Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Many Roads Leading To Agent Tesla

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.

During the past months, we have found a resurgence of this malware being distributed via spam, as a payload of other threats, and as attachments to the malspams themselves. In this blog, we present three recent, yet quite different, spam campaigns leading to this threat. The first two campaigns deliver Agent Tesla via interesting downloader attachments whereas the third one distributes Agent Tesla directly in the malspams. The Agent Tesla samples we observed send the stolen information through SMTP and FTP.


Figure 1
Figure 1: The process flow of spam campaigns leading to Agent Tesla malware



1st CAMPAIGN: Through a PowerPoint Slide Show (PPSX) Loader

The malspams relating to the first campaign contain a PPSX attachment that exploits an old vulnerability - CVE-2017-0199 which allows attackers to perform remote code execution using Windows Object Linking and Embedding (OLE).


Figure 2
Figure 2: The malspam containing a PPSX attachment with CVE-2017-0199


The offending object inside the attachment AS_FedEx_AWB_00117980920AS.ppsx is slide1.xml.rels. It contains a script moniker that, when triggered, executes a PowerShell command.


Figure 3
Figure 3: The PowerShell command at object slide1.xml.rels


Once the PowerPoint file is opened, it initializes the script moniker and runs the encoded PowerShell script. Decoding the PowerShell script reveals that it downloads an executable hosted at discordapp[.]com,  saves it to the %appdata% folder as NPHBEK.exe, then executes it.

The downloaded file %appdata%/NPHBEK.exe is the Agent Tesla malware. It exfiltrates data via SMTP. The data includes the username, computer name, and other system information. In addition to that, stolen data will also be included in the email such as key captures, and stolen credentials.


Attacker’s email address: b*****
Password: Ma************di
SMTP server:


Figure 5
Figure 5: The system information sent to the attacker’s email address



2nd CAMPAIGN: Downloaded via a Compiled HTML (CHM) File

A Compiled HTML (CHM) Help file contains a collection of HTML pages with an index compressed into a binary format. This file format is mainly used for documentation and help guides. On rare occasions, this file format is also used by cybercriminals to distribute malware. This second spam campaign has a CHM file contained inside an archive attachment, paving the way to the distribution of Agent Tesla.


Figure 6
Figure 6: The malspam containing the CHM downloader and its display when launched


The CHM attachment 70127_YK90054_Consulta_del_cliente.chm has one HTML object. When the CHM file is executed, the HTML object d5sd00.htm will be loaded by the Microsoft Help Viewer (hh.exe). As the HTML Help window shown in Fig. 6 is displayed, the malicious behavior of the CHM attachment starts to manifest in the background.


Figure 7
Figure 7: The PowerShell command triggered when CHM is executed


The HTML d5sd00.htm contains a Javascript code that will deobfuscate then launch the PowerShell code also enclosed in the HTML file. The PowerShell then retrieves and processes the obfuscated data at hxxp://egen[.]com[.]tr/7F[.]jpg which is again PowerShell code.


Figure 8
Figure 8: The data obtained from the URL shown in Fig. 8 and its deobfuscated code


The second PowerShell code contains 2 binaries – the first is the waves.dll file which is obfuscated and the second is the GZip archive containing the Agent Tesla executable. When this second-stage PowerShell runs, the binary waves.dll will inject the Agent Tesla malware into MSBuild.exe.

In this Agent Tesla sample, the exfiltrated data will be delivered via FTP.


Figure 9
Figure 9: The decrypted Agent Tesla config on the MSBuild.exe memory dump



3rd CAMPAIGN: The “AstraZeneca” Agent Tesla

In the early days of the Coronavirus pandemic, we observed one of the malwares commonly distributed via this theme was Agent Tesla. Recently, we have seen another spam campaign taking advantage of the pandemic.


Figure 10
Figure 10: The malspam containing Agent Tesla and the file property of the executable attachment


Attached to the emails is a RAR or ZIP archive file containing an executable file. The executables we gathered from the malspams are .Net compiled around 700-900KB in size. Statically examining the executables, we noticed the file properties were associated with the company AstraZeneca, one of the Coronavirus vaccine makers.

Using the tool DNSpy, we observed that the .Net files shown in Fig. 11 were compiled on the same day the malspams were distributed. As the executables have encrypted data in the next section, we used the tool MegaDumper to extract the objects wrapped in them. The extracted objects are .Net Agent Tesla malware of which some were compiled a month earlier.


Figure 12
Figure 12: The executable in Fig. 10 viewed in DNSpy
Figure 13
Figure 13: The objects dumped, using the MegaDumper tool, from the executable shown in Fig.10


Just like in the first campaign, the data stolen from the infected system will be exfiltrated via SMTP.


Figure 14
Figure 14: The code snippet of the SMTP process performed by Agent Tesla NQAkXoqEDGGPBNdSxedbVXswADUBFbJCdBUnmtC.exe shown in Fig. 13




AS_FedEx_AWB_00117980920AS.ppsx (31586 bytes)
SHA1: 02DA2F8F23D468EF2DB4919566A0B43BDABCD656

70127_YK90054_Consulta_del_cliente.chm (12117 bytes)
SHA1: 7CD8B837D6222CCD48F69211D9FB466A8A90A6EC

Download URLs:

hxxp://egen[.]com[.]tr/7F[.]jpg (879190 bytes)
SHA1: 3605BA5E2ED894A89AA64740774FBA6A822E978F

hxxps://cdn[.]discordapp[.]com/attachments/775445531627356172/793434227491733544/v4[.]exe (1969440 bytes)
SHA1: CD9A58B7B81D9469D495CB4600A55F9E3BAAC33D

Agent Tesla:

Quotation Query for supply of selected list items. Ukraine chamber of commerce.exe (818688 bytes)
SHA1: C30DCD540F949691F17B302BFDD862D86A1D93E5

Application letter.exe (832512 bytes)
Curriculum vitae.exe (832512 bytes)
SHA1: BCB01820699431CF926E297E1C6966527CFE6F32

RFQ.01.11.021.exe (830464 bytes)
SHA1: D4CB60FE478B83DA7D483813DD43B32CCA1812C6

Paymentcopy001#psf.exe (742912 byte)
SHA1: C46AB15FAB1E57C251CFB979454693601CBE035C


Latest SpiderLabs Blogs

Trustwave SpiderLabs Report: LockBit 3.0 Ransomware Vs. the Manufacturing Sector

As the manufacturing sector continues its digital transformation, Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are becoming...

Read More

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground...

Read More

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More