Agent Tesla Malware Analysis: Inside the .NET RAT’s Data Theft Capabilities
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Agent Tesla is a .NET-based remote access trojan offered through a malware-as-a-service model and aimed at Windows systems. It is designed to steal credentials, browser-stored information, and user communications through capabilities such as keylogging and screenshot capture. The malware supports several exfiltration channels, including SMTP, FTP, and HTTP traffic routed through the Tor network.
Investigation
The article explains how Agent Tesla operates from initial spear-phishing delivery through persistence and eventual data theft. It highlights use of the SetWindowsHookEx API for keylogging and describes the malware’s focus on browser data and email client storage locations. The analysis also shows how the malware uses the Tor browser to help conceal exfiltration traffic.
Mitigation
Organizations should deploy strong email security controls to block malicious attachments such as .chm files and macro-enabled documents. Monitoring for unauthorized registry changes in Run keys and Winlogon\Shell values is also important. In addition, blocking known exfiltration methods and watching for unusual Tor-related network activity can help reduce the impact of compromise.
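The registry monitoring described above, written out as an added example (this is not code from the original write-up): it classifies Sysmon-style registry value-set events, flagging any write beneath the CurrentVersion\Run keys and any Winlogon\Shell value whose content is not exactly explorer.exe. The event records, the user SID and the file paths are constructed for illustration.

```python
import re

# Constructed Sysmon-style registry "value set" events (Event ID 13); not real telemetry.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Run key pointing at a dropped binary in a writable temp directory
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\AgentTeslaPersistence",
     "Details": r"C:\Windows\Temp\agent_tesla_sim.exe"},
    # Per-user Winlogon Shell with a second executable appended after explorer.exe
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Windows\Temp\agent_tesla_sim.exe"},
    # Benign: the machine-wide Shell value rewritten with its default content
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    # Common, lower-severity Run entry for a user-installed application
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # Unrelated registry write that must not alert
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
WINLOGON_SHELL = re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
# Writable staging locations a dropped payload is typically launched from
STAGING_DIRS = re.compile(r"\\(Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def classify_registry_event(event):
    """Return (rule, severity) for an autostart (ASEP) write, or None if the event is not one."""
    target, value = event["TargetObject"], event["Details"]
    if WINLOGON_SHELL.search(target):
        # The only legitimate content of Shell is exactly "explorer.exe"; anything more hijacks the shell
        if value.strip().lower() == "explorer.exe":
            return None
        return ("winlogon_shell_modification", "high")
    if RUN_KEY.search(target):
        severity = "high" if STAGING_DIRS.search(value) else "medium"
        return ("run_key_persistence", severity)
    return None


def scan(events):
    """Classify every event and return the alerts as (rule, severity, value name)."""
    alerts = []
    for event in events:
        hit = classify_registry_event(event)
        if hit:
            alerts.append((hit[0], hit[1], event["TargetObject"].rsplit("\\", 1)[-1]))
    return alerts
```

Running scan(SAMPLE_EVENTS) yields three alerts: the Run key write and the Shell hijack at high severity, the OneDrive entry at medium, and nothing for the two benign events.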
Response
If Agent Tesla is detected, isolate the affected Windows host immediately to stop further exfiltration. Perform forensic analysis to identify the original infection source, such as a phishing email or weaponized attachment. Review registry locations and startup folders for persistence mechanisms, and remove temporary files or artifacts associated with the malware.
graph TB
%% Class Definitions Section
classDef technique fill:#99ccff
%% Blue color for MITRE Techniques
classDef malware fill:#ff9999
%% Red color for Malware
classDef file fill:#cccccc
%% Grey color for Files and Artifacts
classDef action fill:#ccffcc
%% Green color for Actions/Processes
%% Initial Access Phase
action_phishing["<b>Technique</b> – <b class='technique'>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Emails containing malicious attachments<br/>such as .gz, .chm, or macro-enabled Word docs."]
class action_phishing action
file_payloads["<b class='file'>Malicious Attachments</b><br/><b>Types</b>: .gz archives, .chm files, or Word documents<br/>containing macros."]
class file_payloads file
action_phishing -->|delivers| file_payloads
%% Execution and Loading Phase
technique_obfuscation["<b class='technique'>T1027.009 Obfuscated Files or Information: Embedded Payloads</b><br/><b>Description</b>: Obfuscated scripts used to download<br/>additional payloads."]
class technique_obfuscation technique
malware_agent_tesla["<b class='malware'>Malware</b> – <b class='malware'>Agent Tesla</b><br/><b>Description</b>: .NET-based information stealer<br/>loaded directly into system memory."]
class malware_agent_tesla malware
technique_reflective["<b class='technique'>T1620 Reflective Code Loading</b><br/><b>Description</b>: Loading the final payload<br/>directly into system memory to avoid disk detection."]
class technique_reflective technique
file_payloads -->|triggers| technique_obfuscation
technique_obfuscation -->|loads_via| technique_reflective
technique_reflective -->|instantiates| malware_agent_tesla
%% Reconnaissance Phase
technique_sysinfo["<b class='technique'>T1082 System Information Discovery</b><br/><b>Description</b>: Collecting username, computer name,<br/>and OS version."]
class technique_sysinfo technique
technique_hostinfo["<b class='technique'>T1592 Gather Victim Host Information</b><br/><b>Description</b>: Collecting specific data regarding<br/>the victim host."]
class technique_hostinfo technique
malware_agent_tesla -->|performs| technique_sysinfo
malware_agent_tesla -->|performs| technique_hostinfo
%% Persistence Phase
technique_registry["<b class='technique'>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/><b>Description</b>: Modifying Windows Run registry keys,<br/>Winlogon Shell, and dropping binaries in Startup folder."]
class technique_registry technique
file_startup_bin["<b class='file'>Persistence Binary</b><br/><b>Location</b>: Dropped into the Startup folder."]
class file_startup_bin file
malware_agent_tesla -->|establishes| technique_registry
technique_registry -->|drops| file_startup_bin
%% Collection and Credential Access Phase
technique_keylogging["<b class='technique'>T1056.001 Input Capture: Keylogging</b><br/><b>Description</b>: Using SetWindowsHookEx API to log keystrokes."]
class technique_keylogging technique
file_log["<b class='file'>Log File</b><br/><b>Path</b>: %temp%\log.tmp"]
class file_log file
technique_cookies["<b class='technique'>T1539 Steal Web Session Cookie</b><br/><b>Description</b>: Parsing SQLite databases in browsers<br/>(Chrome, Firefox, Edge) to extract cookies."]
class technique_cookies technique
technique_forge["<b class='technique'>T1606.001 Forge Web Credentials: Web Cookies</b><br/><b>Description</b>: Extracting passwords and session data."]
class technique_forge technique
technique_account_disc["<b class='technique'>T1087 Account Discovery</b><br/><b>Description</b>: Extracting details from email clients<br/>(Outlook, Thunderbird) and FTP tools (FileZilla)."]
class technique_account_disc technique
malware_agent_tesla -->|executes| technique_keylogging
technique_keylogging -->|writes_to| file_log
malware_agent_tesla -->|targets| technique_cookies
malware_agent_tesla -->|targets| technique_forge
malware_agent_tesla -->|performs| technique_account_disc
%% Exfiltration Phase
technique_exfil_alt["<b class='technique'>T1048 Exfiltration Over Alternative Protocol</b><br/><b>Description</b>: Sending stolen data via SMTP, FTP, or HTTP."]
class technique_exfil_alt technique
technique_auto_exfil["<b class='technique'>T1020 Automated Exfiltration</b><br/><b>Description</b>: Using Tor to anonymize network traffic."]
class technique_auto_exfil technique
file_tor["<b class='file'>Tor Browser</b><br/><b>Location</b>: %appdata%\tor.zip"]
class file_tor file
malware_agent_tesla -->|exfiltrates_via| technique_exfil_alt
malware_agent_tesla -->|utilizes| technique_auto_exfil
technique_auto_exfil -->|downloads| file_tor
Attack Flow
Detections
Suspicious Binary / Scripts in Autostart Location (via file_event)
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
Agent Tesla Keylogging and Persistence Detection [Windows Process Creation]
Agent Tesla Persistence via Run Key and Winlogon Shell Modification [Windows Registry Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has gained initial access and seeks to establish persistence to maintain access to the victim's machine. To simulate Agent Tesla, the attacker performs two distinct actions:
  - They modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to execute a malicious payload every time the user logs in.
  - They attempt a more aggressive technique by modifying the Winlogon\Shell registry value, replacing the standard explorer.exe with a malicious executable to hijack the entire user shell environment.
  These actions are chosen to test the detection's ability to catch both standard and high-impact registry persistence.
- Regression Test Script:
# Simulation script for Agent Tesla persistence TTPs
$maliciousPath = "C:\Windows\Temp\agent_tesla_sim.exe"
Write-Host "[*] Creating dummy payload at $maliciousPath"
# Empty placeholder file; it is never executed and only gives the registry values a target to point at
New-Item -Path $maliciousPath -ItemType File -Force

Write-Host "[*] Simulating T1547.001: Modifying Run Key"
$runKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
New-ItemProperty -Path $runKey -Name "AgentTeslaPersistence" -Value $maliciousPath -PropertyType String -Force

Write-Host "[*] Simulating T1547.014: Modifying Winlogon Shell"
$winlogonKey = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# explorer.exe stays first in the list so the normal shell still loads alongside the simulated payload
New-ItemProperty -Path $winlogonKey -Name "Shell" -Value "explorer.exe, $maliciousPath" -PropertyType String -Force
Write-Host "[+] Simulation complete. Check SIEM for alerts."
- Cleanup Commands:
# Cleanup script to remove the simulated persistence entries and the dummy file
Write-Host "[*] Cleaning up registry keys..."
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "AgentTeslaPersistence" -ErrorAction SilentlyContinue
# Deleting the per-user Shell value restores the default shell defined under HKLM (explorer.exe)
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -ErrorAction SilentlyContinue
Write-Host "[*] Deleting dummy payload..."
Remove-Item -Path "C:\Windows\Temp\agent_tesla_sim.exe" -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete."