Incident Response Guide: Agent Tesla Malware
Incident Triage Steps
Within the first 30 minutes of a suspected Agent Tesla infection, your priority is to determine the scope, identify compromised systems, and assess potential data loss. Agent Tesla is a .NET-based infostealer that typically arrives via phishing emails with malicious attachments (e.g., .doc, .xls, .pdf) or links. It often uses process injection and string obfuscation, and it communicates with its command-and-control (C2) servers over HTTP, SMTP, or FTP.
- Isolate the Reported System: Immediately disconnect the initially reported endpoint from the network. Do not shut it down, as this will destroy volatile memory evidence crucial for analysis.
- Identify Initial Vector: Check the user’s email client or web browser history for the last 24-48 hours. Look for suspicious emails with attachments, particularly those with double extensions (e.g., invoice.pdf.exe), or links to cloud storage URLs. Agent Tesla droppers often masquerade as documents.
- Scope the Infection:
- Endpoint Logs: Query your EDR solution or endpoint logs for recent process creation events. Look for suspicious child processes spawned from explorer.exe, svchost.exe, or Office applications (winword.exe, excel.exe). Agent Tesla payloads often execute from %AppData%, %LocalAppData%, or %Temp%.
- Network Monitoring: Review proxy logs, DNS queries, and firewall outbound connections from the last 48 hours. Search for connections to suspicious domains (often randomly generated) or IPs on ports 80 (HTTP), 587/465 (SMTP), or 21 (FTP). Agent Tesla frequently exfiltrates data via email to attacker-controlled addresses.
- Lateral Movement Check: Quickly audit authentication logs on the domain controllers (Windows Event ID 4624 logons, plus Kerberos ticket events 4768/4769) for logons originating from the initially infected host, especially any that use credentials harvested from it.
- Assess Data Exfiltration: Determine whether data theft likely occurred. Agent Tesla steals saved credentials from browsers, email clients, and FTP clients, captures keystrokes and clipboard contents, and collects system information.
- Check for anomalous outbound traffic volume from the infected host, particularly SMTP traffic not aligned with corporate mail servers.
- Search for the creation of large temporary files in user profile folders that may have been staged for exfiltration. Note that Agent Tesla normally sends small periodic reports rather than staging bulk data, so the absence of staged files does not rule out exfiltration.
- If SMTP exfiltration is suspected, review mail server logs for outbound messages to unknown addresses from the infected host’s IP.
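The endpoint and network triage checks above can be run in one pass against Sysmon telemetry. The following PowerShell is an added example, not code from the original guide: it applies the two rules described (Office application spawning a child or an image running from a user-writable path; outbound connections on mail or FTP ports to anything other than a corporate relay) to Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events. It assumes Sysmon is installed under its default log name; the corporate relay list and the 48-hour window are placeholders for your environment.

```powershell
# Added example (not from the original guide): the triage rules above applied to
# Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events.
# Assumptions: Sysmon is installed with its default log name; the corporate mail
# relays and the 48-hour window are placeholders for your environment.

$CorporateMailHosts = @('10.10.0.25', 'mail.corp.example')   # assumption: your relays
$OfficeParents      = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$UserWritablePaths  = @('\AppData\Roaming\', '\AppData\Local\', '\Temp\')
$ExfilPorts         = @(21, 25, 465, 587)

# Flatten one Sysmon event's <EventData> into a hashtable keyed by field name.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)] $Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ EventId = [int]$Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Rule 1: a child of an Office application, or any image launched from a
# user-writable directory (where Agent Tesla droppers usually land).
function Test-SuspiciousProcess {
    param([Parameter(Mandatory)] [hashtable] $F)
    $reasons = @()
    $parent = [System.IO.Path]::GetFileName([string]$F['ParentImage']).ToLower()
    if ($OfficeParents -contains $parent) { $reasons += "child of Office app $parent" }
    foreach ($p in $UserWritablePaths) {
        if ($F['Image'] -like "*$p*") { $reasons += "image under $p"; break }
    }
    return $reasons
}

# Rule 2: outbound connection on a mail or FTP port to anything other than a
# corporate relay (Agent Tesla's usual SMTP/FTP exfiltration path).
function Test-SuspiciousConnection {
    param([Parameter(Mandatory)] [hashtable] $F)
    $port = [int]$F['DestinationPort']
    $dst  = @($F['DestinationIp'], $F['DestinationHostname']) | Where-Object { $_ }
    $isCorporate = $dst | Where-Object { $CorporateMailHosts -contains $_ }
    if ($ExfilPorts -contains $port -and -not $isCorporate) {
        return "port $port to non-corporate host $($dst -join '/')"
    }
    return $null
}

# Pull the last $Hours of events and emit one row per rule hit.
function Invoke-AgentTeslaTriage {
    param([int] $Hours = 48)
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 1, 3
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $f   = ConvertFrom-SysmonEvent $_
        $why = if ($f.EventId -eq 1) { Test-SuspiciousProcess $f } else { Test-SuspiciousConnection $f }
        if ($why) {
            if ($f.EventId -eq 1) { $type = 'Process'; $subject = $f.Image }
            else { $type = 'Network'; $subject = "$($f.Image) -> $($f.DestinationIp):$($f.DestinationPort)" }
            [pscustomobject]@{ Time = $f.Time; Type = $type; Subject = $subject; Reason = ($why -join '; ') }
        }
    }
}

Invoke-AgentTeslaTriage -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

The two rule functions take plain hashtables, so they can be exercised offline with a constructed record (for example `Test-SuspiciousProcess @{ Image = 'C:\Users\jdoe\AppData\Roaming\svc.exe'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }` returns both reasons) before the script is pointed at a live host, and the same functions can be reused over exported .evtx files by passing `-Path` to `Get-WinEvent`.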
Evidence Collection
Before any containment or eradication actions, preserve the following forensic evidence. This is critical for understanding the attack and improving defenses.
- Volatile Memory: Capture a full memory dump of the infected system(s) using a trusted memory forensic tool. Agent Tesla commonly injects its payload into a legitimate .NET host process (for example RegSvcs.exe, RegAsm.exe, or MSBuild.exe) and may leave little on disk beyond the dropper, so the decrypted payload and its configuration are often recoverable only from memory.
- Disk Imaging: If possible, take a forensic disk image. If not, collect critical files:
- Malware Artifacts: Collect files from %AppData%, %LocalAppData%, %Temp%, and C:\ProgramData. Look for recently created executables, DLLs, or heavily obfuscated script files (.vbs, .js).
- Registry Persistence: Export the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run keys (and, if no disk image is taken, the NTUSER.DAT and SOFTWARE hives that contain them). Agent Tesla often establishes persistence via Run keys.
- Prefetch Files: Collect .pf files from C:\Windows\Prefetch for evidence of execution.
- Process and Network Information:
- Capture a detailed process listing with command-line arguments, parent process, and loaded DLLs. Look for processes with mismatched names or paths, and for legitimate binaries such as explorer.exe or the .NET utilities RegSvcs.exe and RegAsm.exe running with an unexpected parent or injected code.
- Export a list of all active network connections and listening ports, including the owning process.
- Logs: Aggregate and preserve:
- Windows Event Logs (Application, Security, System).
- Antivirus/EDR detection and quarantine logs.
- Full proxy, firewall, DNS, and mail server logs for the infected hosts over the infection period.
- Scheduled Tasks: Export the list of scheduled tasks, as Agent Tesla variants may use this for persistence.
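The host-side items in the list above (process listing, network state, Run keys, scheduled tasks, drop-location files, Prefetch, and event logs) can be gathered in one pass. The following PowerShell is an added example, not a script from the original guide: it writes each artifact to a timestamped case folder and finishes with a SHA-256 manifest. It assumes it is saved as a script and run from an elevated, trusted PowerShell on the suspect host, that $CaseRoot points at your evidence volume, and that the memory dump has already been taken with your memory-acquisition tool, which it does not replace.

```powershell
# Added example (not from the original guide): collect the host artifacts listed
# above into a case folder before any containment action. Assumptions: run as a
# script from an elevated, trusted PowerShell on the suspect host; $CaseRoot is a
# placeholder for your evidence volume; the memory dump is taken separately with
# your memory-acquisition tool, before this script, and is not part of it.
param([string] $CaseRoot = 'E:\Cases')   # assumption: removable evidence drive

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Case  = Join-Path $CaseRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $Case -Force | Out-Null
function Out-Case($Name) { Join-Path $Case $Name }

# 1. Volatile first: processes with parent, command line and loaded modules.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Out-Case 'processes.csv') -NoTypeInformation
Get-Process | ForEach-Object {
    $p = $_
    try { $p.Modules | Select-Object @{n='Pid';e={$p.Id}}, @{n='Process';e={$p.Name}}, FileName }
    catch { }   # access denied on protected processes is expected; note the gap in the report
} | Export-Csv (Out-Case 'modules.csv') -NoTypeInformation

# 2. Network state with the owning process, for matching against proxy/firewall logs.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Out-Case 'tcp_connections.csv') -NoTypeInformation

# 3. Run-key persistence for the machine and every loaded user hive.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$runKeys += Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $k = $_
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object @{n='Key';e={$k}}, Name, Value
} | Export-Csv (Out-Case 'run_keys.csv') -NoTypeInformation

# 4. Scheduled tasks with the command each action runs.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    $t.Actions | Select-Object @{n='Task';e={$t.TaskPath + $t.TaskName}},
        @{n='State';e={$t.State}}, Execute, Arguments
} | Export-Csv (Out-Case 'scheduled_tasks.csv') -NoTypeInformation

# 5. Recently written executables and scripts in the drop locations named above.
$drop = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData')
Get-ChildItem $drop -Recurse -Force -Include *.exe, *.dll, *.vbs, *.js, *.ps1 -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{n='SHA256';e={(Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash}} |
    Export-Csv (Out-Case 'recent_drop_files.csv') -NoTypeInformation

# 6. Prefetch and the event logs (Sysmon included where present).
New-Item -ItemType Directory -Path (Out-Case 'Prefetch') -Force | Out-Null
Copy-Item 'C:\Windows\Prefetch\*.pf' (Out-Case 'Prefetch') -ErrorAction SilentlyContinue
foreach ($log in 'Application', 'Security', 'System', 'Microsoft-Windows-Sysmon/Operational') {
    wevtutil epl $log (Out-Case (($log -replace '[/\\]', '_') + '.evtx')) 2>$null
}

# 7. Hash everything collected so the evidence can later be shown to be unaltered.
Get-ChildItem $Case -Recurse -File | Where-Object Name -ne 'manifest_sha256.csv' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv (Out-Case 'manifest_sha256.csv') -NoTypeInformation
```

Run the script from the evidence drive rather than from the suspect host's own disk, and record the manifest hash in the case notes as soon as the script finishes; the order (processes and connections before registry and files) matters because the volatile items are the ones containment will change.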
Containment Procedures
Contain the threat to prevent further data theft and lateral movement while preserving evidence.
- Network Containment:
- Segment the infected host(s) by placing them in an isolated VLAN or applying strict firewall rules that block all outbound traffic except that required for your investigation.
- At the network perimeter, update firewall and proxy rules to block communications with identified Agent Tesla C2 domains and IPs. Also, consider blocking outbound SMTP traffic to non-corporate email servers if this was the exfiltration method.
- Credential Security:
- Reset passwords for every account that was active on the compromised system, including any service accounts whose credentials were stored there. This is critical: Agent Tesla harvests credentials from browsers, Windows Credential Manager, and email clients.
- Force a global logout of these accounts from all services (e.g., email, VPN, cloud apps).
- Review and revoke any session tokens or API keys that may have been stored on or accessible from the infected system.
- Host Containment: On confirmed infected endpoints, use your EDR solution to:
- Suspend the malicious processes identified during triage.
- Isolate the endpoint from the network but keep it powered on so that the volatile evidence collected above is preserved.
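The host isolation and credential steps above, as an added PowerShell example that is not part of the original guide. Invoke-HostIsolation runs elevated on the infected host (for example through your EDR's remote shell) and uses Windows Firewall as the enforcement point; Reset-CompromisedAccounts runs on a responder workstation. It assumes $ForensicHost is your collection server, that the account list comes from the triage review, that the RSAT ActiveDirectory and Microsoft.Graph.Users.Actions modules are installed, that Connect-MgGraph has already been run with User.ReadWrite.All, and that the UPN suffix is a placeholder for yours.

```powershell
# Added example (not from the original guide): host isolation and credential
# containment. Assumptions: Invoke-HostIsolation runs elevated on the infected
# host with Windows Firewall as the enforcement point; Reset-CompromisedAccounts
# runs on a responder workstation with the RSAT ActiveDirectory and
# Microsoft.Graph.Users.Actions modules, after Connect-MgGraph with
# User.ReadWrite.All; $ForensicHost and the UPN suffix are placeholders.

$ForensicHost = '10.0.0.5'   # assumption: investigation/collection server

# Host: keep the machine powered on, but allow outbound traffic only to the
# forensic server. Block rules win over allow rules in Windows Firewall, so a
# "block everything" rule would also cut off collection; instead switch the
# default outbound action to Block, keep one allow rule, and disable the rest.
function Invoke-HostIsolation {
    param([string] $AllowedHost)
    New-NetFirewallRule -DisplayName 'IR-Isolate-Allow-Forensics' -Direction Outbound `
        -Action Allow -RemoteAddress $AllowedHost -Profile Any | Out-Null
    $disabled = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object DisplayName -ne 'IR-Isolate-Allow-Forensics'
    $disabled | Set-NetFirewallRule -Enabled False
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    # Keep the list so the rules can be re-enabled after eradication.
    $disabled | Select-Object Name, DisplayName |
        Export-Csv "$env:ProgramData\ir-disabled-rules.csv" -NoTypeInformation
}

# Identity: reset every account that was active on the host and revoke sessions.
function Reset-CompromisedAccounts {
    param([string[]] $SamAccountNames, [string] $UpnSuffix = 'corp.example')   # assumption
    Import-Module ActiveDirectory
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($sam in $SamAccountNames) {
        # 24-character random temporary password; the user must change it at next logon.
        $bytes = New-Object byte[] 18
        $rng.GetBytes($bytes)
        $tmp = [Convert]::ToBase64String($bytes)
        Set-ADAccountPassword -Identity $sam -Reset `
            -NewPassword (ConvertTo-SecureString $tmp -AsPlainText -Force)
        Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
        # Invalidate Entra ID refresh tokens so stolen browser sessions die as well.
        Revoke-MgUserSignInSession -UserId "$sam@$UpnSuffix" | Out-Null
        [pscustomobject]@{ Account = $sam; TempPassword = $tmp }   # hand over out of band
    }
}

# On the infected host:        Invoke-HostIsolation -AllowedHost $ForensicHost
# On the responder workstation: Reset-CompromisedAccounts -SamAccountNames @('jdoe', 'svc-backup')
```

Isolation via the host firewall depends on the malware not having already tampered with the firewall service, so confirm the profile state with `Get-NetFirewallProfile` afterwards and prefer the EDR's own network-isolation feature where one exists; the perimeter blocks for C2 and non-corporate SMTP described above are a separate control and should be applied regardless.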
Eradication and Recovery
Eradicate the malware and restore systems to a trusted state.
- Complete Removal: Follow the detailed, step-by-step procedures in the Agent Tesla Removal Guide for each affected system. This guide provides specific instructions for:
- Terminating malicious processes.
- Removing persistent registry keys and scheduled tasks.
- Deleting all associated files from disk.
- System Restoration:
- For critically infected systems, the most secure path is to wipe and rebuild from a known-clean gold image.
- If restoring from backups, ensure the backup is from a date prior to the earliest evidence of infection. Do not restore user profile data from the infected period without careful scanning, as it may contain the dropper, its persistence artifacts, or the infostealer's staged output.
- Verification:
- After cleanup or restoration, perform a full system scan with updated antivirus and EDR tools.
- Re-examine the locations where Agent Tesla artifacts were found to confirm they are clean.
- Monitor the system closely for several days for any recurrence of suspicious network activity or processes.
Lessons Learned Checklist
After containment and eradication, conduct a formal review to improve security posture.
- Initial Infection Vector:
- How did Agent Tesla initially breach the environment? (e.g., Phishing email, drive-by download)
- Was the malicious email attachment/link detected by email security filters? If not, why?
- Control Failures:
- Why did endpoint protection not prevent execution or detect the malware earlier?
- Were application allowlisting or macro execution controls in place for Office documents?
- Did network monitoring fail to alert on anomalous SMTP or HTTP traffic to unknown destinations?
- Detection Gaps:
- Are there now detections in place for the specific Agent Tesla behaviors observed (e.g., process injection from Office apps, specific registry persistence)?
- Can your SIEM platform correlate events to detect the full attack chain (delivery, execution, persistence, exfiltration)?
- Improvement Actions:
- Technical: Implement stricter macro policies, enhance network egress filtering for SMTP, enable Windows Credential Guard, and restrict credential storage in browsers and mail clients (for example by disabling built-in password saving in favour of an enterprise password manager), since saved credentials are Agent Tesla's primary target.
- Process: Update and test the incident response plan. Improve user phishing awareness training based on the lures used.
- Monitoring: Create new alerts in your SIEM platform based on the IOCs and TTPs from this incident. Review and tune detection rules regularly.
For proactive measures, refer to the Agent Tesla Detection Guide. For general information on this malware family, see the Agent Tesla Overview.