Agent Tesla

Agent Tesla is a spyware Trojan written in Visual Basic.[1]

ID: S0331
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | Agent Tesla collects account information from the victim's machine. [3] |
| Enterprise | T1115 | Clipboard Data | Agent Tesla can steal data from the victim's clipboard. [2] [1] [4] |
| Enterprise | T1022 | Data Encrypted | Agent Tesla encrypts the data with 3DES before sending it to the C2 server. [2] |
| Enterprise | T1089 | Disabling Security Tools | Agent Tesla has the capability to kill any running analysis processes and AV software. [4] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP. [2] |
| Enterprise | T1203 | Exploitation for Client Execution | Agent Tesla exploits CVE-2017-11882 in Microsoft's Equation Editor to execute a process. [2] |
| Enterprise | T1056 | Input Capture | Agent Tesla can log keystrokes on the victim's machine. [2] [3] [4] |
| Enterprise | T1027 | Obfuscated Files or Information | Agent Tesla obfuscates its code in an apparent attempt to make analysis difficult. [1] |
| Enterprise | T1057 | Process Discovery | Agent Tesla lists the currently running processes on the system. [4] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Agent Tesla adds itself to the Registry as a startup program to establish persistence. [1] |
| Enterprise | T1105 | Remote File Copy | Agent Tesla can download additional files for execution on the victim's machine. [2] [3] |
| Enterprise | T1113 | Screen Capture | Agent Tesla can capture screenshots of the victim's desktop. [2] [3] [1] [4] |
| Enterprise | T1071 | Standard Application Layer Protocol | Agent Tesla has used HTTP and SMTP for C2 communications. [3] [4] |
| Enterprise | T1082 | System Information Discovery | Agent Tesla collects the system's computer name and also has the capability to collect information on the processor, memory, and video card from the system. [1] [4] |
| Enterprise | T1016 | System Network Configuration Discovery | Agent Tesla can collect the IP address of the victim machine. [3] |
| Enterprise | T1033 | System Owner/User Discovery | Agent Tesla collects the username from the victim's machine. [3] [1] |
| Enterprise | T1124 | System Time Discovery | Agent Tesla can collect the timestamp from the victim's machine. [3] |
| Enterprise | T1065 | Uncommonly Used Port | Agent Tesla has enabled TCP on port 587 for C2 communications. [1] [2] |
| Enterprise | T1125 | Video Capture | Agent Tesla can access the victim's webcam and record video. [3] [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0083 | SilverTerrier | [5] |

References