Agent Tesla Malware — Threat Analysis Report (CyberDudeBivash Deep-Dive) By CyberDudeBivash

 



Powered by: cyberdudebivash.com | cyberbivash.blogspot.com


Executive Summary

Agent Tesla is a long-running, commodity .NET infostealer/keylogger sold via MaaS (Malware-as-a-Service). It remains popular because it’s cheap, easy to build, and flexible: operators toggle modules for credential theft, keylogging, clipboard/cookies theft, screenshots, USB spread, and exfiltration over SMTP/FTP/HTTP(S)/Telegram/Discord. Campaigns are typically malspam-driven (invoice/PO/shipping lures) and increasingly use containerized attachments (ZIP/ISO/IMG/LNK/OneNote/HTML smuggling) to bypass email filters.

This report delivers defender-only coverage: attack chain, TTPs, detections (Sigma/KQL/YARA), IoC patterns, and a controls playbook mapped to ATT&CK—plus a publication-ready block and hashtags for CyberBivash.


1) Threat Overview

  • Family: Agent Tesla (multiple “builder” lineages; cracked/repacked variants common)

  • Goal: Steal identities (browser passwords, email/FTP/VPN creds, crypto-wallet data), surveil (keylogs/screenshots), and exfiltrate to attacker-controlled relays.

  • Why defenders still see it: Persistent malspam ecosystems, builder GUIs, frequent re-obfuscation/packing, and SMTP exfil via compromised mailboxes (blends with normal traffic).


2) Capabilities (common modules)

  • Credential theft from Chromium/Gecko browsers, Outlook/Thunderbird, VPN/FTP clients, Wi-Fi profiles, mail clients, some password managers when unlocked.

  • Session & cookie theft (replaying a live session cookie inherits an MFA check the victim already passed, so MFA alone does not stop it).

  • Keylogger & clipboard grabber (captures typed creds, crypto addresses).

  • Screenshots / webcam (occasionally) at configurable intervals.

  • Anti-analysis: string encryption, junk code, packers (e.g., ConfuserEx derivatives), VM/DBG checks.

  • Persistence: Run/RunOnce keys, Scheduled Tasks, Startup folder, WMI event consumer (less common).

  • C2/exfil: SMTP (most frequent), FTP/HTTP(S) POST, Telegram/Discord webhooks, custom panels; optional proxy settings and TLS.


3) Delivery & Attack Chain (typical)

  1. Initial Access – Email/Malvertising

    • Lures: Invoices, purchase orders, RFQs, DHL/FedEx, shipping docs, remittances, “scanner/copier” PDFs.

    • Containers: ZIP (w/ EXE or script), ISO/IMG (mount → LNK + decoy), RAR/7z, OneNote (.one), XLL, HTML smuggling (JS builds payload client-side).

  2. Execution – LOLBins & Stagers

    • LNK → PowerShell/JScript; mshta/wscript/cscript; regsvr32; rundll32; Add-Type to load .NET assemblies; reflective load of packed Agent Tesla.

  3. Discovery & Collection

    • Enumerates installed browsers/mail/FTP/VPN clients; calls DPAPI (CryptUnprotectData) in the user's context to decrypt saved credentials and the browser's cookie/password key; copies the locked SQLite stores (Login Data, Cookies) before parsing; activates the keylogger/screenshot loop.

  4. Exfiltration

    • Sends “logs” (often ZIP) via SMTP (AUTH) using hard-coded creds (frequently stolen/throwaway), or uploads over FTP/HTTP(S); many samples use Telegram bots/Discord webhooks.

  5. Persistence & Cleanup

    • Adds autoruns; sets hidden attributes; may delete dropper; rotates exfil intervals to avoid throttling.


4) What to Hunt (high-value signals)

4.1 Host & Process clues

  • Office/PDF/archiver → scripting engine → network tool chains:

    • WINWORD.EXE / EXCEL.EXE / Acrobat.exe / 7zFM.exe → wscript.exe / mshta.exe / powershell.exe → (optionally a dropped EXE under AppData) → outbound SMTP/HTTP(S).

  • Abnormal access to browser artifacts:

    • …\AppData\Local\Google\Chrome\User Data\Default\Login Data

    • …\AppData\Local\Google\Chrome\User Data\Default\Cookies

    • Firefox profile logins.json, key4.db

  • Rapid screenshot bursts (temp PNG/JPG in %TEMP% then delete).

  • New autoruns (Run/RunOnce/Scheduled Tasks) referencing user-writable paths (AppData\Roaming).

4.2 Network/egress clues

  • SMTP (ports 25/465/587) from user endpoints straight to external mail providers, i.e. not via the sanctioned mail client or relay.

  • HTTP(S) POST to low-reputation VPS; multipart/form-data with logs.zip, keylogs.txt.

  • Telegram/Discord API from corporate endpoints (if not sanctioned).

  • Odd user-agent strings (statically coded, e.g., “Mozilla/5.0 AgentTesla …”).

4.3 Email gateway clues

  • Attachment mashups: INV####.zip → INV####.iso → INV####.lnk → powershell -enc … (each layer hides the next from the filter that inspected the previous one).

  • HTML attachments containing large JS blobs (smuggling).

  • Content referring to shipping terms, SWIFT, TT payment, remittance copy, PI/PO.
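
The host and egress clues above are easiest to act on when they are correlated rather than alerted on separately. The following is an added example for this report (not the author's tooling): it walks Sysmon-style process and network events, flags an Office/PDF/archiver parent spawning a script host, and then flags direct SMTP egress from any non-mail-client process whose ancestry contains such a chain. The event dictionaries are an assumed, simplified shape loosely modelled on Sysmon EID 1 (pid, ppid, image, cmdline) and EID 3 (pid, image, dst_ip, dst_port); the sample events are constructed.

```python
"""Correlate Sysmon-style process-creation and network events to flag the
Office/archiver -> script host -> direct SMTP chain. Added example; event
shape is an assumption, sample events are constructed."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrobat.exe",
                  "acrord32.exe", "7zfm.exe", "winrar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "regsvr32.exe", "rundll32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # sanctioned direct-SMTP senders
SMTP_PORTS = {25, 465, 587}


def exe_name(image_path):
    """Lower-cased file name of an image path, tolerant of / and \\ separators."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(tree, pid, max_depth=8):
    """Walk pid -> parent -> ... and return exe names, root first.
    Stops at an unknown parent, a pid cycle, or max_depth (guards against pid reuse)."""
    names, seen = [], set()
    while pid in tree and pid not in seen and len(names) < max_depth:
        seen.add(pid)
        names.append(exe_name(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return list(reversed(names))


def find_suspicious_chains(proc_events, net_events):
    """Findings for (1) Office/archiver spawning a script host and
    (2) SMTP egress by a non-mail client whose lineage contains such a process."""
    tree = {e["pid"]: e for e in proc_events}
    findings = []

    for ev in proc_events:
        parent = tree.get(ev["ppid"])
        if (parent and exe_name(ev["image"]) in SCRIPT_HOSTS
                and exe_name(parent["image"]) in OFFICE_PARENTS):
            findings.append({"rule": "office_spawns_script", "pid": ev["pid"],
                             "parent": exe_name(parent["image"]),
                             "image": exe_name(ev["image"]),
                             "cmdline": ev.get("cmdline", "")})

    for n in net_events:
        if n["dst_port"] not in SMTP_PORTS or exe_name(n["image"]) in MAIL_CLIENTS:
            continue
        chain = ancestry(tree, n["pid"])
        # Direct SMTP from an endpoint is already odd; a script host or Office
        # app in the lineage is the Agent Tesla-shaped version of it.
        if any(name in SCRIPT_HOSTS or name in OFFICE_PARENTS for name in chain):
            findings.append({"rule": "smtp_from_script_chain", "pid": n["pid"],
                             "dst": f"{n['dst_ip']}:{n['dst_port']}",
                             "chain": " -> ".join(chain)})
    return findings


# Constructed sample telemetry: a malspam chain next to a legitimate Outlook send.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n INV2031.docx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\inv.js"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\Microsoft\svchosts.exe",
     "cmdline": "svchosts.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
]
SAMPLE_NETWORK_EVENTS = [
    {"pid": 400, "image": r"C:\Users\u\AppData\Roaming\Microsoft\svchosts.exe",
     "dst_ip": "203.0.113.10", "dst_port": 587},   # stealer log via SMTP AUTH
    {"pid": 500, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.20", "dst_port": 587},   # sanctioned mail client, ignored
    {"pid": 400, "image": r"C:\Users\u\AppData\Roaming\Microsoft\svchosts.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},   # not an SMTP port, ignored here
]

if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f)
```

The lineage walk is what turns two medium-confidence signals (Office spawned a script; something spoke SMTP) into one high-confidence one; run it over a 30-minute window per host so the dropped EXE's later connection still links back to the Office parent.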


5) MITRE ATT&CK Mapping (representative)

  • Initial Access: T1566.001 Phishing: Spearphishing Attachment; T1189 Drive-by Compromise (malvertising)

  • Execution: T1204.002 User Execution: Malicious File; T1059.001/.005/.007 Command and Scripting Interpreter (PowerShell/VBScript/JScript); T1218.005/.010/.011 System Binary Proxy Execution (mshta/regsvr32/rundll32)

  • Persistence: T1547.001 Registry Run Keys / Startup Folder (T1060 in older matrices); T1053.005 Scheduled Task; T1546.003 WMI Event Subscription (less common)

  • Credential Access: T1555.003 Credentials from Web Browsers; T1056.001 Input Capture: Keylogging (not T1040, which is Network Sniffing); T1552.001 Credentials in Files (mail/FTP/VPN client configs); T1003 OS Credential Dumping (occasionally, not typical for this family)

  • Collection: T1113 Screen Capture; T1115 Clipboard Data; T1119 Automated Collection; T1560 Archive Collected Data (logs.zip)

  • Exfiltration: T1041 Exfiltration Over C2 Channel; T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (plain SMTP/FTP); T1567 Exfiltration Over Web Service (Telegram/Discord); T1071.001/.002/.003 Application Layer Protocol (HTTP/FTP/SMTP)

  • Defense Evasion: T1027 Obfuscated Files or Information; T1027.002 Software Packing; T1497 Virtualization/Sandbox Evasion; T1622 Debugger Evasion; T1070.004 Indicator Removal: File Deletion (dropper cleanup)


6) IoC Patterns (safe exemplars)

Exact domains rotate quickly; treat these as patterns and feed current intel from your sources.

Filenames / Paths

  • %TEMP%\logs.zip, %TEMP%\keylogs.txt, %APPDATA%\Microsoft\<random>\*.exe

  • LNK displays doc icon but runs: powershell.exe -ExecutionPolicy Bypass -enc <base64>

Registry / Tasks

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random> → AppData EXE

  • Task names mimicking drivers/services (e.g., “Windows System Host”, “Office Update Helper”)

SMTP Traits

  • AUTH to free mail providers; subjects like “Keylogger report from %USERNAME%”, “Daily Logs”; attachment ZIP with host/user in name.

Network

  • Telegram api.telegram.org/bot<token>/sendDocument

  • Discord https://discord.com/api/webhooks/...

  • HTTP POST multipart to /gate.php, /panel/upload.php
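
The patterns in this section are the kind of thing an analyst pastes into a ticket, which is exactly where a live Telegram bot token or Discord webhook token should not end up. The following added example (not the author's tooling) encodes the IoC patterns above as regexes, triages a mixed bag of URLs, autorun entries and mail subjects, and redacts bot/webhook tokens in the output. The hint keyword list for SMTP subjects and the user-writable path list are assumptions to extend; the sample artefacts, including the tokens, are constructed.

```python
"""Triage artefacts against the Agent Tesla IoC patterns (Telegram sendDocument,
Discord webhooks, /gate.php and /panel/upload.php, Run-key autoruns into
user-writable paths, stealer-log mail subjects) and redact tokens.
Added example; sample artefacts are constructed."""
import re

TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>send\w+)", re.I)
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)", re.I)
PANEL_POST = re.compile(r"/(?:gate\.php|panel/upload\.php)(?:\?|$)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Assumed list of user-writable locations an autorun should not normally point at.
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Roaming|Local\\Temp)\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\Users\\Public\\|\\ProgramData\\", re.I)
# Assumed subject hints; the report's examples are "Keylogger report from ..." and "Daily Logs".
SUBJECT_HINTS = re.compile(r"keylog|daily logs|screenshot|passwords? (?:report|recovered)|cookies|clipboard", re.I)


def classify_url(url):
    """Return a finding with the secret part redacted, or None for an unremarkable URL."""
    m = TELEGRAM_BOT.search(url)
    if m:
        return {"kind": "telegram_bot", "method": m.group("method"),
                "redacted": url.replace(m.group("token"), "<REDACTED>")}
    m = DISCORD_WEBHOOK.search(url)
    if m:
        return {"kind": "discord_webhook", "method": None,
                "redacted": url.replace(m.group("token"), "<REDACTED>")}
    if PANEL_POST.search(url):
        return {"kind": "panel_post", "method": None, "redacted": url}
    return None


def classify_autorun(key_path, value_data):
    """Flag Run/RunOnce values whose target lives in a user-writable directory."""
    if RUN_KEY.search(key_path) and USER_WRITABLE.search(value_data):
        return {"kind": "autorun_user_writable", "key": key_path, "target": value_data}
    return None


def classify_smtp_subject(subject):
    """Flag mail subjects that look like stealer log deliveries."""
    m = SUBJECT_HINTS.search(subject)
    return {"kind": "stealer_log_subject", "hint": m.group(0).lower(), "subject": subject} if m else None


def triage(artefacts):
    """artefacts: (kind, *fields) tuples; returns only the matches, in input order."""
    handlers = {"url": classify_url, "autorun": classify_autorun,
                "smtp_subject": classify_smtp_subject}
    results = []
    for kind, *fields in artefacts:
        hit = handlers[kind](*fields)
        if hit:
            results.append(hit)
    return results


# Constructed artefacts; the tokens below are fake.
SAMPLE_ARTEFACTS = [
    ("url", "https://api.telegram.org/bot123456789:AAHfakeTOKENexample_xyz/sendDocument"),
    ("url", "https://discord.com/api/webhooks/1122334455/abcDEF_ghi-JKL"),
    ("url", "http://203.0.113.45/panel/upload.php"),
    ("url", "https://www.microsoft.com/en-us/"),
    ("autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdt",
     r"C:\Users\u\AppData\Roaming\Microsoft\svchosts.exe"),
    ("autorun", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("smtp_subject", "Keylogger report from DESKTOP-1A2B3C/u"),
    ("smtp_subject", "Re: PO 44812 delivery date"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ARTEFACTS):
        print(hit)
```

Redacting at classification time, rather than in the ticketing system, means the full token only ever exists in the raw telemetry; if you do need it (to request a takedown from Telegram or Discord), pull it from the source event under that process, not from the alert.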


7) Detections (drop-in starters)

7.1 Sigma (process chain)

title: Office/Archive Spawns Scripting Host
status: experimental
description: Office app, PDF reader or archive manager spawning a script host, the first hop of the Agent Tesla malspam chain. Correlate hits with outbound SMTP/HTTP(S) from the child or its descendants; this rule alone sees no network activity.
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
            - '\Acrobat.exe'
            - '\AcroRd32.exe'
            - '\7zFM.exe'
            - '\WinRAR.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Line-of-business macros or add-ins that launch scripts; baseline them per business unit
level: high

Using the generic process_creation logsource (instead of hard-coding Sysmon EventID 1) lets sigma-cli compile the same rule for Sysmon, Windows Security 4688 and EDR backends.

7.2 Sigma (browser DB access by scripts)

title: Script Host Stages a Copy of Browser Secret Stores
status: experimental
description: A script host writes a file whose name matches a browser credential or cookie store. Stealers copy the locked SQLite databases before parsing them.
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\python.exe'
        TargetFilename|contains:
            - '\Login Data'
            - '\Cookies'
            - '\Web Data'
            - '\logins.json'
            - '\key4.db'
    condition: selection
level: high

Caveat: file_event maps to Sysmon EventID 11, which records file creation only; Sysmon does not see a process reading the original Login Data or key4.db. This rule therefore catches the staged copy when it keeps the original name. To catch reads, put a SACL on the browser profile directories and alert on Security 4663 (Sigma category file_access), or use EDR file-read telemetry, and in both cases alert on any process other than the browser itself touching those paths.

7.3 KQL (SMTP from endpoints)

// Microsoft Defender XDR advanced hunting
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed")
| where RemotePort in (25, 465, 587)
| where InitiatingProcessFileName !in~ ("outlook.exe", "thunderbird.exe")
| summarize Connections = count(), Targets = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl, bin(Timestamp, 30m)
| where Connections > 5

Keep ConnectionFailed in scope: a stealer retrying SMTP against an egress block is as informative as one that succeeds. The !in~ operator is case-insensitive, so OUTLOOK.EXE is excluded as intended; drop the count threshold for subnets that should never speak SMTP directly, since one connection carrying logs.zip is already a confirmed loss.

7.4 YARA (very generic, strings are placeholders—tune per feed)

rule AgentTesla_Generic_Heuristic
{
    meta:
        author = "CyberDudeBivash"
        description = "Generic heuristics for Agent Tesla-style .NET stealers; pair with a TI feed, expect FPs on legitimate mail-sending .NET apps"
    strings:
        $s1 = "System.Net.Mail.SmtpClient" ascii wide
        $s2 = "KEYLOGS" ascii wide
        $s3 = "Cookies" ascii wide
        $s4 = /discord(app)?\.com\/api\/webhooks|api\.telegram\.org\/bot/ nocase ascii wide
        $net = "#Strings" ascii    // .NET metadata stream name; limits the rule to managed PEs
    condition:
        uint16(0) == 0x5A4D and $net and 2 of ($s*)
}

Tune these with your TI feed; prefer behavior detections over brittle hashes.


8) Incident Response Playbook (Agent Tesla suspected)

  1. Isolate host (network quarantine).

  2. Preserve evidence (RAM + disk; collect autoruns, tasks, prefetch, browser DBs).

  3. Hunt organization-wide for the email lure, attachment hashes, and SMTP egress patterns.

  4. Invalidate sessions (SaaS/SSO), rotate credentials (email/FTP/VPN/cloud), and revoke OAuth tokens.

  5. Eradicate persistence; reimage when feasible.

  6. Block current C2/SMTP accounts, Telegram/Discord webhooks; submit to filtering vendors.

  7. Lessons learned: gate risky attachments, strengthen ASR, add detections, run a tabletop.


9) Control Stack That Actually Works

Email & Web

  • Block dangerous attachment types (EXE, JS/JSE, VBS/VBE, CHM, SCR, MSI, ISO/IMG, LNK, XLL, HTA, shortcut inside archives).

  • Detonate attachments in sandbox; flatten Office/PDF.

  • DMARC p=reject, brand impersonation detection, URL isolation for finance/execs.

  • Detect HTML smuggling (download triggered by in-page JS).

Endpoint (Windows)

  • ASR rules: block Office from creating child processes, block executable content from email/web clients, block credential stealing via LSASS, block abuse of WMI/PSExec.

  • EDR/XDR with script-control & tamper protection; application allow-listing for high-risk roles.

  • Disable Office macros from the internet; enable Protected View/Attack Surface Reduction.

Identity

  • Password manager policy (no browser save), FIDO2/WebAuthn for admins/finance, Conditional Access & token-binding/DPoP where supported.

  • Short TTLs for sessions; step-up on risk; continuous access evaluation.

Network & Cloud

  • Egress allow-lists; block SMTP/Telegram/Discord from user subnets.

  • TLS inspection for outbound POST with archive signatures; DLP for high-entropy archives.

  • For cloud-hosted mail: monitor abnormal SMTP AUTH from end-user IPs.


10) KPIs & Metrics

  • >95% coverage of ASR rules on Windows endpoints.

  • 0 direct SMTP from user subnets (except sanctioned mail clients).

  • 100% phishing-resistant MFA for admin/finance; 0 legacy protocols.

  • <4h time-to-invalidate sessions for impacted users (measured in drills).

  • Quarterly attachment-type audit; monthly sandbox efficacy test.


11) CyberBivash Publishing Block 

Title: Agent Tesla Malware Threat Analysis: How Commodity Infostealers Still Win
Meta Description (≤160 chars): Deep dive on Agent Tesla: delivery lures, credential theft, SMTP/HTTP exfil, detections, and a control stack that actually stops it.
Slug: /agent-tesla-malware-threat-analysis-credential-theft
Excerpt: Agent Tesla remains a top infostealer because it’s cheap, flexible, and email-driven. This CyberDudeBivash report maps the attack chain, shows what to hunt (Office→script→SMTP), and provides drop-in Sigma/KQL/YARA plus a hardened control set (ASR, sandboxing, egress allow-lists, MFA).


#AgentTesla #Infostealer #Keylogger #SMTPExfil #HTMLSmuggling #ASR #EDR #EmailSecurity #ThreatIntel #CyberDudeBivash

Affiliate-Ready CTAs (swap in your links):

  • 1Password Business — rapid credential rotation & vault policies

  • Malwarebytes / Bitdefender EDR — behavior detections for stealers & RATs

  • Cloudflare Zero Trust — block Telegram/Discord/SMTP egress from endpoints

  • NordVPN/Proton (Teams) — isolate admin planes & remote access
