Agent Tesla

Agent Tesla is a spyware Trojan written in Visual Basic.[1]

ID: S0331
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Agent Tesla collects account information from the victim’s machine.[2]
Enterprise | T1115 | Clipboard Data | Agent Tesla can steal data from the victim’s clipboard.[3][1][4]
Enterprise | T1022 | Data Encrypted | Agent Tesla encrypts collected data with 3DES before sending it to the C2 server.[3]
Enterprise | T1089 | Disabling Security Tools | Agent Tesla has the capability to kill running analysis processes and AV software.[4]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[3]
Enterprise | T1203 | Exploitation for Client Execution | Agent Tesla exploits CVE-2017-11882 in Microsoft’s Equation Editor to execute a process.[3]
Enterprise | T1056 | Input Capture | Agent Tesla can log keystrokes on the victim’s machine.[3][2][4]
Enterprise | T1027 | Obfuscated Files or Information | Agent Tesla obfuscates its code in an apparent attempt to make analysis difficult.[1]
Enterprise | T1057 | Process Discovery | Agent Tesla lists the processes currently running on the system.[4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Agent Tesla adds itself to the Registry as a startup program to establish persistence.[1]
Enterprise | T1105 | Remote File Copy | Agent Tesla can download additional files for execution on the victim’s machine.[3][2]
Enterprise | T1113 | Screen Capture | Agent Tesla can capture screenshots of the victim’s desktop.[3][2][1][4]
Enterprise | T1071 | Standard Application Layer Protocol | Agent Tesla has used HTTP and SMTP for C2 communications.[2][4]
Enterprise | T1082 | System Information Discovery | Agent Tesla collects the system’s computer name and can also collect information on the processor, memory, and video card.[1][4]
Enterprise | T1016 | System Network Configuration Discovery | Agent Tesla can collect the IP address of the victim machine.[2]
Enterprise | T1033 | System Owner/User Discovery | Agent Tesla collects the username from the victim’s machine.[2][1]
Enterprise | T1124 | System Time Discovery | Agent Tesla can collect the timestamp from the victim’s machine.[2]
Enterprise | T1065 | Uncommonly Used Port | Agent Tesla has used TCP port 587 for C2 communications.[1][3]
Enterprise | T1125 | Video Capture | Agent Tesla can access the victim’s webcam and record video.[2][3]
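Three of the behaviours in the table above (Equation Editor spawning a child process, Run key persistence, and C2/exfiltration over TCP 587) are directly observable in endpoint telemetry. The script below is an added hunting example written for this page; it is not MITRE's code or Agent Tesla's, and the Sysmon-style events it runs over are constructed samples, not real captures. The mail-client allowlist and the field names are assumptions to be tuned to a specific environment.

```python
"""Hunting rules for behaviours in the Agent Tesla technique table.

The events below are CONSTRUCTED samples loosely modelled on Sysmon fields
(process create, registry set, network connect). The rules are generic and
would apply to any telemetry exposing the same fields.
"""

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # T1203: Equation Editor (EQNEDT32.EXE) should never spawn children.
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    # T1060: persistence via a Run key pointing at the dropped binary.
    {"id": 2, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    # T1065 / T1048: SMTP submission port from a non-mail process.
    {"id": 3, "type": "network_connect",
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "dest_port": 587, "protocol": "tcp"},
    # Benign: a real mail client on port 587.
    {"id": 4, "type": "network_connect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_port": 587, "protocol": "tcp"},
    # Benign: ordinary process creation.
    {"id": 5, "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Assumption: processes legitimately expected to use port 587. Tune per site.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Matches Run and RunOnce under HKCU/HKLM; both are T1060 startup locations.
RUN_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_equation_editor_child(ev: dict) -> bool:
    """T1203: any process whose parent is the Equation Editor binary."""
    return (ev.get("type") == "process_create"
            and _basename(ev.get("parent_image", "")) == "eqnedt32.exe")


def rule_run_key_persistence(ev: dict) -> bool:
    """T1060: a value written under a CurrentVersion\\Run* key."""
    return (ev.get("type") == "registry_set"
            and RUN_KEY_FRAGMENT in ev.get("key", "").lower())


def rule_smtp_from_non_mail_client(ev: dict) -> bool:
    """T1065/T1048: TCP 587 from anything that is not a known mail client."""
    return (ev.get("type") == "network_connect"
            and ev.get("protocol") == "tcp"
            and ev.get("dest_port") == 587
            and _basename(ev.get("image", "")) not in MAIL_CLIENT_ALLOWLIST)


RULES = [
    ("T1203", rule_equation_editor_child),
    ("T1060", rule_run_key_persistence),
    ("T1065", rule_smtp_from_non_mail_client),
]


def hunt(events: list) -> list:
    """Return (technique_id, event_id) pairs for every rule that fires."""
    hits = []
    for ev in events:
        for tid, rule in RULES:
            if rule(ev):
                hits.append((tid, ev["id"]))
    return hits


def chain_by_image(events: list, hits: list) -> dict:
    """Group firing techniques by the executable involved, so a single dropped
    binary that exploits, persists and beacons shows up as one chain.
    For registry events the executable is the written value."""
    by_id = {ev["id"]: ev for ev in events}
    chains: dict = {}
    for tid, eid in hits:
        ev = by_id[eid]
        image = ev.get("image") or ev.get("value", "")
        chains.setdefault(image.lower(), set()).add(tid)
    return {img: sorted(tids) for img, tids in chains.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for tid, eid in found:
        print(f"{tid} fired on event {eid}")
    for image, tids in chain_by_image(SAMPLE_EVENTS, found).items():
        print(f"{image}: {', '.join(tids)}")
```

The correlation step is the part worth keeping: any one rule on its own is noisy (port 587 is ordinary mail submission, and Run keys are written by plenty of installers), but one unsigned binary under a user profile that was spawned by EQNEDT32.EXE, registered itself for startup, and then opened TCP 587 is the sequence the table describes.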

Groups

Groups that use this software:

SilverTerrier

References