Agenttesla

Malware Profile Updated 2 months ago
AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Recently, the malware has been observed being delivered by a dropper executable variant and by a separate TicTacToe dropper sample; the final payload in both samples was detected as AgentTesla, indicating its continued prevalence in the threat landscape.

DBatLoader, also known as ModiLoader, a malware strain observed since 2020, has been used to download and execute the final payload of commodity malware campaigns such as AgentTesla. DBatLoader campaigns are often initiated through malicious emails and are known to abuse cloud services to stage and retrieve additional payloads. AgentTesla has also been found in the arsenal of several cybercrime groups alongside other malware such as FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger, and XWorm. Despite changes in the malware-as-a-service (MaaS) market, AgentTesla remains a dominant player because of its effective and stealthy operation.

In one documented infection chain, victims downloaded an Excel document that exploited a vulnerability in outdated versions of Microsoft Office, leading to the injection of AgentTesla. In older versions of Acrobat Reader, automatic execution of malicious JavaScript could likewise lead to AgentTesla being injected into Regsvcs.exe via PowerShell. The malware uses Telegram bots for data exfiltration, taking advantage of their security, anonymity, ease of use, stealth, and resilience; this combination makes Telegram bots an appealing choice for AgentTesla's exfiltration tactics.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names or profiles you may also want to look at.

ID | Votes | Profile Description
Dcrat | 2 | DcRAT is a malicious software that has been used in various cyberattacks throughout 2023 and into 2024. The malware, distributed through fake OnlyFans content, deceptive Google Meet sites, and spoofed Skype and Zoom websites, downloads a DcRAT payload when users click on certain elements. This Remot
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:

Malware, Payload, Spam, RAT, Loader, Windows, Discord, Telegram, Remcos, Phishing, Trojan, Downloader, Infostealer, Proofpoint, Acrobat, MaaS, Chrome, Sandbox, HP, FortiGuard, GitHub, GBHackers, Microsoft, Net, Exploit, Dropper, Cybercrime, Vulnerability, Ransomware, Evasive, Spyware, Outlook, Firefox
Associated Malware
ID | Type | Votes | Profile Description
Lokibot | Unspecified | 6 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Redline | Unspecified | 5 | RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac
njRAT | Unspecified | 5 | NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
Xworm | Unspecified | 4 | XWorm is a multi-functional malware that provides threat actors with remote access capabilities, has the potential to spread across networks, exfiltrate sensitive data, and download additional payloads. It was observed exploiting ScreenConnect vulnerabilities, a client software used for remote syste
Formbook | Unspecified | 3 | Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
Raccoon | Unspecified | 2 | Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20
DarkComet | Unspecified | 2 | DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es
NanoCore | Unspecified | 2 | NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
AsyncRAT | Unspecified | 2 | AsyncRAT is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executable loads http_dll.dll, the DL
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Avemaria/warzonerat | Unspecified | 1 | None
Vidar | Unspecified | 1 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
ZxShell | Unspecified | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Privateloader | Unspecified | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Darkgate | Unspecified | 1 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Raccoon Stealer | Unspecified | 1 | Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
Qbot | Unspecified | 1 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
GuLoader | Unspecified | 1 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Redline Stealer | Unspecified | 1 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Dotrunpex | Unspecified | 1 | DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Azorult | Unspecified | 1 | Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Maze | Unspecified | 1 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Associated Threat Actors
ID | Type | Votes | Profile Description
TA2541 | Unspecified | 1 | TA2541, a cybercriminal threat actor identified by Proofpoint, has been actively executing malicious actions since January 2017. This group demonstrates persistent and ongoing threat activity, targeting sectors related to aviation, transportation, and travel. Unlike many similar entities, TA2541 doe
Snake | Unspecified | 1 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-40444 | Unspecified | 1 | None
Netwire Privateloader | Unspecified | 1 | None
Vidar Xworm | Unspecified | 1 | None
Redline Remcos | Unspecified | 1 | None
Asyncrat Avemaria/warzonerat | Unspecified | 1 | None
Source Document References
Information about the Agenttesla malware was read from the document corpus below. This display is limited to 20 results.

[Source, created] Title
[Checkpoint, 2 months ago] Inside the Box: Malware's New Playground - Check Point Research
[SANS ISC, 3 months ago] Malicious PDF File Used As Delivery Mechanism - SANS Internet Storm Center
[BankInfoSecurity, 3 months ago] Steganography Campaign Targets Global Enterprises
[CERT-EU, 4 months ago] Cybercrime on Main Street - Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
[CERT-EU, 4 months ago] Cybercrime on Main Street - Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
[CERT-EU, 5 months ago] Rise in Deceptive PDF: The Gateway to Malicious Payloads | McAfee Blog
[CERT-EU, 5 months ago] Unmasking 2024's Email Security Landscape
[CERT-EU, 5 months ago] Watch out! There are hidden dangers lurking in your PDFs
[InfoSecurity-magazine, 5 months ago] "TicTacToe Dropper" Malware Distribution Tactics Revealed
[Fortinet, 5 months ago] TicTacToe Dropper | FortiGuard Labs
[CERT-EU, 6 months ago] Windows Computer Hit with AgentTesla Malware to Steal Data
[Secureworks, a year ago] DarkTortilla Malware Analysis
[CERT-EU, a year ago] Microsoft OneNote Announces Enhanced Security After Phishing Attacks
[CERT-EU, 7 months ago] 8220 gang exploits old Oracle WebLogic vulnerability to deliver infostealers, cryptominers - Help Net Security
[MITRE, 7 months ago] TA2541: Threats to Aviation, Aerospace, & Travel | Proofpoint US
[CERT-EU, 9 months ago] Threat Roundup for October 13 to October 20
[CERT-EU, 8 months ago] Malware-Traffic-Analysis.net - 2023-11-22 - AgentTesla infection with FTP data exfil
[Checkpoint, 8 months ago] 13th November - Threat Intelligence Report - Check Point Research
[CERT-EU, 9 months ago] Discord still a hotbed of malware activity - Now APTs join the fun
[CERT-EU, 9 months ago] AgentTesla Stealer Delivered Via Weaponized PDF and CHM Files