Agent Tesla - How to Detect

Last updated: 2026-04-01

Agent Tesla Malware Detection Guide

Behavioral Indicators

Agent Tesla exhibits several distinct runtime behaviors that can be detected through process monitoring and API hooking. Upon execution, the malware typically injects its payload into a legitimate system process, commonly targeting svchost.exe, explorer.exe, or msiexec.exe. Monitor for process hollowing, in which a legitimate process is spawned in a suspended state, its memory is unmapped, and malicious code is written into its address space before the process is resumed.

The malware performs extensive credential harvesting. Look for processes making unusual calls to credential access APIs, particularly CredEnumerateW, CredReadW, and CredFree from the Advapi32.dll library. Agent Tesla will attempt to dump credentials from the Windows Credential Manager, browser password stores, and email clients like Outlook, Thunderbird, and Foxmail. It also scrapes saved credentials from FTP clients (FileZilla, WinSCP) and messaging applications.

Keylogging is a core function. Monitor for the installation of global keyboard and mouse hooks via SetWindowsHookEx (often with WH_KEYBOARD_LL or WH_MOUSE_LL). The malware will also capture clipboard data through frequent calls to GetClipboardData. Screen capture activity is another indicator; look for processes taking repeated screenshots using BitBlt or similar GDI functions at regular intervals, often compressing the images in memory before exfiltration.

Finally, Agent Tesla performs system reconnaissance. It will query system information using GetComputerNameW, GetUserNameW, and GetSystemInfo. It enumerates running processes and installed software via registry queries. Unusual spawning of cmd.exe or powershell.exe from the injected process, followed by commands like whoami, systeminfo, or ipconfig, can indicate live discovery.
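The sequences above (suspended-process hollowing, low-level input hooks, credential API use, and discovery shells from the injected process) correlated over API telemetry, as an added example that is not part of the original guide; the event dict fields (pid, api, target_pid, target_image, flags, arg, cmdline) are an assumed layout, not any vendor's schema.

```python
# Added example (not from the guide): correlating API-hooking / EDR-style events
# into the behaviours above. The event layout is constructed for illustration.
HOLLOW_TARGETS = {"svchost.exe", "explorer.exe", "msiexec.exe"}
HOLLOW_STEPS = ("CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")
INPUT_HOOKS = {"WH_KEYBOARD_LL", "WH_MOUSE_LL"}
CRED_APIS = {"CredEnumerateW", "CredReadW"}
DISCOVERY = {"whoami", "systeminfo", "ipconfig"}
SHELLS = {"cmd.exe", "powershell.exe"}

def detect(events):
    """Walk API events in time order; return (rule, pid) alerts."""
    alerts, hollowed = [], set()   # hollowed: pids whose image was replaced
    stage = {}                     # target pid -> index of next expected step
    for ev in events:
        api, pid, tgt = ev["api"], ev["pid"], ev.get("target_pid")
        # 1. hollowing: suspended system process -> unmap -> write -> resume, tracked
        #    per target as an ordered state machine so a lone ResumeThread never matches
        if (api == "CreateProcess" and ev.get("flags") == "CREATE_SUSPENDED"
                and ev.get("target_image") in HOLLOW_TARGETS):
            stage[tgt] = 1
        elif 0 < stage.get(tgt, 0) < len(HOLLOW_STEPS) and api == HOLLOW_STEPS[stage[tgt]]:
            stage[tgt] += 1
            if stage[tgt] == len(HOLLOW_STEPS):
                hollowed.add(tgt)
                alerts.append(("process_hollowing", pid))
        # 2. global low-level keyboard/mouse hooks (keylogging)
        if api == "SetWindowsHookEx" and ev.get("arg") in INPUT_HOOKS:
            alerts.append(("global_input_hook", pid))
        # 3. Credential Manager enumeration from a hollowed host process
        if api in CRED_APIS and pid in hollowed:
            alerts.append(("credential_access", pid))
        # 4. discovery shell (whoami/systeminfo/ipconfig) spawned by the injected process
        tokens = set(ev.get("cmdline", "").lower().split())
        if api == "CreateProcess" and ev.get("target_image") in SHELLS and tokens & DISCOVERY and pid in hollowed:
            alerts.append(("discovery_from_injected_process", pid))
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry for the demo, not real data
    {"pid": 4012, "api": "CreateProcess", "target_pid": 5120, "target_image": "svchost.exe", "flags": "CREATE_SUSPENDED"},
    {"pid": 4012, "api": "NtUnmapViewOfSection", "target_pid": 5120},
    {"pid": 4012, "api": "WriteProcessMemory", "target_pid": 5120},
    {"pid": 4012, "api": "ResumeThread", "target_pid": 5120},
    {"pid": 5120, "api": "SetWindowsHookEx", "arg": "WH_KEYBOARD_LL"},
    {"pid": 5120, "api": "CredEnumerateW"},
    {"pid": 5120, "api": "CreateProcess", "target_pid": 5200, "target_image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 900, "api": "CreateProcess", "target_pid": 910, "target_image": "notepad.exe"},
    {"pid": 900, "api": "ResumeThread", "target_pid": 910},  # no suspend/unmap/write first: ignored
]
```

The credential and discovery rules only fire for a pid already marked as hollowed, which is what keeps a legitimate Credential Manager call or an admin's whoami from alerting on its own.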

Network Indicators

Agent Tesla communicates with its command and control (C2) servers using multiple protocols, with SMTP being the most traditional and common. Look for suspicious outbound SMTP traffic on ports 25, 465 (SMTPS), or 587 (SMTP with STARTTLS) originating from a non-mail client process, such as svchost.exe or explorer.exe. The malware often uses hardcoded SMTP credentials within its configuration to send stolen data as email attachments. The subject lines and attachment names may contain strings like "LOG", "REPORT", or the victim’s computer name.

HTTP/HTTPS-based C2 is increasingly prevalent. Beaconing occurs at configurable intervals, often between 5 and 30 minutes. HTTP POST requests are used to exfiltrate stolen data, which is typically Base64 encoded, compressed, or encrypted within the POST body. The User-Agent strings in these requests are often generic (e.g., "Mozilla/5.0") or may be spoofed as a legitimate browser. The URI paths are often short and nonsensical, like "/gate.php", "/panel/login.php", or "/upload/".

DNS queries can also be an indicator. Agent Tesla variants may resolve dynamic DNS domains or newly registered domains (NRDs) with low reputation. The queries often precede the HTTP/S or SMTP communication. The exfiltrated data is highly structured and includes system information, keystroke logs, screenshots, and credential dumps. Network monitoring tools should alert on processes sending large amounts of encoded data to external IP addresses over non-standard ports or to free webmail service domains (like smtp.gmail.com) from an enterprise host not configured for such services.
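The three network tells described above (SMTP ports used by a non-mail process, POSTs to short gate paths with a bare User-Agent or encoded-only body, and fixed-interval beaconing in the 5 to 30 minute band) scored over constructed flow records, as an added example rather than anything from the original page; the record fields and the TEST-NET addresses are assumptions.

```python
# Added example (not from the guide): scoring constructed network records against the indicators above.
import re
import statistics
from collections import defaultdict

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "foxmail.exe"}
SMTP_PORTS = {25, 465, 587}
GATE_PATHS = {"/gate.php", "/panel/login.php", "/upload/"}
GENERIC_UA = re.compile(r"^Mozilla/5\.0\s*$")          # bare UA, no platform/engine suffix
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")     # body that is nothing but a Base64 blob

def smtp_from_non_mail_process(rec):
    """SMTP/SMTPS/submission port used by something that is not a mail client."""
    return rec["dport"] in SMTP_PORTS and rec["process"].lower() not in MAIL_CLIENTS

def suspicious_post(rec):
    """POST to a short or known gate path with a generic UA or an encoded-only body."""
    if rec.get("method") != "POST":
        return False
    short_path = rec["uri"] in GATE_PATHS or len(rec["uri"]) <= 12
    generic_ua = bool(GENERIC_UA.match(rec.get("ua", "")))
    encoded = bool(B64_BODY.match(rec.get("body", "")))
    return short_path and (generic_ua or encoded)

def beacon_channels(records, lo=300, hi=1800, jitter=0.2):
    """(process, dst) pairs whose POSTs recur at a near-constant interval
    between lo and hi seconds (5-30 minutes by default)."""
    times = defaultdict(list)
    for r in records:
        if r.get("method") == "POST":
            times[(r["process"], r["dst"])].append(r["ts"])
    hits = []
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 3:          # need several periods before calling it a beacon
            continue
        med = statistics.median(gaps)
        if lo <= med <= hi and max(gaps) - min(gaps) <= jitter * med:
            hits.append(key)
    return hits

SAMPLE = [  # constructed records (TEST-NET addresses), not captured traffic
    {"ts": 0, "process": "svchost.exe", "dst": "203.0.113.10", "dport": 587},
    {"ts": 10, "process": "outlook.exe", "dst": "198.51.100.5", "dport": 587},
    {"ts": 20, "process": "chrome.exe", "dst": "198.51.100.9", "dport": 443, "method": "POST",
     "uri": "/api/v1/telemetry/upload", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "body": "{\"v\":1}"},
] + [{"ts": 60 + 900 * i, "process": "explorer.exe", "dst": "203.0.113.20", "dport": 80, "method": "POST",
      "uri": "/gate.php", "ua": "Mozilla/5.0", "body": "QUdFTlRURVNMQQ=="} for i in range(4)]
```

The beacon check deliberately waits for at least three intervals and tolerates 20% jitter, so a single retry storm from a browser does not qualify while a 15-minute Agent Tesla cadence does.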

File System Artifacts

Agent Tesla drops several files to maintain persistence and store logs. The primary payload is often copied to %AppData%, %LocalAppData%, or %ProgramData% directories. Common file paths include:

  • C:\Users\<username>\AppData\Local\Temp\<random_name>.exe
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<malicious_name>.exe
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\<malicious_name>.exe

The malware uses deceptive naming conventions to blend in, often masquerading as legitimate software or system components. Names may include strings like "chrome_update.exe", "java.exe", "winlogon.exe", or incorporate spaces and legitimate-sounding vendor names (e.g., "adobe flash player.exe"). Dropped files are typically small, ranging from 50 KB to 300 KB for the loader, with log files (containing keystrokes, screenshots) being larger and growing over time.

Temporary files are created for data staging. Look for files with extensions like .tmp, .dat, or .log in the %Temp% directory. Screenshots are often saved as .bmp or .jpg files with names based on timestamps (e.g., [MM-DD-YYYY].jpg) before being sent to the C2. Timestamps can be a tell; the creation time of the malware executable in a startup folder may be very recent and out of sync with legitimate system files.

Registry and Persistence Mechanisms

Agent Tesla employs multiple methods to achieve persistence across system reboots. The most common is the creation of a Run key in the Windows Registry.

Registry Run Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The value name will often match the deceptive filename (e.g., "Chrome Update"), and the data will point to the full path of the dropped executable.

Scheduled Tasks: The malware frequently creates scheduled tasks to launch itself. Tasks are often configured to run at user logon or at specific intervals. Look for tasks with seemingly legitimate names like "GoogleUpdateTask" or "OneDriveSync" that execute a command pointing to the malicious file in AppData or ProgramData. Use the command-line tool schtasks or a security platform to audit tasks with triggers like "At logon" or "On idle" that run from suspicious locations.

Startup Folder: As noted in file artifacts, a shortcut or copy of the binary is placed in the user or common startup folder. This is a straightforward but effective persistence method.

Service Installation: Some variants attempt to install themselves as a Windows service for higher privilege persistence. Check for newly created services with random or spoofed names (e.g., "SysHelper") in HKLM\SYSTEM\CurrentControlSet\Services\. The ImagePath value will point to the malicious binary.

File Association Hijacking: Advanced variants may modify file associations (e.g., for .txt or .exe files) via registry keys like HKCR\<filetype>\shell\open\command to execute the malware whenever an associated file is opened.
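An added example (not from the guide) that triages Run-key values, scheduled tasks, service ImagePaths and Startup-folder copies using the location and naming traits described in this section and under File System Artifacts; the entry layout, the trusted-root allowlist and the sample paths are assumptions.

```python
# Added example (not from the guide): triaging constructed Run-key, scheduled
# task, service and Startup-folder entries against the persistence traits above.
import re
from pathlib import PureWindowsPath

STAGING = re.compile(r"\\(AppData\\(Local|Roaming)|ProgramData|Temp)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "explorer.exe", "java.exe"}
VENDOR_WORDS = ("google", "chrome", "adobe", "java", "onedrive", "microsoft", "update")
STARTUP_DIRS = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)
AUTO_TRIGGERS = {"At logon", "On idle"}

def extract_exe(command):
    """Pull the executable path out of a Run-key value / task action / ImagePath,
    handling quoted and unquoted forms with trailing arguments."""
    m = re.match(r'\s*"([^"]+?\.exe)"|\s*(\S+?\.exe)\b', command, re.I)
    return (m.group(1) or m.group(2)) if m else command.strip()

def assess(entry):
    """entry: dict(kind, name, command[, trigger]); returns a list of reasons."""
    exe = extract_exe(entry["command"])
    fname = PureWindowsPath(exe).name.lower()
    trusted = bool(TRUSTED_ROOT.match(exe))
    reasons = []
    if STAGING.search(exe) or STARTUP_DIRS.search(exe):
        reasons.append("runs from AppData/ProgramData/Temp or a Startup folder")
    if fname in SYSTEM_NAMES and not trusted:
        reasons.append(f"system binary name {fname} outside Windows/Program Files")
    vendorish = any(w in fname or w in entry["name"].lower() for w in VENDOR_WORDS)
    if vendorish and not trusted:
        reasons.append("vendor-like name for a binary outside vendor install paths")
    if entry["kind"] == "scheduled_task" and entry.get("trigger") in AUTO_TRIGGERS and reasons:
        reasons.append(f"task fires '{entry['trigger']}'")
    return reasons

def audit(entries):
    """Map entry name -> reasons, for flagged entries only."""
    return {e["name"]: r for e in entries if (r := assess(e))}

SAMPLE_ENTRIES = [  # constructed entries, not real registry data
    {"kind": "run_key", "name": "Chrome Update", "command": r"C:\Users\alice\AppData\Roaming\chrome_update.exe"},
    {"kind": "scheduled_task", "name": "GoogleUpdateTask", "trigger": "At logon",
     "command": r'"C:\ProgramData\adobe flash player.exe" /silent'},
    {"kind": "service", "name": "SysHelper", "command": r"C:\Users\alice\AppData\Local\Temp\winlogon.exe"},
    {"kind": "run_key", "name": "OneDrive", "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"kind": "scheduled_task", "name": "Adobe Acrobat Update Task", "trigger": "At logon",
     "command": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
]
```

Per-user installs that legitimately live under AppData (OneDrive, Teams and similar) will trip the staging-directory check, so seed TRUSTED_ROOT or an allowlist with your environment's known-good paths before relying on the output.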

YARA Rule Guidance

When developing YARA rules for Agent Tesla, focus on its consistent embedded strings, configuration blocks, and unique code patterns. Target the cleartext strings used for credential harvesting. Look for hardcoded paths to email client databases, such as "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles" (Outlook) or "\\Thunderbird\\Profiles\\". Strings referencing specific applications like "FileZilla", "WinSCP", "Foxmail", and "Pidgin" are strong indicators.

The malware configuration is often stored within the binary in a structured, but sometimes obfuscated, format. Search for strings related to its C2 settings: "SMTPHost", "SMTPPort", "FromEmail", "ToEmail", "URL", "POST". The presence of both SMTP and HTTP configuration strings in a single binary is highly characteristic of Agent Tesla.

Examine the binary for specific API function names it resolves dynamically or imports. Common imports include Wininet.dll functions (InternetOpenA, InternetConnectA, HttpSendRequestA) for web communication, Advapi32.dll functions for credential access, and User32.dll functions for keylogging (SetWindowsHookEx, GetAsyncKeyState).

Agent Tesla often contains version strings within the binary, such as "AgentTesla" or "Tesla" followed by a version number (e.g., "V3.4", "V4.0"). While these may be obfuscated in later variants, searching for these case-insensitive strings can catch older samples. Finally, look for the specific format of its log file naming convention within strings, such as "[MM-DD-YYYY]" or "LOG_", which it uses to name captured data before exfiltration.
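A string-and-condition scanner that mirrors the YARA guidance above, as an added example rather than a rule from the page; each string is checked in ASCII and UTF-16LE the way YARA's ascii wide modifiers would, and the buffers are constructed, not real samples.

```python
# Added example (not from the guide): a string-and-condition scanner mirroring
# the YARA guidance above, checking each string as ASCII and UTF-16LE the way
# YARA's `ascii wide` modifiers would. The sample buffers are constructed.
import re

CRED_PATHS = ["Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
              "\\Thunderbird\\Profiles\\"]
APPS = ["FileZilla", "WinSCP", "Foxmail", "Pidgin"]
SMTP_CFG = ["SMTPHost", "SMTPPort", "FromEmail", "ToEmail"]
HTTP_CFG = ["URL", "POST"]
APIS = ["InternetOpenA", "InternetConnectA", "HttpSendRequestA",
        "SetWindowsHookEx", "GetAsyncKeyState", "CredEnumerateW"]
LOG_FMT = ["[MM-DD-YYYY]", "LOG_"]
VERSION_RE = re.compile(rb"(?i)(agent)?tesla.{0,4}v\d\.\d")   # "AgentTesla V3.4", "Tesla V4.0"

def count_hits(data, needles):
    """How many of `needles` occur in `data` in either ASCII or UTF-16LE form."""
    return sum(1 for n in needles
               if n.encode("ascii") in data or n.encode("utf-16-le") in data)

def scan(data):
    """Return (matched, counts). The condition mirrors a YARA rule body:
       (>=2 SMTP keys and both HTTP keys)        -- dual C2 config, the strongest tell
    or version tag                               -- older, unobfuscated builds
    or (credential path and >=2 apps and >=3 APIs)
    'URL'/'POST' alone are far too common to fire on, hence the SMTP pairing."""
    c = {"cred": count_hits(data, CRED_PATHS), "apps": count_hits(data, APPS),
         "smtp": count_hits(data, SMTP_CFG), "http": count_hits(data, HTTP_CFG),
         "api": count_hits(data, APIS), "log": count_hits(data, LOG_FMT),
         "version": int(VERSION_RE.search(data) is not None)}
    matched = ((c["smtp"] >= 2 and c["http"] == 2) or c["version"] == 1
               or (c["cred"] >= 1 and c["apps"] >= 2 and c["api"] >= 3))
    return matched, c

def wide(s):
    return s.encode("utf-16-le")

# constructed buffers: a fake stub header, padding and a mix of ASCII and wide strings
SAMPLE_HIT = (b"MZ\x90\x00" + b"\x00" * 16 + b"SMTPHost\x00" + wide("FromEmail") + b"\x00"
              + b"URL\x00POST\x00FileZilla\x00" + wide("WinSCP") + b"\x00[MM-DD-YYYY]\x00")
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"URL\x00POST\x00Pidgin\x00User-Agent\x00"
```

The same string sets and condition translate clause for clause into a YARA rule; the counts dict shows which clause fired so thresholds can be tuned against your own clean and malicious corpus before deployment.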
