Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]

ID: S0331
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 28 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Agent Tesla can collect account information from the victim’s machine.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Agent Tesla has used HTTP for C2 communications.[5][6]

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Agent Tesla has used SMTP for C2 communications.[5][6][2]

Enterprise T1560 Archive Collected Data

Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Agent Tesla can add itself to the Registry as a startup program to establish persistence.[1]

Enterprise T1115 Clipboard Data

Agent Tesla can steal data from the victim’s clipboard.[4][1][6][2]

Enterprise T1555 Credentials from Password Stores

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[3]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[4][2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Agent Tesla has the capability to kill any running analysis processes and AV software.[6]

Enterprise T1105 Ingress Tool Transfer

Agent Tesla can download additional files for execution on the victim’s machine.[4][5]

Enterprise T1056 .001 Input Capture: Keylogging

Agent Tesla can log keystrokes on the victim’s machine.[4][5][6][2]

Enterprise T1185 Man in the Browser

Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[2]

Enterprise T1027 Obfuscated Files or Information

Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[1] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[3]

Enterprise T1057 Process Discovery

Agent Tesla can list the current running processes on the system.[6]

Enterprise T1113 Screen Capture

Agent Tesla can capture screenshots of the victim’s desktop.[4][5][1][6][2]

Enterprise T1082 System Information Discovery

Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[1][6][3]

Enterprise T1016 System Network Configuration Discovery

Agent Tesla can collect the IP address of the victim machine.[5]

Enterprise T1033 System Owner/User Discovery

Agent Tesla can collect the username from the victim’s machine.[5][1][3]

Enterprise T1124 System Time Discovery

Agent Tesla can collect the timestamp from the victim’s machine.[5]

Enterprise T1204 .002 User Execution: Malicious File

Agent Tesla has been executed through malicious e-mail attachments.[2]

Enterprise T1125 Video Capture

Agent Tesla can access the victim’s webcam and record video.[5][4]

Enterprise T1497 Virtualization/Sandbox Evasion

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.[3]
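Several of the behaviours listed above are directly observable on an endpoint: the Run key write used for persistence (T1547.001) and the SMTP or FTP connections used for C2 and exfiltration (T1071.003, T1048.003). The following detection example is added here and is not part of the ATT&CK page or of Agent Tesla; it correlates Sysmon-style events per process so that a process which both persists via a Run key and talks SMTP/FTP is scored highest. The field names follow Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection), the allowlist of mail/FTP clients is an assumption to be tuned per environment, and the sample events are constructed for this example.

```python
"""Added detection example (not from the ATT&CK page or Agent Tesla itself).

Correlates constructed Sysmon-style events for two behaviours the page lists:
  - T1547.001  Run/RunOnce key written (Sysmon Event ID 13)
  - T1071.003 / T1048.003  SMTP or FTP connection from a process that is not a
    known mail/FTP client (Sysmon Event ID 3)
"""
from collections import defaultdict

# Registry paths that establish autostart; matched case-insensitively.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Ports the page names for Agent Tesla's mail/FTP channels.
EXFIL_PORTS = {25: "SMTP", 465: "SMTPS", 587: "SMTP submission", 21: "FTP"}
# Assumed allowlist of images expected to speak SMTP/FTP; tune per environment.
EXPECTED_MAIL_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "winscp.exe"}

# Constructed sample telemetry (hypothetical hosts, paths and addresses).
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\invoice",
     "Details": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"EventID": 3, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.20", "DestinationPort": 587},
    {"EventID": 13, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installer",
     "Details": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    p = path.lower()
    return any(tok in p for tok in ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\"))


def run_key_finding(ev):
    """T1547.001: Event ID 13 writing under a Run/RunOnce key. Returns a finding or None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if not any(marker in target for marker in RUN_KEY_MARKERS):
        return None
    note = "Run key set"
    # A Run value pointing into AppData/Temp is far more suspicious than a vendor install path.
    if _user_writable(ev.get("Details", "")) or _user_writable(ev.get("Image", "")):
        note += " pointing at a user-writable path"
    return note


def exfil_connection_finding(ev):
    """T1071.003 / T1048.003: Event ID 3 to a mail/FTP port from a non-client image."""
    if ev.get("EventID") != 3:
        return None
    port = ev.get("DestinationPort")
    if port not in EXFIL_PORTS:
        return None
    if _basename(ev.get("Image", "")) in EXPECTED_MAIL_FTP_CLIENTS:
        return None
    return f"{EXFIL_PORTS[port]} connection to {ev.get('DestinationIp')}:{port} from non-mail/FTP client"


def correlate(events):
    """Group findings by ProcessGuid and rate each flagged process.

    high   = Run key persistence AND unexpected SMTP/FTP traffic from the same process
    medium = Run key persistence only
    low    = unexpected SMTP/FTP traffic only
    """
    per_process = defaultdict(lambda: {"image": "", "findings": []})
    for ev in events:
        for check in (run_key_finding, exfil_connection_finding):
            finding = check(ev)
            if finding:
                entry = per_process[ev["ProcessGuid"]]
                entry["image"] = ev.get("Image", "")
                entry["findings"].append(finding)
    results = {}
    for guid, entry in per_process.items():
        findings = entry["findings"]
        has_persist = any(f.startswith("Run key") for f in findings)
        has_exfil = any("connection" in f for f in findings)
        severity = "high" if has_persist and has_exfil else "medium" if has_persist else "low"
        results[guid] = {"image": entry["image"], "findings": findings, "severity": severity}
    return results


if __name__ == "__main__":
    for guid, result in correlate(SAMPLE_EVENTS).items():
        print(guid, result["severity"], result["image"])
        for finding in result["findings"]:
            print("   -", finding)
```

On the constructed events only `{A1}` (Run key into AppData plus SMTP submission from the same binary) scores high; the MSI installer's HKLM Run write is medium, and Outlook's own SMTP traffic is not flagged because it is on the allowlist. In production the allowlist should key on signed, full image paths rather than basenames, since a sample can trivially name itself `outlook.exe`.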

Groups That Use This Software

ID Name References
G0083 SilverTerrier [7]

References