Agent Tesla

Agent Tesla is an info stealer, which is being promoted by its creators as a legitimate service. The creators of Agent Tesla have built a website for their tool where they have given multiple disclaimers stating that if they detect that a client is using their tool in a threatening manner, their subscription will be canceled indefinitely. In theory, the users subscribing for Agent Tesla are not allowed to employ it on the computers of unsuspecting individuals with the end goal to collect their data. In practice, however, after malware experts got on their case, they discovered quickly that the disclaimers were nothing but a facade for what was going on behind the curtains.

The support system of Agent Tesla is based on Discord, and the authors of this info stealer were not only terminating accounts for wrongdoing but were helping and teaching their customers how to perform malevolent actions such as exploiting software vulnerabilities, infect legitimate files with the threat, and avoid detection by anti-malware applications actively. It is necessary to underline that this is not some obscure and insignificant operation. It seems that many shady individuals have taken interest in Agent Tesla because more than 6,300 people have subscribed for this info stealer with plans varying from budget at $15 per month to the premium option that would cost $69 per month.

This Week In Malware Episode 35 Part 1: Tesla RAT (Agent Tesla) Malware Gets New Password Stealing Abilities

Agent Tesla is capable of logging keystrokes, form-grabbing attacks, and collecting the copy-paste data of the user. Furthermore, the info stealer is packed with the capability of taking screenshots, as well as recording the desktop of the victim. However, Agent Tesla is specialized in collecting passwords mainly. This piece of malware is able to siphon passwords from FTP software, email applications and Web browsers alike.

Since it is being sold as a service, the authors of Agent Tesla have made sure that their creation has a user-friendly interface and is easy to operate. This would allow them to sell subscriptions to a much wider variety of people as you would not need to be too tech savvy to work with Agent Tesla.

Having in mind the vast capabilities of Agent Tesla to collect information, you can only imagine the damage it can do to you if it worms itself into your system. It is crucial that users online obtain a legitimate anti-malware suite and keep it updated because threats like Agent Tesla are just waiting to exploit you.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Keylogger.AgentTesla
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: df000f2d0b8650aeadc73ffe479d807a SHA1: 936af3b30f9018451ffb7d744d981d82f5dff5ee File Size: 5.12 KB, 5120 bytes

MD5: 6468d552db2ac36b4727869ccb00d444 SHA1: db66a7280ca8154671e129d474580820825f33de File Size: 7.68 KB, 7680 bytes

MD5: 4486dfc0301d019b4ddd9e0725eadfae SHA1: 3e359d47e3444256e05f57a2fda325aa42c558cb File Size: 9.22 KB, 9216 bytes

MD5: e0981b5536e80704fa5951613a8c0437 SHA1: 1131909c0837d3bbfef0138c7e902706cb17a6c8 File Size: 5.12 KB, 5120 bytes

MD5: 4da1dbdc1ed888a75a8ce77b7de61e72 SHA1: 055f5f46e9ed815e240bcbc804beb076b8d2e945 File Size: 6.14 KB, 6144 bytes

Show More

MD5: 9812908a20dc7f8b05589e93b60e375c SHA1: 708422f4be6ce11a3d1f918aaccca24fe7518deb File Size: 5.12 KB, 5120 bytes

MD5: 0210e1c6687f09ad29976dd644b9f36b SHA1: cd20379adb21163a769fc3bc4969d6c6e73d59f6 File Size: 5.12 KB, 5120 bytes

MD5: 3aa783001332b150ae98721ce0a8662a SHA1: cfdf5673e0db0a66121c8690bbd431faf153ebac File Size: 5.63 KB, 5632 bytes

MD5: 65d957fe1bd35949d73cd7ac9772aa58 SHA1: 54733ad9cdc856ad44e11bc2b23fcf883fc1cab3 SHA256: A9C656692E9AE4ED3687BB2F9BA66162F737E24121A60AB86533458814111665 File Size: 6.10 KB, 6104 bytes

MD5: c9d889b9142dd88cbfd17cf38831df80 SHA1: 6dcf331347c134b616c0196d667aa2f01518b989 SHA256: D86CF9200590DAD14E4AA3C66FBF00B371E1A8C919E9C373F27DCF1C95328FF2 File Size: 5.12 KB, 5120 bytes

MD5: ddb3d9ef7542379fc6c21c572848c542 SHA1: 3f5867578bf230ae41c5388713ddcf7e04068a1d SHA256: 1D94D23427D58B99B4681E1AE69DA5D344DDCD706C4B8124C0E7C807C25A1062 File Size: 5.12 KB, 5120 bytes

