The Magnificence of Agent Tesla


The Agent Tesla Remote Access Trojan (RAT) family of malware has had a long-standing presence in the threat landscape. The malware is sold as a remote-access service for targeted systems, so its authors constantly update the code to evade detection efforts. The attackers who buy the service likewise keep developing and expanding their infrastructure to raise their distribution and infection rates. By analyzing one sample from such a malicious-attachment campaign, we will see how the current versions function and what new additions the latest releases have introduced.

Agent Tesla mainly spreads through email attachments, so we will start by analyzing the Microsoft Office document, which is the first step in infecting the user.

File Type: Microsoft Windows Document
SHA256 (at InQuest Labs): 6883bdd8e0cac72d9332c300430511716028bb65c4b7458751655149b9ab25e7
Image 1: 6883bdd8e0cac72d9332c300430511716028bb65c4b7458751655149b9ab25e7

This document exploits an old vulnerability, CVE-2017-11882. The exploit is popular with the developers of Agent Tesla; although it is quite ancient compared with other documented vulnerabilities, it has proven to be an effective attack vector judging by the rate of infection among targeted victims.


Image 2: 9c25441b84bdc3fd16820274148e66a989aedacf05671575dd6f4e533ea47e7f (Microsoft_Office_Word_Macro-Enabled_Document1.docm)

When unpacking the document, we find another embedded file that antivirus products generally do not flag as malicious. It is this file that is launched when the full document is opened, which is how the attack bypasses antivirus solutions. Once launched, it checks the environment in which the document is opened; if it detects a sandbox used for automated document analysis, it does not perform its malicious functions.

The primary purpose of this document is to download and run an executable file from a remote server.


This is the address from which the executable file is downloaded and then launched. Let’s take a deeper look at the .exe file.

File Type: PE-32 Nullsoft install file

The executable is an NSIS (Nullsoft Scriptable Install System) installer, so we need to extract the files it contains. Because the payload is often encrypted, we need the extracted contents for analysis. When executed, this file drops two additional executable files.
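Before reaching for an unpacker it helps to confirm that a dropped PE really is an NSIS build and where its embedded archive begins. The script below is an added triage example, not code from this write-up: it locates the NSIS first header, which NSIS places after the PE stub at a 512-byte boundary and marks with the little-endian value 0xDEADBEEF followed by the ASCII text "NullsoftInst", and decodes its fields. The sample bytes are constructed (a fake MZ stub plus a hand-built header with made-up lengths); they are not the file from the analysis.

```python
"""Triage helper: recognise an NSIS (Nullsoft) installer by its first header
and report where the embedded archive starts.

Added example; the sample input is constructed, not the analysed binary.
"""
import struct
from typing import Dict, Optional

# NSIS "firstheader" layout (from NSIS fileform.h):
#   int flags; int siginfo (0xDEADBEEF); int nsinst[3] ("Null","soft","Inst");
#   int length_of_header; int length_of_all_following_data;
FIRSTHEADER_FMT = "<II12sII"          # 28 bytes, little-endian
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)
# siginfo + marker as they appear on disk; the 4-byte flags field precedes them.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def find_nsis_header(data: bytes) -> Optional[int]:
    """Return the offset of the firstheader (start of the flags field), or None."""
    idx = data.find(NSIS_MAGIC)
    if idx < 4:                        # -1 (absent) or no room for the flags field
        return None
    return idx - 4


def parse_firstheader(data: bytes, off: int) -> Dict:
    """Decode the firstheader fields at the given offset."""
    if len(data) < off + FIRSTHEADER_SIZE:
        raise ValueError("truncated NSIS firstheader")
    flags, siginfo, marker, hdr_len, total_len = struct.unpack_from(FIRSTHEADER_FMT, data, off)
    return {
        "flags": flags,
        "siginfo": siginfo,
        "marker": marker.decode("ascii", "replace"),
        "header_length": hdr_len,          # compressed size of the install header
        "archive_length": total_len,       # everything from the firstheader onward
    }


def triage(data: bytes) -> Dict:
    """Summarise whether the blob is a PE and whether it carries an NSIS archive."""
    result = {"is_pe": data[:2] == b"MZ", "nsis": None}
    off = find_nsis_header(data)
    if off is not None:
        result["nsis"] = dict(offset=off, **parse_firstheader(data, off))
    return result


def build_sample() -> bytes:
    """Constructed stand-in for an NSIS-built executable: a 512-byte fake MZ stub
    followed by a firstheader with invented length values."""
    stub = b"MZ" + b"\x00" * 510
    firstheader = struct.pack(FIRSTHEADER_FMT, 0, 0xDEADBEEF, b"NullsoftInst", 0x1234, 0xABCD)
    return stub + firstheader + b"\x00" * 16


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample, once `triage` reports an NSIS header the archive can be pulled apart with an NSIS-aware unpacker such as 7-Zip (`7z x sample.exe -o extracted`) and the dropped PE files hashed and examined individually.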

File Type: PE-32

Agent Tesla payload.

File Type: PE-32 .NET executable

The developers of Agent Tesla regularly make changes to the functionality of their malware both to expand features and maintain low initial detection rates.


Image 3: A string deobfuscation function is used at runtime.

A dictionary of 11985 elements is needed by a function that restores strings at runtime. This obfuscation interferes with analysis and costs the analyst considerable time to understand the sample comprehensively.
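The practical answer to a lookup-table string obfuscator is to dump the table once and resolve every call site mechanically rather than stepping through each one. The script below is an added example and not the sample's code: it models the scheme only in the abstract, with a `Restore(N)` call (a constructed name) indexing a dictionary of XOR-masked byte strings. The dictionary entries, the mask and the decompiled listing are all constructed for illustration and were not recovered from Agent Tesla.

```python
"""Analyst helper for a dictionary-based string obfuscator.

Added example. The call name ``Restore``, the mask and the table contents are
constructed; they model the technique, not this sample's real values.
"""
import re
from typing import Dict

MASK = 0x5A                      # constructed single-byte XOR mask


def _mask(s: str) -> bytes:
    """Build a masked entry the way the obfuscator would have stored it."""
    return bytes(b ^ MASK for b in s.encode())


# Constructed slice of the dictionary initializer as it would appear in a
# decompiler. In a real case this table is dumped from the decompiled class
# or read out of memory with a debugger after the sample populates it.
DICTIONARY: Dict[int, bytes] = {
    17: _mask("SELECT * FROM logins"),
    42: _mask("smtp.example.invalid"),
    1337: _mask("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
}


def restore(key: int) -> str:
    """Mirror of the runtime routine: look up the entry, unmask it, decode it."""
    return bytes(b ^ MASK for b in DICTIONARY[key]).decode()


def dump_dictionary() -> Dict[int, str]:
    """Resolve the whole table once so it can be searched without executing code."""
    return {k: restore(k) for k in DICTIONARY}


CALL_RE = re.compile(r"Restore\((\d+)\)")


def deobfuscate_listing(listing: str) -> str:
    """Rewrite every Restore(N) in decompiled text to the literal it yields,
    marking keys that are missing from the dumped table instead of guessing."""
    def sub(m: "re.Match") -> str:
        key = int(m.group(1))
        if key not in DICTIONARY:
            return m.group(0) + " /* unresolved */"
        # Re-escape backslashes so the result reads as a C#-style literal.
        return '"' + restore(key).replace("\\", "\\\\") + '"'
    return CALL_RE.sub(sub, listing)


# Constructed decompiler output with call sites to resolve.
LISTING = """\
string server = Restore(42);
RegistryKey k = Registry.CurrentUser.OpenSubKey(Restore(1337), true);
cmd.CommandText = Restore(17);
object x = Restore(9999);
"""

if __name__ == "__main__":
    print(deobfuscate_listing(LISTING))
```

With the resolved listing in hand, the interesting strings (mail servers, persistence keys, browser database queries) surface in a single pass, and the unresolved marker shows exactly which keys still need a runtime dump.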

Image 4: End of the list of deobfuscation dictionary values.
Image 5: User screenshot capture function.
Image 6: The image shows how the program captures keystrokes.
Image 7: Function that sends email over an SMTP connection.

As with previous versions, Agent Tesla supports sending victim information via email to campaign operators.
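Because the exfiltration channel is plain SMTP, the defender-side signal is an outbound connection on a mail port from a process that is not a mail client. The following detection sketch is an added example, not part of the write-up: it runs over constructed endpoint network-connection events (fields loosely modelled on Sysmon Event ID 3) and flags SMTP connections from non-allow-listed processes, adding weight when the image lives in a user-writable path. The allow-list, paths and addresses are assumptions to be tuned for a given estate.

```python
"""Detection sketch: outbound SMTP from processes that have no business sending mail.

Added example with constructed telemetry; the allow-list and path hints are
assumptions, not values from the analysed sample.
"""
from typing import Dict, List, Optional

SMTP_PORTS = {25, 465, 587}
# Assumption: processes expected to speak SMTP directly in this environment.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}
# Assumption: path fragments that usually mean "dropped by a user or a loader".
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed events resembling endpoint network-connection telemetry.
EVENTS: List[Dict] = [
    {"host": "WS-014", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "192.0.2.10", "dst_port": 587},
    {"host": "WS-014", "image": r"C:\Users\alice\AppData\Roaming\sysupd.exe",
     "dst_ip": "203.0.113.25", "dst_port": 587},
    {"host": "WS-022", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "198.51.100.3", "dst_port": 443},
    {"host": "WS-022", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "dst_ip": "198.51.100.7", "dst_port": 465},
]


def basename(path: str) -> str:
    """Lower-cased file name regardless of separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict) -> Optional[Dict]:
    """Return a finding for an SMTP connection from a non-mail process, else None."""
    if event["dst_port"] not in SMTP_PORTS:
        return None
    image = event["image"]
    if basename(image) in MAIL_CLIENT_ALLOWLIST:
        return None
    reasons = ["smtp_from_non_mail_client"]
    if any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("image_in_user_writable_path")
    return {
        "host": event["host"],
        "image": image,
        "dst": f'{event["dst_ip"]}:{event["dst_port"]}',
        "reasons": reasons,
    }


def find_suspicious(events: List[Dict]) -> List[Dict]:
    """Run the assessment over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

In practice the allow-list should be derived from the organisation's real mail flow (most estates route through a relay, so any workstation process speaking SMTP to an arbitrary external host is already unusual), and the finding can be enriched with the destination's reputation before it is raised to an analyst.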

Agent Tesla remains a serious threat that spreads mainly through spam attachments, including messages sent from legitimate accounts that have been compromised. The spyware module, besides stealing screenshots and keystrokes, is also capable of stealing passwords from popular web browsers.


