Agent Tesla Malware Removal Guide
Signs of Infection
Agent Tesla is a .NET-based information stealer and keylogger sold as malware-as-a-service. It harvests credentials saved by browsers, email, FTP and VPN clients, logs keystrokes and clipboard contents, and sends what it collects out over SMTP, FTP, HTTP or the Telegram Bot API. Because it runs as the logged-on user and re-launches itself at logon, it leaves several detectable artifacts. Key indicators of infection include:
File System Artifacts:
- Executables or DLLs with random alphanumeric names (e.g., `jhdfg734.exe`, `winsys64.dll`) in user profile directories (`%AppData%`, `%LocalAppData%`, `%Temp%`). Drops into system folders (`C:\Windows\System32`, `C:\Windows\SysWOW64`) are possible but require elevation, so the profile directories are by far the more common location.
- Log files containing stolen data, often with `.txt`, `.log` or `.dat` extensions, stored in the same directories.
- Recently created files with names mimicking legitimate software (e.g., `chrome_update.exe`, `adobe_flash.exe`).
Process Behaviors:
- Unknown processes with short bursts of CPU usage (collection and exfiltration runs) or a persistent memory-resident presence.
- Processes started from suspicious locations (temporary folders), or .NET framework utilities such as `RegSvcs.exe`, `RegAsm.exe` or `MSBuild.exe` running when nothing on the host should have launched them; Agent Tesla loaders commonly inject the payload into these by process hollowing, so the hostile code runs under a legitimate Microsoft-signed image.
- Parent/child relationships that are not typical, such as a binary under `%AppData%` spawned by `explorer.exe` at logon, or `svchost.exe` with an unexpected child.
- Multiple instances of the same suspicious process, or processes that re-spawn shortly after termination (a watchdog).
Network Signs:
- Outbound connections to SMTP servers (ports 25, 465, 587), FTP servers (port 21), web panels (HTTP/HTTPS) or the Telegram Bot API (`api.telegram.org`) from processes that are not email clients or browsers.
- DNS requests for domains with random subdomains or newly registered domains associated with Agent Tesla C2 infrastructure.
- Unusual traffic patterns, such as periodic small data uploads (exfiltrated keystrokes, credentials) to external IPs.
Registry & Persistence:
- Run values created under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, pointing at a binary in a user profile directory.
- A copy of the executable in the per-user Startup folder (`%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`).
- Scheduled tasks with random names or disguised as system updates.
- Services installed with random display names or binary paths pointing to user directories.
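As an added triage example (not part of this guide's original text and not code from Agent Tesla or any vendor tool), the PowerShell below collects the indicators listed above from a suspect host in one pass. It assumes Windows PowerShell 5.1 or later in an elevated session; the allowlist of expected mail clients is an assumption to adjust for your environment. It reads and reports only, so it can be run before containment without disturbing evidence.

```powershell
# Added triage script: collects the indicators listed above without changing anything.
# Assumes Windows PowerShell 5.1+ run elevated on the suspect host; it only reports.

$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | ForEach-Object { $_.TrimEnd('\') }

# True when a command line or image path starts inside a user-writable profile directory
function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.Trim().Trim('"')
    foreach ($d in $userDirs) {
        if ($p.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Running processes whose image lives under %AppData%, %LocalAppData% or %Temp%
$suspectProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Test-UserWritablePath $_.Path) } |
    Select-Object Id, ProcessName, Path, StartTime

# 2. Established connections to SMTP/FTP ports from anything that is not an expected
#    mail client. The allowlist is an assumption; extend it for your environment.
$expectedMailClients = @('outlook', 'thunderbird')
$exfilPorts = @(25, 465, 587, 21)
$suspectConns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $exfilPorts -contains [int]$_.RemotePort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and ($expectedMailClients -notcontains $proc.ProcessName.ToLower())) {
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Image   = $proc.Path
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            }
        }
    }

# 3. Run-key values whose command points into a profile directory
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectRun = foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if (Test-UserWritablePath $cmd) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd }
        }
    }
}

# 4. Scheduled tasks with an action that executes from a profile directory
$suspectTasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-UserWritablePath $action.Execute)) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Author    = $task.Author
            }
        }
    }
}

# 5. Services whose binary path points into a profile directory
$suspectSvcs = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UserWritablePath $_.PathName } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 6. Per-user Startup folder, another common location for a self-copy
$startupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$startupItems = Get-ChildItem -Path $startupDir -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# One report object; pipe it to Export-Clixml or ConvertTo-Json to keep it as evidence
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    CollectedAt = Get-Date
    Processes   = @($suspectProcs)
    Connections = @($suspectConns)
    RunValues   = @($suspectRun)
    Tasks       = @($suspectTasks)
    Services    = @($suspectSvcs)
    StartupDir  = @($startupItems)
}
```

Anything the report lists is a lead, not a verdict: legitimate installers (browser updaters, some per-user apps) also run from `%LocalAppData%`, so confirm each hit against the image's signature and hash before acting on it, and save the report object alongside the other evidence collected during containment.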
Immediate Containment Steps
Within the first 15 minutes of detecting Agent Tesla, take these steps to limit damage:
- Network Isolation: Immediately disconnect the infected host from the network. Disable both wired and wireless adapters via the OS or network switch to prevent further data exfiltration and C2 communication.
- Process Termination: Use a trusted process manager from a clean source (e.g., a pre-installed EDR agent console or a clean USB toolkit) to identify and terminate malicious processes. Look for processes with the suspicious file names and locations noted above. Note the full image path and PID for later analysis.
- Credential Rotation Priorities:
- High Priority: Immediately reset credentials for any account used from or saved on the infected machine (browser password stores and email, FTP and VPN client profiles are all harvested), starting with domain administrator, local administrator, and any accounts with access to sensitive data (finance, HR, source code).
- Medium Priority: Reset credentials for email accounts, VPN access, and internal application logins used on the host.
- Broad Communication: Inform users of a potential credential leak and mandate a password change for all domain accounts, enforcing a strong password policy.
- Preserve Evidence: Before cleaning, take a forensic disk image and a memory dump if at all possible; capture memory before any reboot, since the injected payload may exist only in memory. If a full capture is not feasible, record the volatile state (process list with image paths, established network connections) and document all identified IOCs: file paths and hashes, process names, registry keys, scheduled task names and any network destinations.
Manual Removal Process
Follow this step-by-step process to remove Agent Tesla. Perform these steps with the host still isolated, either from Safe Mode or with the disk mounted on a known-clean system, working from the IOC list recorded during containment.
Step 1: Terminate Malicious Processes.
- Boot into Safe Mode so that Run keys, scheduled tasks and non-essential services do not load. Prefer plain Safe Mode over Safe Mode with Networking: the host should stay isolated, and if you must pull tools over the network, do it only from the isolated segment.
- Open the Task Manager or a command prompt with administrative privileges.
- End all processes identified during the detection phase. Use the command `taskkill /f /t /im [process_name.exe]` (`/t` also ends the process's children).
- Be thorough; Agent Tesla may have multiple processes or a watchdog that restarts them, so re-check the process list after a few seconds and repeat.
Step 2: Delete Persistence Mechanisms.
- Registry Run Keys: Open the Registry Editor (`regedit`). Export each key before editing, then delete any suspicious values under:
  `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
  `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run`
- Startup Folder: Remove any unrecognised executable or shortcut from `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`.
- Scheduled Tasks: Open Task Scheduler. Review the task library and delete any tasks with random names, unfamiliar authors, or actions that point to suspicious `.exe` or `.vbs` files in user temp directories.
- Services: Open the Services console (`services.msc`). Look for services with random display names or paths pointing to `%AppData%` or `%Temp%`. Stop the service, set its startup type to Disabled, and record its binary path for deletion in the next step.
Step 3: Remove Dropped Files.
- Navigate to and delete all files and folders identified as malicious. Common locations include:
  `%AppData%`
  `%LocalAppData%`
  `%Temp%`
  `%UserProfile%\Downloads`
  `C:\Windows\System32\`
  `C:\Windows\SysWOW64\`
- Before deleting, record each file's SHA-256 hash and copy it to an evidence folder so the sample can be analysed or matched against threat intelligence later.
- Use the command prompt with `del /f /q [file_path]` for stubborn files. Add `/s` only when you intend to remove every matching file in subdirectories as well; combined with a wildcard it deletes far more than the one file you meant. Empty the Recycle Bin.
Step 4: Clean Registry Entries.
- Beyond Run keys, search for and remove any other registry entries created by the malware. Common locations include classes and recent file lists. Use caution and back up the registry before making changes.
- A common Agent Tesla artifact is a registry value used for configuration or status tracking, often found under a randomly named key in `HKCU\Software\` or `HKLM\SOFTWARE\`.
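The four steps above as one script, added here as an example and not code from this guide or any vendor. It acts only on artifacts you have already identified and pass in as parameters; it does not hunt on its own. The default values are placeholders (the illustrative file names used earlier in this guide plus one hypothetical task name), not real Agent Tesla indicators. It assumes an elevated Windows PowerShell 5.1+ session in Safe Mode on the still-isolated host, and `reg.exe` and `sc.exe` from the Windows installation; every artifact is exported or copied into an evidence folder before it is removed.

```powershell
# Added removal script: Steps 1-4 applied to artifacts already identified in triage.
# Defaults are placeholders (this guide's illustrative names plus a hypothetical task),
# not real IOCs. Run elevated in Safe Mode with the host still isolated.
param(
    [string[]]$ProcessNames  = @('jhdfg734'),                                            # placeholder
    [string[]]$FilePaths     = @("$env:APPDATA\jhdfg734.exe", "$env:TEMP\winsys64.dll"),  # placeholder
    [string[]]$RunValueNames = @('jhdfg734'),                                            # placeholder
    [string[]]$TaskNames     = @('WindowsUpdateCheck'),                                  # hypothetical
    [string[]]$ServiceNames  = @('winsys64'),                                            # placeholder
    [string]$EvidenceDir     = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmm')"
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$log = Join-Path $EvidenceDir 'removal.log'
function Note([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

# Step 1: kill, wait, kill again, so a watchdog that re-spawns a sibling is caught too
foreach ($round in 1..3) {
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue | ForEach-Object {
        Note "kill pid=$($_.Id) name=$($_.ProcessName) image=$($_.Path)"
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2
}
$survivors = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
if ($survivors.Count) { Note "WARNING: still running: $($survivors.ProcessName -join ', ')" }

# Step 2a: Run keys, exported with reg.exe before the named values are removed
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($psPath in $runKeys) {
    $regPath = $psPath -replace '^(HKCU|HKLM):', '$1'
    $backup  = Join-Path $EvidenceDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $backup /y | Out-Null
    foreach ($name in $RunValueNames) {
        $existing = Get-ItemProperty -Path $psPath -Name $name -ErrorAction SilentlyContinue
        if ($existing) {
            Note "remove Run value $regPath\$name = $($existing.$name)"
            Remove-ItemProperty -Path $psPath -Name $name -Force
        }
    }
}

# Step 2b: scheduled tasks, exported as XML before they are unregistered
foreach ($t in $TaskNames) {
    Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue | ForEach-Object {
        Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath |
            Set-Content -Path (Join-Path $EvidenceDir "task-$($_.TaskName).xml")
        Note "unregister task $($_.TaskPath)$($_.TaskName) exec=$($_.Actions[0].Execute)"
        Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false
    }
}

# Step 2c: services; the binary path is recorded and queued for deletion in Step 3
foreach ($s in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$s'"
    if (-not $svc) { continue }
    Note "disable service $s path=$($svc.PathName)"
    Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
    Set-Service -Name $s -StartupType Disabled
    & sc.exe delete $s | Out-Null
    $FilePaths += ($svc.PathName.Trim('"') -replace '^(.*?\.exe).*$', '$1')
}

# Step 3: hash and quarantine each file into the evidence folder, then delete the original
foreach ($f in ($FilePaths | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $f)) { Note "absent: $f"; continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    Copy-Item -LiteralPath $f -Destination (Join-Path $EvidenceDir "$hash.bin") -Force
    Remove-Item -LiteralPath $f -Force
    Note "quarantined and deleted $f sha256=$hash"
}
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

# Step 4: other registry values under HKCU\Software and HKLM\SOFTWARE that still name a
# removed file are written out for manual review, not deleted blindly
$hits = foreach ($root in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($vn in $key.GetValueNames()) {
            $data = [string]$key.GetValue($vn)
            foreach ($f in $FilePaths) {
                if ($data -and $data.IndexOf($f, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Key = $key.Name; Value = $vn; Data = $data }
                }
            }
        }
    }
}
if ($hits) { $hits | Export-Csv -Path (Join-Path $EvidenceDir 'registry-references.csv') -NoTypeInformation }
Note "finished; $(@($hits).Count) remaining registry reference(s) written for review"
```

Save it as a script and invoke it with the names recorded during triage; the defaults exist only to show the parameter shapes. `Remove-Service` is not available in Windows PowerShell 5.1, which is why the service is deleted through `sc.exe`. The Step 4 search is deliberately one level deep and read-only: a full recursive sweep of `HKLM\SOFTWARE` is slow, and values under application keys are better judged by a person than deleted by pattern.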
Verifying Removal
After manual removal, confirm the system is clean.
- Full System Scan: Perform a full, deep scan with an updated endpoint security solution. Use a dedicated anti-malware scanner from a trusted vendor as a secondary check.
- Log Analysis: Review system logs (Event Viewer) for recent errors related to the deleted files or services. Check Security logs for failed logon attempts that may indicate stolen credentials were used.
- Autorun Analysis: Use a trusted autorun monitoring tool to verify no remaining persistence points reference the deleted files.
- Network Traffic Monitoring: Before reconnecting the host to the production network, place it on an isolated segment with a network monitoring tool or SIEM sensor. Monitor for any residual outbound calls to known Agent Tesla C2 IPs or domains. Allow the host to run for 24-48 hours while monitoring for beaconing activity.
- File Integrity Check: Use the built-in System File Checker (`sfc /scannow`) to ensure critical system files were not replaced by the malware.
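For the Security log check above, an added example (not code from this guide) that looks for the pattern stolen credentials leave behind: a burst of failed logons (event 4625) for an account followed by a success (event 4624) for the same account. This is also the pattern the hardening section asks you to alert on. It assumes logon auditing is enabled, an elevated Windows PowerShell 5.1+ session, and a threshold and window that are assumptions to tune; it reads the event XML by field name rather than by property index so it works across Windows versions.

```powershell
# Added check: accounts in the local Security log with >= N failed logons (4625)
# followed by a success (4624). Assumes logon auditing is on and an elevated session.
param([int]$Hours = 48, [int]$FailureThreshold = 5)   # window and threshold are assumptions

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull a named EventData field from the event XML (robust to property-index differences)
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$records = foreach ($e in $events) {
    $user = Get-EventField $e 'TargetUserName'
    if (-not $user -or $user.EndsWith('$')) { continue }   # skip machine accounts
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $user
        Domain    = Get-EventField $e 'TargetDomainName'
        LogonType = Get-EventField $e 'LogonType'
        Source    = Get-EventField $e 'IpAddress'
    }
}

# Per account, walk events in time order and flag a success that follows >= threshold failures
$findings = foreach ($grp in ($records | Group-Object User)) {
    $fails = 0
    $firstFail = $null
    foreach ($r in ($grp.Group | Sort-Object Time)) {
        if ($r.Id -eq 4625) {
            if ($fails -eq 0) { $firstFail = $r.Time }
            $fails++
        } else {
            if ($fails -ge $FailureThreshold) {
                [pscustomobject]@{
                    User         = $grp.Name
                    Domain       = $r.Domain
                    Failures     = $fails
                    FirstFailure = $firstFail
                    SuccessAt    = $r.Time
                    LogonType    = $r.LogonType
                    Source       = $r.Source
                }
            }
            $fails = 0
        }
    }
}
$findings | Sort-Object SuccessAt | Format-Table -AutoSize
```

A hit with logon type 3 or 10 from an address that is not the user's usual workstation is the one to chase first; run the same query against the domain controllers' Security logs as well, because a credential stolen here will more likely be replayed against other hosts than against the cleaned one.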
Post-Removal Security Hardening
To prevent reinfection via Agent Tesla’s common vectors:
- Email Security Configuration: Strengthen email gateway filters to block emails with executable attachments (.exe, .scr, .js, .vbs) and double file extensions. Implement strict SPF, DKIM, and DMARC policies to reduce spoofing.
- Application Control Policies: Deploy application allowlisting via Group Policy (AppLocker or Windows Defender Application Control) or an EDR solution to prevent execution of binaries from `%AppData%`, `%LocalAppData%` and `%Temp%`. Allow only signed, trusted applications.
- Enhanced Monitoring Rules: Create specific alerts in your SIEM or EDR platform for:
- Process creation from temporary directories.
- Outbound network connections to SMTP/FTP servers from non-standard processes.
- Creation of registry run keys or scheduled tasks by non-admin users.
- Multiple failed logon attempts followed by a success (indicative of credential reuse).
- Policy Updates:
- Update acceptable use policies to prohibit the download and execution of unauthorized software.
- Mandate and enforce the use of Multi-Factor Authentication (MFA) for all remote access and privileged accounts.
- Implement a regular credential rotation policy, especially for administrative accounts.
- User Training: Conduct regular phishing awareness training focusing on identifying malicious attachments and links, the primary delivery method for Agent Tesla.
For the most current technical indicators, please refer to the Current Agent Tesla IOCs. To understand how common security tools identify this threat, see the Detection Rate. For more general information, visit the Agent Tesla Overview.