Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

The Many Roads Leading To Agent Tesla

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.

During the past months, we have found a resurgence of this malware being distributed via spam, as a payload of other threats, and as attachments to the malspams themselves. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments whereas the third one distributes Agent Tesla directly in the malspams. The Agent Tesla samples we observed send the stolen information through SMTP and FTP.

Figure 1
Figure 1: The process flow of spam campaigns leading to Agent Tesla malware


1st CAMPAIGN: Through a PowerPoint Slide Show (PPSX) Loader

The malspams relating to the first campaign contain a PPSX attachment that exploits an old vulnerability - CVE-2017-0199 which allows attackers to perform remote code execution using Windows Object Linking and Embedding (OLE).

Figure 2
Figure 2: The malspam containing a PPSX attachment with CVE-2017-0199


The offending object inside the attachment AS_FedEx_AWB_00117980920AS.ppsx is slide1.xml.rels. It contains a script moniker that, when triggered, executes a PowerShell command.

Figure 3
Figure 3: The PowerShell command at object slide1.xml.rels


Once the PowerPoint file is opened, it initializes the script moniker and runs the encoded PowerShell script. Decoding the PowerShell script reveals that it downloads an executable hosted at discordapp[.]com,  saves it to the %appdata% folder as NPHBEK.exe, then executes it.

Figure 4
Figure 4: Decoded PowerShell command from Fig. 2


The downloaded file %appdata%/NPHBEK.exe is the Agent Tesla malware. It exfiltrates data via SMTP. The data includes the username, computer name, and other system information. In addition to that, stolen data will also be included in the email such as key captures, and stolen credentials.

Attacker’s email address: b*****@wezbrd.xyz
Password: Ma************di
SMTP server: smtp.privateemail.com

Figure 5
Figure 5: The system information sent to the attacker’s email address


2nd CAMPAIGN: Downloaded via a Compiled HTML (CHM) File

A Compiled HTML (CHM) Help file contains a collection of HTML pages with an index compressed into a binary format. This file format is mainly used for documentation and help guides. On rare occasions, this file format is also used by cybercriminals to distribute malware. This second spam campaign has a CHM file contained inside an archive attachment, paving the way to the distribution of Agent Tesla.

Figure 6
Figure 6: The malspam containing the CHM downloader and its display when launched


The CHM attachment 70127_YK90054_Consulta_del_cliente.chm has one HTML object. When the CHM file is executed, the HTML object d5sd00.htm will be loaded by the Microsoft Help Viewer (hh.exe). As the HTML Help window shown in Fig. 6 is displayed, the malicious behavior of the CHM attachment starts to manifest in the background.

Figure 7
Figure 7: The PowerShell command triggered when CHM is executed


The HTML d5sd00.htm contains a Javascript code that will deobfuscate then launch the PowerShell code also enclosed in the HTML file. The PowerShell then retrieves and processes the obfuscated data at hxxp://egen[.]com[.]tr/7F[.]jpg which is again PowerShell code.

Figure 8
Figure 8: The data obtained from the URL shown in Fig. 8 and its deobfuscated code


The second PowerShell code contains 2 binaries – the first is the waves.dll file which is obfuscated and the second is the GZip archive containing the Agent Tesla executable. When this second-stage PowerShell runs, the binary waves.dll will inject the Agent Tesla malware into MSBuild.exe.

In this Agent Tesla sample, the exfiltrated data will be delivered via FTP.

Figure 9
Figure 9: The decrypted Agent Tesla config on the MSBuild.exe memory dump


3rd CAMPAIGN: The “AstraZeneca” Agent Tesla

In the early days of the Coronavirus pandemic, we observed one of the malwares commonly distributed via this theme was Agent Tesla. Recently, we have seen another spam campaign taking advantage of the pandemic.

Figure 10
Figure 10: The malspam containing Agent Tesla and the file property of the executable attachment


Attached to the emails is a RAR or ZIP archive file containing an executable file. The executables we gathered from the malspams are .Net compiled around 700-900KB in size. Statically examining the executables, we noticed the file properties were associated with the company AstraZeneca, one of the Coronavirus vaccine makers.

Figure 11
Figure 11: The executable files obtained from the 3rd campaign


Using the tool DNSpy, we observed that the .Net files shown in Fig. 11 were compiled on the same day the malspams were distributed. As the executables have encrypted data in the next section, we used the tool MegaDumper to extract the objects wrapped in them. The extracted objects are .Net Agent Tesla malware of which some were compiled a month earlier.

Figure 12
Figure 12: The executable in Fig. 10 viewed in DNSpy
Figure 13
Figure 13: The objects dumped, using the MegaDumper tool, from the executable shown in Fig.10


Just like in the first campaign, the data stolen from the infected system will be exfiltrated via SMTP.

Figure 14
Figure 14: The code snippet of the SMTP process performed by Agent Tesla NQAkXoqEDGGPBNdSxedbVXswADUBFbJCdBUnmtC.exe shown in Fig. 13




AS_FedEx_AWB_00117980920AS.ppsx (31586 bytes)
SHA1: 02DA2F8F23D468EF2DB4919566A0B43BDABCD656

70127_YK90054_Consulta_del_cliente.chm (12117 bytes)
SHA1: 7CD8B837D6222CCD48F69211D9FB466A8A90A6EC

Download URLs:

hxxp://egen[.]com[.]tr/7F[.]jpg (879190 bytes)
SHA1: 3605BA5E2ED894A89AA64740774FBA6A822E978F

hxxps://cdn[.]discordapp[.]com/attachments/775445531627356172/793434227491733544/v4[.]exe (1969440 bytes)
SHA1: CD9A58B7B81D9469D495CB4600A55F9E3BAAC33D

Agent Tesla:

Quotation Query for supply of selected list items. Ukraine chamber of commerce.exe (818688 bytes)
SHA1: C30DCD540F949691F17B302BFDD862D86A1D93E5

Application letter.exe (832512 bytes)
Curriculum vitae.exe (832512 bytes)
SHA1: BCB01820699431CF926E297E1C6966527CFE6F32

RFQ.01.11.021.exe (830464 bytes)
SHA1: D4CB60FE478B83DA7D483813DD43B32CCA1812C6

Paymentcopy001#psf.exe (742912 byte)
SHA1: C46AB15FAB1E57C251CFB979454693601CBE035C