
Agent Tesla

Updated: Mar 23

Demystify Cyber analysed the payload from a malicious email campaign of 9 January 2022. The email carries an attachment called Purchase Order that installs malware called Agent Tesla on the system.


Agent Tesla is malware as a service delivered in malspam (malicious spam emails). Agent Tesla is a .NET-based remote access trojan used to steal credentials, keystrokes, clipboard data, and other information from the infected system. The malware sends the stolen data back to its command and control server. Agent Tesla was first discovered in 2014 and has had various iterations. It was very active last year with faked COVID mask offers. It is usually delivered in emails with malicious attachments, such as zip files.

The campaign analysed used faked purchase orders as bait.

Subject- Purchase Order

Sender address (various) – usually spoofed to appear as ‘Purchasing Department’

Body of email – ‘below is attached our new purchase order kindly please process’ (saw some variations of this but essentially along the same lines)

The samples Demystify Cyber analysed in this recent campaign use Telegram to communicate back to a C2.


Remind users not to open attachments from emails whose legitimacy they cannot verify

Use a reputable and up-to-date anti-virus and keep it enabled

Consider using access control/least privilege to prevent a user’s infected computer from spreading malware throughout the system

MITRE ATT&CK

1. Initial access

Malicious attachment in an email (purchase order(dot)exe)

2. Execution

T1047: Windows Management Instrumentation – queries BIOS and processor (could be trying to detect sandbox or VM)

  • WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

  • WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

3. Persistence

T1574.002: DLL Side-Loading – tries to load missing DLLs

  • Section loaded: xboxlivetitleid.dll

  • Section loaded: cdpsgshims.dll

  • Section loaded: wlanhlp.dll

T1547.001: Registry Run Keys / Startup Folder – creates an auto start reg key

  • Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VOGUEDAED

  • Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce VOGUEDAED

4. Privilege Escalation

T1055: Process Injection – allocates memory

  • Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

  • Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write

5. Evasion

T1562.001: Disable or Modify Tools – changes MS security settings

  • Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

T1140: Deobfuscate/Decode Files or Information – the .NET code calls cryptographic API functions

  • Cryptographic APIs: 'CreateDecryptor'

  • Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

T1564.002: Hidden Users – hides user accounts

  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0

6. Discovery

T1087: Account Discovery – queries the user name (code function 24_2_05F958F4 calls GetUserNameW)

T1083: File and Directory Discovery – enumerates all the files on the infected system

T1018: Remote System Discovery – reads the file C:\Windows\System32\drivers\etc\hosts

7. Collection and C2

T1114: Email Collection – tried to email out the data

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

T1102: Web Service – uses the API of Telegram

  • api.telegram[.]org
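As an added illustration that is not part of the original post, the following Python checks registry and DNS event lines for the persistence, evasion and C2 indicators listed in the mapping above. The pipe-delimited event format and the sample lines are constructed for the example (loosely modelled on Sysmon registry and DNS events); only the key, value and domain names come from the analysis.

```python
import re

# Constructed sample events in a simplified "EventID|Image|TargetObject|Details"
# form, loosely modelled on Sysmon registry (13) and DNS (22) events. They are
# not telemetry from the analysed sample; the key names come from the report.
SAMPLE_EVENTS = [
    r"13|C:\Users\bob\Downloads\purchase order.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VOGUEDAED|C:\Users\bob\AppData\Roaming\VOGUEDAED.exe",
    r"13|C:\Windows\System32\reg.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\3|DWORD (0x00000000)",
    r"13|C:\Users\bob\Downloads\purchase order.exe|HKLM\SOFTWARE\Microsoft\Security Center\cval|DWORD (0x00000000)",
    r"22|C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|api.telegram.org|QueryName",
    r"13|C:\Windows\explorer.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|DWORD (0x00000001)",
]

# (label, event id, pattern on TargetObject, optional pattern on Details)
RULES = [
    ("T1547.001 Run/RunOnce autostart value", 13,
     re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I), None),
    ("T1564.002 account hidden via SpecialAccounts\\UserList = 0", 13,
     re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\", re.I),
     re.compile(r"DWORD \(0x0+\)")),
    ("T1562.001 Security Center setting changed", 13,
     re.compile(r"\\Microsoft\\Security Center\\", re.I), None),
    ("T1102 DNS lookup of api.telegram.org", 22,
     re.compile(r"^api\.telegram\.org$", re.I), None),
]

def parse_event(line):
    """Split one pipe-delimited event line into its four fields."""
    event_id, image, target, details = line.split("|", 3)
    return {"id": int(event_id), "image": image, "target": target, "details": details}

def match_rules(event):
    """Return the labels of every rule the event satisfies (empty list if benign)."""
    hits = []
    for label, event_id, target_re, details_re in RULES:
        if event["id"] != event_id or not target_re.search(event["target"]):
            continue
        if details_re is not None and not details_re.search(event["details"]):
            continue
        hits.append(label)
    return hits

def scan(lines):
    """Return (label, image, target) for each indicator found across all lines."""
    findings = []
    for line in lines:
        event = parse_event(line)
        findings.extend((label, event["image"], event["target"]) for label in match_rules(event))
    return findings
```

The last sample line is an ordinary Explorer setting and produces no finding, while a lookup of the Telegram API from a .NET framework binary such as jsc.exe is flagged alongside the registry changes.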


Written by A. Turner

© A. Turner 2021 https://www.demystifycyber.com.au/

Provided for general information and education purposes
