Agent Tesla

Overview

Agent Tesla is a .NET-based remote access trojan (RAT) and keylogger that has been active since 2014. It is sold as a legitimate "monitoring software" but is primarily used for malicious purposes. Agent Tesla is one of the most common malware families distributed via phishing campaigns targeting businesses.

Also Known As

AgentTesla, Negasteal

How It Spreads

• • Business Email Compromise (BEC) phishing campaigns
• • Fake invoice and shipping notification emails
• • Malicious Office documents with macros
• • Compressed archives with executables
• • Exploit kits (CVE-2017-11882 commonly used)

What It Does

• • Records all keystrokes (keylogging)
• • Captures screenshots at regular intervals
• • Steals credentials from email clients and browsers
• • Monitors clipboard contents
• • Exfiltrates data via SMTP, FTP, or HTTP
• • Captures webcam photos

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Monitor for processes using common keylogging APIs
• • Alert on .NET processes making SMTP connections
• • Detect screenshot capture API calls from unusual processes
• • Watch for processes adding themselves to startup
• • Monitor for clipboard monitoring behavior

MITRE ATT&CK Techniques

T1056.001, T1113, T1555, T1041, T1547.001