Agenttesla

Malware Profile Updated 24 days ago
AgentTesla is a well-known Remote Access Trojan (RAT) that has been used in numerous cybercrime campaigns. It is typically delivered through malicious emails or suspicious downloads; once inside a system, it can steal personal information, disrupt operations, or even hold data for ransom. The malware has been observed being dropped by other malware strains, such as TicTacToe and DBatLoader, the latter of which has been active since 2020 and is known to abuse cloud services to stage and retrieve additional payloads. Despite advances in cybersecurity, AgentTesla has remained unaffected and has moved to the top of the Malware-as-a-Service (MaaS) market.

The infection chain often begins with the victim downloading an Excel document that exploits vulnerabilities in outdated versions of Microsoft Office. Opening a PDF in older versions of Acrobat Reader triggers the automatic execution of malicious JavaScript, which leads to AgentTesla being injected into Regsvcs.exe via PowerShell. That PowerShell script decrypts and executes a binary in the form of a .NET DLL, injecting the AgentTesla payload into legitimate processes to evade detection.

AgentTesla has also been observed using Telegram bots for data exfiltration; the combination of security, anonymity, ease of use, stealth, and resilience makes Telegram bots an appealing channel for this purpose. Although other families such as AsyncRAT, Qbot, and RedLine have taken the lead in various quarters, AgentTesla continues to pose a significant threat due to its persistent evolution and widespread use in cybercrime.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID     Votes  Profile Description
Dcrat  2      DcRAT is a malicious software that has been used in various cyberattacks throughout 2023 and into 2024. The malware, distributed through fake OnlyFans content, deceptive Google Meet sites, and spoofed Skype and Zoom websites, downloads a DcRAT payload when users click on certain elements. This Remot
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Spam
Rat
Discord
Loader
Windows
Telegram
Phishing
Trojan
Remcos
Downloader
Associated Malware
ID         Type         Votes  Profile Description
Lokibot    Unspecified  6      LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Redline    Unspecified  5      RedLine is a notorious malware, discovered in March 2020, that has been used extensively by threat actors to export personal information such as credentials, cryptocurrency wallets, and financial data to its command-and-control infrastructure. The malware infiltrates systems via suspicious downloads
njRAT      Unspecified  4      NjRAT is a malicious software, or malware, that has been used in both criminal and targeted attacks since 2013. This remote-access Trojan (RAT) is capable of identifying remote hosts on connected networks (T1018) and detecting if the victim system has a camera during the initial infection (T1120). I
Xworm      Unspecified  4      XWorm is a multifaceted malware that has been used by threat actors to exploit vulnerabilities in systems, particularly those running ScreenConnect client software. It provides remote access capabilities, allowing threat actors to infiltrate networks, exfiltrate sensitive data, and download addition
Formbook   Unspecified  3      Formbook is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d
Raccoon    Unspecified  2      Raccoon is a type of malware utilized by the Scattered Spider threat actors to obtain sensitive information such as login credentials, browser cookies, and browser histories. The Raccoon Stealer is particularly notorious for its ability to detect countermeasures and delete records associated with th
NETWIRE    Unspecified  2      NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
DarkComet  Unspecified  2      DarkComet is a type of malware, specifically a Remote Access Trojan (RAT), that opens a backdoor on an infected computer to steal information. It is part of a larger family of RATs which includes other malicious software such as PlugX, ShadowPad, and AsyncRAT. DarkComet, along with these other RATs,
AsyncRAT   Unspecified  2      AsyncRAT is a malicious software (malware) that infiltrates computer systems, often without the user's knowledge. It typically enters a system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executabl
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Agenttesla malware was read from the document corpus below. This display is limited to 20 results.
Source                        Created At     Title
Checkpoint                    a year ago     DotRunpeX - demystifying new virtualized .NET injector used in the wild - Check Point Research
Securityaffairs               a year ago     PureCrypter used to deliver AgentTesla to govt organizations
CERT-EU                       6 months ago   Malware-Traffic-Analysis.net - 2023-11-22 - AgentTesla infection with FTP data exfil
Malware-traffic-analysis.net  8 months ago   Malware-Traffic-Analysis.net - 2023-09-21 thru 09-25 - examples of malspam pushing AgentTesla
Fortinet                      a year ago     Trying to Steal Christmas (Again!) | FortiGuard Labs
CERT-EU                       9 months ago   Email campaigns leverage updated DBatLoader to deliver RATs, stealers
Fortinet                      3 months ago   TicTacToe Dropper | FortiGuard Labs
Checkpoint                    6 months ago   13th November – Threat Intelligence Report - Check Point Research
CERT-EU                       3 months ago   Rise in Deceptive PDF: The Gateway to Malicious Payloads | McAfee Blog
CERT-EU                       8 months ago   Unpacking what's packed: DotRunPeX analysis
CERT-EU                       5 months ago   Windows Computer Hit with AgentTesla Malware to Steal Data
InfoSecurity-magazine         9 months ago   Windows Systems Targeted in Multi-Stage Malware Attack
CERT-EU                       a year ago     April 2023’s Most Wanted Malware: Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return - Check Point Blog
CERT-EU                       a year ago     China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan
CERT-EU                       a year ago     April 2023's Most Wanted Malware : Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return – Global Security Mag Online
CERT-EU                       7 months ago   Threat Roundup for October 13 to October 20
CERT-EU                       7 months ago   AgentTesla Stealer Delivered Via Weaponized PDF and CHM Files
InfoSecurity-magazine         9 months ago   Creative QakBot Attack Tactics Challenge Security Defenses
CERT-EU                       7 months ago   Discord still a hotbed of malware activity — Now APTs join the fun
CERT-EU                       9 months ago   DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows