Agenttesla

Malware updated 5 hours ago (2024-11-21T11:31:36.968Z)
AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer that has been used in numerous cyber-attacks. It is typically delivered through malicious emails or downloads; once inside a system it can steal personal information, disrupt operations, or even hold data hostage for ransom. Its delivery methods have varied, including a dropper executable variant and the TicTacToe dropper sample. In some instances, AgentTesla has been deployed as the final payload of commodity malware campaigns that leverage loaders such as DBatLoader (also known as ModiLoader), which has been observed since 2020. In October 2024, Check Point Research highlighted a significant rise in infostealer malware, with AgentTesla and Lumma Stealer topping the list of prevalent threats.

Positive Technologies researchers documented an AgentTesla infection chain in which victims downloaded an Excel document that exploited a vulnerability in outdated versions of Microsoft Office, leading to the injection of AgentTesla. Other tools and malware used by the same cybercrime group include FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger, and XWorm. Despite advances in cybersecurity, AgentTesla has remained resilient, moving to the top of the Malware-as-a-Service (MaaS) market.

One notable aspect of AgentTesla's operation is its use of Telegram bots for data exfiltration. This channel offers security, anonymity, ease of use, stealth, and resilience, making it an attractive choice for cybercriminals. In one case, a victim was tricked into downloading a ZIP archive containing an AgentTesla sample that communicated with its Command and Control (C2) server via Telegram. In another instance, an old version of Acrobat Reader was exploited: opening a PDF triggered the automatic execution of malicious JavaScript, which launched PowerShell to inject AgentTesla into Regsvcs.exe. That script decrypts and executes a binary, a .NET DLL, which injects the AgentTesla payload into legitimate processes to evade detection.
Description last updated: 2024-11-21T10:34:53.685Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Alias (votes): Description

Dcrat (2 votes): Dcrat is a possible alias for Agenttesla. DcRAT is a malicious software (malware) known as a Remote Access Trojan (RAT), which has been utilized in a widespread campaign to exploit computer systems. The malware infiltrates systems through deceptive methods, including downloads from fake Google Meet and OnlyFans sites. When a user interacts
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Spam
Loader
Discord
Windows
Rat
Telegram
Phishing
Downloader
Trojan
Remcos
Associated Malware
Alias (association type, votes): Description

Lokibot (Unspecified, 6 votes): The Lokibot Malware is associated with Agenttesla. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

njRAT (Unspecified, 5 votes): The njRAT Malware is associated with Agenttesla. NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d

Redline (Unspecified, 5 votes): The Redline Malware is associated with Agenttesla. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor

Xworm (Unspecified, 4 votes): The Xworm Malware is associated with Agenttesla. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operati

Formbook (Unspecified, 3 votes): The Formbook Malware is associated with Agenttesla. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o

NanoCore (Unspecified, 2 votes): The NanoCore Malware is associated with Agenttesla. NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec

Raccoon (Unspecified, 2 votes): The Raccoon Malware is associated with Agenttesla. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $

NETWIRE (Unspecified, 2 votes): The NETWIRE Malware is associated with Agenttesla. NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at

DarkComet (Unspecified, 2 votes): The DarkComet Malware is associated with Agenttesla. DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es

AsyncRAT (Unspecified, 2 votes): The AsyncRAT Malware is associated with Agenttesla. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra
Source Document References
Information about the Agenttesla Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created at):

Checkpoint (9 hours ago)
Checkpoint (6 months ago)
SANS ISC (7 months ago)
BankInfoSecurity (7 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
InfoSecurity-magazine (9 months ago)
Fortinet (9 months ago)
CERT-EU (10 months ago)
Secureworks (2 years ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
MITRE (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago)