Agent Tesla - How Does It Work in 2022?

Agent Tesla is able to track and collect keystrokes, take screenshots, and obtain credentials used in various system applications.


GRIDINSOFT TEAM

Agent Tesla is malicious software (hereinafter, malware) that combines a keylogger, an information stealer and a fully featured remote access trojan (RAT). It is built for the Microsoft .NET platform (C#, Visual Basic .NET, C++/CLI and the other languages that compile to the .NET runtime). Current versions track and collect keystrokes, take screenshots and retrieve credentials stored by various applications (e.g. Google Chrome, Mozilla Firefox, Microsoft Outlook, IceDragon, FileZilla, etc.). Agent Tesla first appeared in 2014 as a keylogger and password stealer. The spyware is sold commercially: a licence could be purchased on the developers' website, which stated that Agent Tesla is to be used only within the limits defined by law.

The data that Agent Tesla sends to the attackers from an infected device is encrypted with the Rijndael algorithm (the cipher standardised as the Advanced Encryption Standard, AES, a symmetric block cipher) and then encoded with a non-standard variant of base64, so a stock base64 decoder will not recover the ciphertext until the variant used by the sample has been reproduced. The collected information is sent to the command-and-control (C&C) server repeatedly, on a configured timer. The program can also update itself; when it does, the previous instance is removed.

Several network protocols are used to deliver the data to the command-and-control server, namely SMTP, HTTP and FTP. To identify the infected device, the malware sends identifiers such as the computer name, user name, drive serial number and others to the server. The address or domain name of the command-and-control server is not fixed: a dynamic address-change mechanism is used to determine it.

To survive reboots and keep running, Agent Tesla establishes persistence in the usual autostart locations: the Startup folder, the registry Run keys and the Task Scheduler.
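As an added example (not Gridinsoft's tooling and not code from this page), the Python script below walks exactly the three persistence locations just named on a Windows host and reports entries that launch from user-writable directories, which is where a dropped payload usually lives. The winreg and schtasks calls are standard Windows facilities; the user-writable-path heuristic and SAMPLE_ENTRIES are assumptions constructed for the offline demonstration, and the schtasks column names assume an English-language Windows.

```python
"""Enumerate Startup folder, Run keys and scheduled tasks; flag entries that
launch from user-writable paths.  Added example, not from the page; the
heuristic and SAMPLE_ENTRIES are assumptions made for the demonstration."""
import csv
import os
import subprocess

try:
    import winreg                 # Windows only
except ImportError:               # keep the module importable for the offline demo
    winreg = None

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
)

# Assumed heuristic: directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def collect_autoruns():
    """Yield (source, name, command) for every autorun entry on this Windows host."""
    if winreg is None:
        raise RuntimeError("autorun collection needs Windows (winreg)")
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:       # no more values under this key
                        break
                    yield (f"{hive}\\{path}", name, str(value))
                    i += 1
        except OSError:                   # key absent (RunOnce is often missing)
            continue
    startup = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for entry in os.listdir(startup):
            yield ("StartupFolder", entry, os.path.join(startup, entry))
    out = subprocess.run(["schtasks", "/query", "/fo", "csv", "/v"],
                         capture_output=True, text=True, check=False).stdout
    for row in csv.DictReader(out.splitlines()):
        task, cmd = row.get("TaskName"), row.get("Task To Run")
        if task and cmd and task != "TaskName":   # skip repeated header rows
            yield ("ScheduledTask", task, cmd)


def suspicious_autoruns(entries):
    """Return the entries worth a closer look.

    Startup-folder items are always reported (the folder itself is under AppData,
    so the path heuristic cannot separate them); everything else is flagged when
    its command points into a user-writable directory.  Heuristic only: a
    trojanised file under Program Files is not caught."""
    flagged = []
    for source, name, command in entries:
        if source == "StartupFolder" or any(m in command.lower() for m in USER_WRITABLE):
            flagged.append((source, name, command))
    return flagged


# Constructed sample entries for the offline demonstration (not real telemetry).
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "WindowsUpdate",
     r"C:\Users\alice\AppData\Roaming\svchost\svchost.exe"),
    ("StartupFolder", "notes.lnk",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"),
    ("ScheduledTask", "\\Updater", r"C:\Users\Public\update.exe -q"),
]

if __name__ == "__main__":
    entries = list(collect_autoruns()) if winreg else SAMPLE_ENTRIES
    for source, name, command in suspicious_autoruns(entries):
        print(f"[{source}] {name}: {command}")
```

Run it both from the affected user's session and from an elevated one: the HKCU keys and the Startup folder belong to the logged-on profile, so a scan from an administrator's account does not see them. Treat the full listing, not only the flagged rows, as the review set.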

How to avoid infection by Agent Tesla?

Agent Tesla is not easy to spot on an infected machine, so prevention matters most. The most reliable way to stay safe is to be cautious with unexpected emails and unknown links: above all, do not open attachments from unknown senders, and learn to recognise phishing scams.

Indicators of compromise in 2022

SHA256: 549BD25AE59EA6BD846D4ADE0CFDA021A48D887BA83209BD651A8F754E0B3419
SHA256: FFA7EDD5252C336F515FA20A38614FB21D69AEA7A282BAA24A7B91FED8962831
SHA256: 4C5FED31576F3794C65C90668DA4380AE9F16B6552EB2E820D8A7FB1CC98E89F
SHA256: 73C2ED14D89BC88F0F44F81DE2125BCDF509AE678F8E547815BF88B100C7D164
SHA256: FD5162D43BAB3B520E5EE2277360563D33C120C595DE366B3F32BA2AE19256B1
SHA256: 7F2FF2707522F96EA98A858BB895BCF72B9FDC1F457FD5AB892312BEE7DD6882
SHA256: DA935E2D8D4F241EAEFA9E024AD88A6A02B3F39196E0A169F477D3B5638884B0
SHA256: A6189C5B3ADA0B652E4AC87C3ED67A64AC16C6FD8F73EF650D5A6193DF8BF8AF
SHA256: F1F0AD851087C3FA057D82028FD5242AF6D73D6F5CF89BDF207E414EA952DF04
SHA256: E42292302FA24020BDFB2650FEB315D1C075D81A10BE0C7993A5915EFA5C1979
SHA256: EB13648DBA7AD4A185D571C8048C06A893266AE850516A6B5DB246E56B619D3A
IP: 5.23.51.236
IP: 89.252.128.115
IP: 103.21.58.15
IP: 141.98.6.75
IP: 198.54.117.218
IP: 198.54.117.216
IP: 65.254.34.162
IP: 141.8.192.151
IP: 199.79.62.18
IP: 198.12.123.178
IP: 77.245.159.9
IP: 103.21.59.198
IP: 174.136.29.110
IP: 45.56.79.23
IP: 192.186.233.163
IP: 206.221.182.74
IP: 204.11.56.48
IP: 203.170.87.169
IP: 198.54.126.23
IP: 109.234.162.66
Domain: searchkn1.sima-land.ru
Domain: www.theirdomain.com
Domain: www.theyseek.com
Domain: cdn.adshexa.com
Domain: t.tr2q.com
Domain: activandalucia.com
Domain: mail.activandalucia.com
Domain: mail.gestoriasampol.com
Domain: dlwordpress.com
Domain: www.spbutoto.com
Domain: www.goo.com
Domain: fastkeysautomation.com
Domain: totalvirus.com
Domain: www.brandimise.com
Domain: www.onlymobilepro.com
Domain: api.downloadmr.com
Domain: www.jimasun.online
Domain: www.furrylamb.com
Domain: www.clvilworksnsw.com
Domain: www.metaphilippines.com
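As an added example that is not part of this page or Gridinsoft's tools, the Python script below parses indicators written in the format used above (labelled "SHA256:" and "IP:" lines, with domains either labelled "Domain:" or bare) and checks them against file hashes and a DNS/proxy log. IOC_TEXT holds a subset of the list (the remaining lines paste in unchanged); SAMPLE_LOG and the hashed bytes are constructed for the demonstration. Hostnames match by suffix so a new subdomain under a listed domain is still flagged; IP addresses match exactly.

```python
"""Match the indicators listed above against file hashes and network logs.
Added example, not from the page; IOC_TEXT is a subset copied from the list,
the log lines and hashed bytes are constructed for the demonstration."""
import hashlib
import ipaddress
import re

IOC_TEXT = """
SHA256: 549BD25AE59EA6BD846D4ADE0CFDA021A48D887BA83209BD651A8F754E0B3419
SHA256: FFA7EDD5252C336F515FA20A38614FB21D69AEA7A282BAA24A7B91FED8962831
IP: 5.23.51.236
IP: 89.252.128.115
IP: 198.54.117.218
Domain: activandalucia.com
Domain: mail.activandalucia.com
Domain: www.onlymobilepro.com
"""

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")   # hostnames and dotted quads inside a log line


def parse_iocs(text):
    """Parse 'SHA256:', 'IP:', 'Domain:' and bare-domain lines into three sets.
    Lines with any other label are ignored."""
    hashes, ips, domains = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, value = line.partition(":")
        label, value = label.strip().upper(), value.strip().lower()
        if sep and label == "SHA256" and _SHA256.match(value):
            hashes.add(value)
        elif sep and label == "IP":
            ips.add(str(ipaddress.ip_address(value)))   # validates and normalises
        elif sep and label == "DOMAIN":
            domains.add(value.rstrip("."))
        elif not sep:                                    # unlabelled line = domain
            domains.add(line.lower().rstrip("."))
    return hashes, ips, domains


def match_token(token, ips, domains):
    """Indicators one hostname/IP token matches: IPs exactly, hostnames by
    equality or as a subdomain of a listed domain."""
    token = token.lower().rstrip(".")
    if token in ips:
        return {token}
    return {d for d in domains if token == d or token.endswith("." + d)}


def scan_log(text, ips, domains):
    """Return [(line_number, {matched indicators})] for every log line with a hit."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = set()
        for token in _TOKEN.findall(line):
            hits |= match_token(token, ips, domains)
        if hits:
            results.append((number, hits))
    return results


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed DNS/proxy log excerpt for the demonstration (not real telemetry).
SAMPLE_LOG = """\
2022-03-01T10:14:02Z dns client=10.0.0.15 name=mail.activandalucia.com type=A
2022-03-01T10:14:03Z proxy client=10.0.0.15 dst=198.54.117.218:587 proto=smtp
2022-03-01T10:15:11Z dns client=10.0.0.22 name=updates.example.com type=A
2022-03-01T10:16:40Z proxy client=10.0.0.31 dst=https://www.onlymobilepro.com/ method=GET
"""

if __name__ == "__main__":
    hashes, ips, domains = parse_iocs(IOC_TEXT)
    for number, hits in scan_log(SAMPLE_LOG, ips, domains):
        print(f"line {number}: {sorted(hits)}")
    # sha256_file(path) in hashes  tests a file on disk against the hash list
```

Treat a match as a lead rather than a verdict: file hashes change with every rebuild of the sample and the addresses rotate, so the hash and IP lists age quickly, while a domain hit is worth correlating with the SMTP, HTTP or FTP traffic described above.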