MD5: 2fbbb986532413cb725dc67091d0d1f7 SHA1: a86490cb0128f890a259efaf3fc511d0bf517250 SHA256: F925059AF5AAA14493057D2CFD816F9A89BA636297E922F8745746DA16896261 File Size: 5.12 KB, 5120 bytes

MD5: 13a18b8233876048c4ba20e9cdb3feda SHA1: 903bb873f6ce42a78068c590f4a95a326cccb848 SHA256: 7DD0B5C59432F910B606EFE7859515A1C86446E4C653D6338EFD1656DCC6E736 File Size: 10.75 KB, 10752 bytes

MD5: 8d014a2bdfd8546dda3c451cd195ea18 SHA1: 4e3bc52d469133dbe176b636ce157803de3a5612 SHA256: 870E5259D0D4E716941090BC6BAD399A5BFE6635C9F16B5306CDD91DE8B45F80 File Size: 5.12 KB, 5120 bytes

MD5: 003d14c33aac7e8d53a262ec5b9862bc SHA1: 10248a0bd3aa989a72187969532f4597a9b6a572 SHA256: 9D6AF2C0572A2FC766FFD941899E158BED78097014F4F30B3D4F31DF3FE047A4 File Size: 9.22 KB, 9216 bytes

MD5: 7b92834667b865bf62fa8b19be3f1c07 SHA1: cc45c1438f4b0623ea3f8aafe18a8a56025058fc SHA256: B77F6998FB1022EC2BA4967344234135FF54DDA6BBF19A3D99DDF219A27C030D File Size: 5.12 KB, 5120 bytes

MD5: e7349050d70f0dd6adff8a6a40d696a8 SHA1: f31500906faa206ae17e6dddf98838ceaa0208bc SHA256: 03316A3074BD69CBD86E0327597983EFD14556A333F8AC6B2B07C0E0467CB1C3 File Size: 5.63 KB, 5632 bytes

MD5: 5128005f6b81dc7701efc43fd5ad36ff SHA1: 77746d3f2cadce1789c36e7b96c3d0f3fe94da95 SHA256: 2567935E2414DE4992C477EA63839A26CBBCBE30CBB41E9F0F8554CC8483EBB9 File Size: 9.22 KB, 9216 bytes

MD5: 4cb09be28078d31c76a812c8be753868 SHA1: efc0875aaccc19dea052d04b967eb87b4ff97984 SHA256: 789928E8083A7BF518CFD1AE79895B29AC6B9B32A6E6386124D3BB85835C167E File Size: 9.22 KB, 9216 bytes

MD5: 5de8d37bc7731857e8ab859ae5403046 SHA1: 7aba80caf0118e471b35983beb307cfd20e1a67c SHA256: 4EABE800B3D4142C041C2A1630987B886EED03B054DD18291A7DED016CB7328F File Size: 5.12 KB, 5120 bytes

MD5: 4d7a8b31621716a00193041d881c326f SHA1: 3b323e3986a92a1c1ab9faa9110af0923bab3a46 SHA256: 7C749D02D5A80E88F177B2560D9211C274364597880DE7ED3C690B55F06048FB File Size: 5.12 KB, 5120 bytes

MD5: 138832a930889de7e01cfb23b8834fee SHA1: a3431fdd2e0c1f14d7fc1f0dd34a991926de05b4 SHA256: B56CC909B21B28DBF8E8520AC86B2DB7A5688BBE0DECE5AF9B1A8F24D9E69B41 File Size: 5.12 KB, 5120 bytes

MD5: 050b97e8468e752a843be64a5c729a15 SHA1: c195e7831176d91170a5cc8ff716562d1fbecda5 SHA256: 62234585EB2026BF7A3EF785B2CF1BD0FE78CE637F2766A92E48589B04109FBF File Size: 7.68 KB, 7680 bytes

MD5: ebd1e206d1e731c8c14563fa53439420 SHA1: 8d033a9dba6cfc07039565052d136c0f6ec276ec SHA256: D4871A7E5AEABE70F48D7FEFFEEDD2F5EA20BE332111886B07E37EC36F5D9D05 File Size: 20.99 KB, 20992 bytes

MD5: a7e0862bb9477773a830e12e15a17f28 SHA1: 62fff1dc80536e96439aa3304f8e05644d1a12db SHA256: E75F202F8EC18ACD8D3D5887D9C690F7FA84F1FAD98858E1B5A2207BC064894A File Size: 5.12 KB, 5120 bytes

MD5: 99c492d81cba60cd11e6685be6fa1955 SHA1: ecc9c1b307e8cb244a50044c4e636e2e5148cebd SHA256: 69A5A52C3FC3F4EE6C7E1533E7E69297455A543A1B3646D3FE2D13637508F765 File Size: 6.66 KB, 6656 bytes

MD5: 2c010f0ab5817c9e88909f304e386709 SHA1: 135de057cd2d693225dc469089863841266722f4 SHA256: 3910AE9CA32BF3278457CA23B846F09D4D49A2D835B58E7A0C92DA838F43EBB1 File Size: 10.75 KB, 10752 bytes

MD5: 6181ef677df8b47777b331623ae79d21 SHA1: 8339ba0a7bce1fd3e40ef2e15674224424ec0820 SHA256: 24448FE142A0516827BF7AE878C2256C1194E4050EB54A9FB89CB3F66DF7B40A File Size: 5.63 KB, 5632 bytes

MD5: b934179f427f623d578c91125201e5dd SHA1: 275632cf46ec62defa874585e3da27b795f0d42d SHA256: 3421EA6E8AEA6593AF1850369879247F2FCF23205675860D04C157A8907E00C8 File Size: 1.49 MB, 1485824 bytes

MD5: d28b45693d398a042a4003d5b27fa739 SHA1: c9a1425d4a269a67e6eef73c2c647df949da76bf SHA256: 739E69D048DA6D3A84418F428F0C6E23C4A7995AAEB9C65C1706CA661A433436 File Size: 6.14 KB, 6144 bytes

MD5: 8e124f4b614c0eb676b6517f1d8b4308 SHA1: 99078e7bc18ae37c165a5037036eb06fb4cfbb64 SHA256: 19A042A541439CE6B12FFB970C4AD19698CA4361E86AB3865699BBC05D800AB4 File Size: 9.73 KB, 9728 bytes

MD5: 1292ad596449bd331d12f847afc3baf0 SHA1: e00710bcb344d276535e573ee866de5a51f623e4 SHA256: 4E144722467072A0BE5AECA66FA4A590FD77DB93921FCDF07AF00448F09EB4B1 File Size: 5.63 KB, 5632 bytes

MD5: 99c480da93d74eec959f62ef7aeb38d6 SHA1: 1e73d658c4f88406d3352cb5112ceeba081e3487 SHA256: EAE18F5BA61A1B212B1A45838612B965FECBF206C2AF1E852F7A619047FF99D2 File Size: 9.73 KB, 9728 bytes

MD5: 6ed295779981350e04be985348e46e42 SHA1: c0d66c72e769bb15b94bcd70db544f47ee490c7a SHA256: CC6991679BABFFAE06D25766B14540CC1CC2598BA512184BE136C79C8167697D File Size: 7.17 KB, 7168 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File is .NET application
• File is 32-bit executable
• File is 64-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Assembly Version	1.0.0.0
Company Name	HP HP Inc.
File Description	ConsoleApp1 GnbotsGameInstaller
File Version	1.0.0.0
Internal Name	ConsoleApp1.exe GnbotsGameInstaller.exe
Legal Copyright	Copyright © 2019 Copyright © 2020 Copyright © 2021 Copyright © 2022 Copyright © 2023 Copyright © 2024 Copyright © 2025 Copyright © HP 2024 Copyright © HP 2025 Copyright © HP Inc. 2018 Show More Copyright © HP Inc. 2023
Original Filename	ConsoleApp1.exe GnbotsGameInstaller.exe
Product Name	ConsoleApp1 GnbotsGameInstaller
Product Version	1.0.0.0

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
DESKTOP-QLR3C5D\MEBS	DESKTOP-QLR3C5D\MEBS	Self Signed

File Traits

• .NET
• Confuser
• Installer Version
• x64
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	2
Potentially Malicious Blocks:	0
Whitelisted Blocks:	0
Unknown Blocks:	2

Visual Map

? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Eorezo.EB
• MSIL.Agent.FSDA
• MSIL.AgentTesla.NA
• MSIL.Brute.GF
• MSIL.Bulz.RL

Show More

• MSIL.ClipBanker.RAG
• MSIL.Downloader.RRA
• MSIL.Heracles.RH
• MSIL.Inject.CCA
• MSIL.Injector.XT
• MSIL.Krypt.GDSC
• MSIL.Krypt.GDSF
• MSIL.Krypt.GDSG
• MSIL.Krypt.GHFC
• MSIL.Krypt.TDJ
• MSILZilla.HB
• Wacatac.AR

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\downloads\example.txt	Generic Write,Read Attributes
c:\users\user\downloads\test.zip	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask	￿	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask	￿	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey

Show More

HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask	￿	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask	￿	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Network Info Queried	GetAdaptersAddresses GetNetworkParams
Other Suspicious	AdjustTokenPrivileges
Network Winsock2	WSASend WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	bind closesocket freeaddrinfo getaddrinfo setsockopt
Network Winhttp	WinHttpOpen
Encryption Used	BCryptOpenAlgorithmProvider
Syscall Use	ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection Show More ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWriteFile UNKNOWN