Agent Tesla
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | Agent Tesla can collect account information from the victim’s machine.(Citation: DigiTrust Agent Tesla Jan 2017)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Agent Tesla has used HTTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)
Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Agent Tesla has used SMTP for C2 communications.(Citation: Cofense Agent Tesla)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Agent Tesla can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Agent Tesla can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020)
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Agent Tesla has created hidden folders.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Agent Tesla has used
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Agent Tesla has the capability to kill any running analysis processes and AV software.(Citation: Fortinet Agent Tesla June 2017)
Enterprise | T1056.001 | Input Capture: Keylogging | Agent Tesla can log keystrokes on the victim’s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | The primary delivery mechanism for Agent Tesla is email phishing messages.(Citation: Bitdefender Agent Tesla April 2020)
Enterprise | T1055.012 | Process Injection: Process Hollowing | Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Agent Tesla has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1218.009 | System Binary Proxy Execution: Regsvcs/Regasm | Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | Agent Tesla can collect names and passwords of all Wi-Fi networks to which a device has previously connected.(Citation: Malwarebytes Agent Tesla April 2020)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Agent Tesla has the ability to extract credentials from configuration or support files.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | Agent Tesla has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020)
Enterprise | T1204.002 | User Execution: Malicious File | Agent Tesla has been executed through malicious e-mail attachments.(Citation: Bitdefender Agent Tesla April 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0083 | SilverTerrier | (Citation: Unit42 SilverTerrier 2018)
G1018 | TA2541 | (Citation: Proofpoint TA2541 February 2022)
References
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Zhang, X. (2018, April 5). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.