals IMAP, POP3, HTTP and SMTP passwords. For this, it checks the Microsoft Outlook registry entries shown in fig. 20.\r\nFig. 20 Outlook Reg Lookup for Credentials\r\nThe sample encrypts data before communicating with its command and control server and uses the Tor client to keep its communication anonymous. It may download the Tor client from the Tor website (fig. 21).\r\nFig. 21 Using TorClient for C2C Communication\r\nStolen data is then exfiltrated over SMTP (fig. 22).\r\nFig. 22 Data Exfiltration Over SMTP\r\nThe email subject line combines the OS and computer name, and the body contains system information along with the stolen credentials.\r\nFor persistence, the sample drops a copy of itself at c:\\%insfolder%\\%insname% and creates a Run registry entry (fig. 23).\r\nFig. 23 Run Reg Entry\r\nIndicators of Compromise (IOCs):\r\nSHA256\r\nInitial File: 7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45\r\n1st Payload: c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565\r\n2nd Payload: ad9a0f051fba2363abeab5b9a9d169572db48256307e826751c6a3140c60eef1\r\n3rd Payload: 148043d39c826025b65a0405e34acb08bb7e44a0566c13b4030412b734076438\r\nAgent Tesla TTP Map (MITRE ATT\u0026CK techniques by tactic):\r\nInitial Access: Phishing: Spearphishing Attachment (T1566.001)\r\nExecution: Scheduled Task/Job (T1053)\r\nPersistence: Boot or Logon Autostart Execution (T1547); Scheduled Task/Job (T1053)\r\nPrivilege Escalation: Boot or Logon Autostart Execution (T1547); Process Injection (T1055)\r\nDefense Evasion: Deobfuscate/Decode Files or Information (T1140); Obfuscated Files or Information (T1027); Process Injection (T1055)\r\nCredential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.003); Input Capture: Keylogging (T1056.001); Unsecured Credentials: Credentials from Files (T1552.001); Unsecured Credentials: Credentials in Registry (T1552.002)\r\nDiscovery: Account Discovery: Local Account (T1087.001); System Information Discovery (T1082); System Network Configuration Discovery (T1016); System Owner/User Discovery (T1033)\r\nCollection: Archive Collected Data (T1560); Clipboard Data (T1115); Input Capture: Keylogging (T1056.001); Man in the Browser (T1185); Screen Capture (T1113); Video Capture (T1125)\r\nCommand and Control: Application Layer Protocol: Mail Protocols (T1071.003); Application Layer Protocol: Web Protocols (T1071.001)\r\nMitigation or Additional Important Safety Measures\r\nKeep software updated\r\nAlways keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware.\r\nRegularly patch and update applications, software and operating systems to address exploitable software vulnerabilities.\r\nDo not download cracked or pirated software; it is a common carrier for malware backdoors.\r\nAvoid downloading software from untrusted P2P or torrent sites; such downloads are frequently malicious.\r\nBeware of emails\r\nDon’t open attachments and links from unsolicited emails. Delete suspicious-looking emails from unknown sources, especially if they contain links or attachments. Cybercriminals use social engineering techniques to lure users into opening attachments or clicking links that lead to infected websites.\r\nDisable macros for Microsoft Office\r\nDon’t enable macros in document attachments received via email. Many malware infections rely on your action to turn macros on.\r\nConsider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, which reduces the risk of enabling macros unintentionally. (Microsoft has since retired the standalone Office Viewer applications; Protected View in current Office versions, which opens files from the internet read-only with active content disabled, serves the same purpose.)\r\nHaving minimum required privileges\r\nDon’t assign Administrator privileges to users. Most importantly, don’t stay logged in as an administrator unless it is strictly necessary.
Also avoid browsing, opening documents or other regular work activities while logged in as an administrator.\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla"
	],
	"report_names": [
		"catching-the-rat-called-agent-tesla"
	],
	"threat_actors": [],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa63075cc09fe60b8af3ff0442f77dac9ca73d57.pdf",
		"text": "https://archive.orkl.eu/fa63075cc09fe60b8af3ff0442f77dac9ca73d57.txt",
		"img": "https://archive.orkl.eu/fa63075cc09fe60b8af3ff0442f77dac9ca73d57.jpg"
	}
}