The sub-techniques beta is now live! Read the release blog post for more info.

Agent Tesla

Agent Tesla is a spyware Trojan written in visual basic.[1]

ID: S0331
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 29 January 2019
Last Modified: 16 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Agent Tesla collects account information from the victim’s machine.[3]

Enterprise T1115 Clipboard Data

Agent Tesla can steal data from the victim’s clipboard.[2][1][4]

Enterprise T1022 Data Encrypted

Agent Tesla encrypts the data with 3DES before sending it over the C2 server.[2]

Enterprise T1089 Disabling Security Tools

Agent Tesla has the capability to kill any running analysis processes and AV software.[4]

Enterprise T1048 Exfiltration Over Alternative Protocol

Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[2]

Enterprise T1203 Exploitation for Client Execution

Agent Tesla exploits CVE-2017-11882 in Microsoft’s Equation Editor to execute a process.[2]

Enterprise T1056 Input Capture

Agent Tesla can log keystrokes on the victim’s machine.[2][3][4]

Enterprise T1027 Obfuscated Files or Information

Agent Tesla obfuscates its code in an apparent attempt to make analysis difficult.[1]

Enterprise T1057 Process Discovery

Agent Tesla lists the current running processes on the system.[4]

Enterprise T1060 Registry Run Keys / Startup Folder

Agent Tesla adds itself to the Registry as a startup program to establish persistence.[1]

Enterprise T1105 Remote File Copy

Agent Tesla can download additional files for execution on the victim’s machine.[2][3]

Enterprise T1113 Screen Capture

Agent Tesla can capture screenshots of the victim’s desktop.[2][3][1][4]

Enterprise T1071 Standard Application Layer Protocol

Agent Tesla has used HTTP and SMTP for C2 communications.[3][4]

Enterprise T1082 System Information Discovery

Agent Tesla collects the system's computer name and also has the capability to collect information on the processor, memory, and video card from the system.[1][4]

Enterprise T1016 System Network Configuration Discovery

Agent Tesla can collect the IP address of the victim machine.[3]

Enterprise T1033 System Owner/User Discovery

Agent Tesla collects the username from the victim’s machine.[3][1]

Enterprise T1124 System Time Discovery

Agent Tesla can collect the timestamp from the victim’s machine.[3]

Enterprise T1065 Uncommonly Used Port

Agent Tesla has enabled TCP on port 587 for C2 communications.[1][2]

Enterprise T1125 Video Capture

Agent Tesla can access the victim’s webcam and record video.[3][2]

Groups That Use This Software

ID Name References
G0083 SilverTerrier [5]

References