Agent Tesla - Distribution Methods
File types, delivery vectors, and hosting infrastructure used to distribute Agent Tesla.
Last updated: 2026-04-18
Understanding how Agent Tesla reaches victims is critical for prevention. This page breaks down the file types used in distribution, the hosting infrastructure serving malicious payloads, and URLs tracked by URLhaus. Data is updated daily.
What Distribution Data Tells You
Shifts in file type distribution often signal changes in delivery tactics. For example, a move from .exe to .msi files may indicate operators adapting to Windows SmartScreen or email gateway filtering. A surge in .js or .vbs files suggests script-based delivery through phishing emails. Monitoring these patterns helps you tune your email security gateway rules and endpoint protection policies to block the current delivery method before it reaches end users.
Hosting Infrastructure
The hosting data below shows which domains and servers are actively distributing Agent Tesla payloads. Add these to your DNS blocklists, web proxy deny rules, and firewall policies. Hosting infrastructure tends to rotate frequently as takedowns occur, so check this page regularly. All URL data is sourced from URLhaus. For hash-based indicators, see the IOC page. For sample details, see Agent Tesla samples.
File Types (148 samples)
Malicious Distribution URLs (60)
https://github.com/Hyperbolic531/Makethen/raw/refs/heads/main/%E6%96%87%E6%A1%A382524.exe http://172.245.95.9/fibulae.afm https://github.com/Hyperbolic531/Makethen/raw/refs/heads/main/HT02528_8w77.js https://github.com/Hyperbolic531/Makethen/raw/refs/heads/main/robin_harker@btconnect.com.exe https://raw.githubusercontent.com/Hyperbolic531/Makethen/refs/heads/main/miahdoo.txt https://i.postimg.cc/R01gW6zd/snake.png https://firebasestorage.googleapis.com/v0/b/jsee-71d18.firebasestorage.app/o/img_170600.png?alt=media&token=0dc575d2-44f3-40b2-ba8e-b397383f766d https://governofederal.io/MSI_115403.png https://arpausa.com.ec/2MQ7RTNC.CL5 https://water.s3.cubbit.eu/bmiSkak.txt https://i.postimg.cc/Y06d8kLH/image4.png https://www.hna-ksa.com/STA/mint.txt https://www.hna-ksa.com/STA/ikp.txt https://grupomcperu.com/elementos/mhdcbdc.txt https://aona.s3.cubbit.eu/igkjakc.txt https://i.postimg.cc/x12dc3zT/image.png https://res.cloudinary.com/dkylpyldt/image/upload/v1775485198/rump_clyv7g.jpg https://res.cloudinary.com/dkylpyldt/image/upload/v1775485483/origin_kaqiyp.jpg http://107.175.246.40/Skifteda.deploy http://107.175.246.40/idfWcHWVXIWe19.bin http://107.175.246.40/rlfOXsZxho57.bin http://107.175.246.40/Hist.deploy http://198.23.177.216/Kugle.pcx https://pub-bc2333d37e9548c4acf40d5cc159c375.r2.dev/mynnepeng.png https://dpaste.com/EG9HNFJBP.txt https://dpaste.com/46DHTVYZ5.txt http://209.54.102.132/Granad244.pcz http://209.54.102.132/Sexister.hhk http://209.54.102.132/ILitOryfRMXTjathX140.bin https://casadoserralheirosaocarlos.com.br/ENCRYPTSS.Ps1 http://38.240.55.52/WE/airgood.Ps1 http://192.210.186.208/web/ENCRYPT.Ps1 https://ameyiando.com/main/ENCRYPT.Ps1 http://107.173.143.118/bgdol.png https://casadoserralheirosaocarlos.com.br/ENCRYPTZ.Ps1 http://107.173.143.118/saxch.png http://107.173.143.118/actiok.png http://107.173.143.118/mynnepeng.png http://107.173.143.118/nderu.png http://fil.ydns.eu/jhuytr/FSAmegn.txt https://casadoserralheirosaocarlos.com.br/ENCRYPTS.Ps1 http://130.12.180.43/files/6962575668/1S3cMox.exe https://three.s3.cubbit.eu/oriv1.7.2.0-venry-1upload.txt https://wpgbf1zg-5500.euw.devtunnels.ms/loader/RANKUP/FREE/FreeFortniteCleaner.zip http://192.3.176.231/22/9sd9fd0809g7sd8f789g73438g97dsf8g798s7df98g.js http://192.3.176.231/21/f9sd9fd0809g7sd8f789g73438g97dsf8g798s7df98g.js http://192.3.176.231/22/e/ec.hta https://wpgbf1zg-5500.euw.devtunnels.ms/rankup/freeclean/RankupServicecleaner.exe https://loader-400.pages.dev/RANKUP/FREE/FreeTempSpoofer.zip https://wpgbf1zg-5500.euw.devtunnels.ms/rankup/freetemp/RankupServiceFreeTemp.exe https://loader-400.pages.dev/RANKUP/FREE/FreeFortniteCleaner.zip https://firebasestorage.googleapis.com/v0/b/hold-8fad5.firebasestorage.app/o/forst%2Fpic9.jpg?alt=media&token=bd25b6e0-4b93-49ad-9e28-5fb1821cb2af https://sae20.s3.cubbit.eu/oriv1.7.2.0upload.txt https://eishin-kk-co.asia/dev/ENCRYPTED.ps1 https://xingyleather.com/2026/ENCRYPT.Ps1 http://77.83.39.134/IK/ENCRYPTED.ps1 https://www.techlearnskill.com/hhhh/ENCRYPTED.ps1 https://files.catbox.moe/c7xnkt.ps1 http://192.109.200.5/webb/CLASSMATE.ps1 http://192.109.200.5/webb/CLALLASS.ps1
Source: URLhaus (abuse.ch). Updated: 2026-04-18
Hosting Infrastructure
| Host | URLs |
|---|---|
| 107.173.143.118 | 5 |
| 107.175.246.40 | 4 |
| github.com | 3 |
| i.postimg.cc | 3 |
| 209.54.102.132 | 3 |
| casadoserralheirosaocarlos.com.br | 3 |
| wpgbf1zg-5500.euw.devtunnels.ms | 3 |
| 192.3.176.231 | 3 |
| firebasestorage.googleapis.com | 2 |
| www.hna-ksa.com | 2 |
| res.cloudinary.com | 2 |
| dpaste.com | 2 |
| loader-400.pages.dev | 2 |
| 192.109.200.5 | 2 |
| 172.245.95.9 | 1 |
| raw.githubusercontent.com | 1 |
| governofederal.io | 1 |
| arpausa.com.ec | 1 |
| water.s3.cubbit.eu | 1 |
| grupomcperu.com | 1 |