S0331 Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]

| Item | Value |
|---|---|
| ID | S0331 |
| Associated Names | |
| Version | 1.2 |
| Created | 29 January 2019 |
| Last Modified | 21 April 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Agent Tesla can collect account information from the victim’s machine.[5] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Agent Tesla has used HTTP for C2 communications.[5][7] |
| enterprise | T1071.003 | Mail Protocols | Agent Tesla has used SMTP for C2 communications.[5][7][2] |
| enterprise | T1560 | Archive Collected Data | Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Agent Tesla can add itself to the Registry as a startup program to establish persistence.[1][6] |
| enterprise | T1185 | Browser Session Hijacking | Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[2] |
| enterprise | T1115 | Clipboard Data | Agent Tesla can steal data from the victim’s clipboard.[4][1][7][2] |
| enterprise | T1555 | Credentials from Password Stores | Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[3] |
| enterprise | T1555.003 | Credentials from Web Browsers | Agent Tesla can gather credentials from a number of browsers.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[3] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.[4][2][6] |
| enterprise | T1203 | Exploitation for Client Execution | Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.[6] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Agent Tesla has created hidden folders.[6] |
| enterprise | T1564.003 | Hidden Window | Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Agent Tesla has the capability to kill any running analysis processes and AV software.[7] |
| enterprise | T1105 | Ingress Tool Transfer | Agent Tesla can download additional files for execution on the victim’s machine.[4][5] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Agent Tesla can log keystrokes on the victim’s machine.[4][5][7][2][6] |
| enterprise | T1112 | Modify Registry | Agent Tesla can achieve persistence by modifying Registry key entries.[6] |
| enterprise | T1027 | Obfuscated Files or Information | Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[1] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | The primary delivery mechanism for Agent Tesla is through email phishing messages.[2] |
| enterprise | T1057 | Process Discovery | Agent Tesla can list the current running processes on the system.[7] |
| enterprise | T1055 | Process Injection | Agent Tesla can inject into known, vulnerable binaries on targeted hosts.[6] |
| enterprise | T1055.012 | Process Hollowing | Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.[6] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Agent Tesla has achieved persistence via scheduled tasks.[6] |
| enterprise | T1113 | Screen Capture | Agent Tesla can capture screenshots of the victim’s desktop.[4][5][1][7][2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.009 | Regsvcs/Regasm | Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.[6] |
| enterprise | T1082 | System Information Discovery | Agent Tesla can collect the system’s computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[1][7][3] |
| enterprise | T1016 | System Network Configuration Discovery | Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[5][6] |
| enterprise | T1033 | System Owner/User Discovery | Agent Tesla can collect the username from the victim’s machine.[5][1][3] |
| enterprise | T1124 | System Time Discovery | Agent Tesla can collect the timestamp from the victim’s machine.[5] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Agent Tesla has the ability to extract credentials from configuration or support files.[6] |
| enterprise | T1552.002 | Credentials in Registry | Agent Tesla has the ability to extract credentials from the Registry.[6] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Agent Tesla has been executed through malicious e-mail attachments.[2] |
| enterprise | T1125 | Video Capture | Agent Tesla can access the victim’s webcam and record video.[5][4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.[3] |
| enterprise | T1047 | Windows Management Instrumentation | Agent Tesla has used WMI queries to gather information from the system.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0083 | SilverTerrier | [8] |