Agenttesla

Category: infostealer · Aliases: InfoStealer.AgentTesla, Keylogger.AgentTesla, MSIL/AgentTesla · Sample count (EMBER 2018): 43 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z
First seen: 2014Status: active

Overview

Executive Summary

Agent Tesla is a highly prevalent, commercially available Information Stealer (InfoStealer) and advanced Keylogger written in .NET. It is sold openly on underground forums under a Malware-as-a-Service (MaaS) model, making it accessible to low-skill threat actors. It is designed to comprehensively harvest sensitive data from infected machines, focusing heavily on corporate email credentials, web browser data, and capturing user keystrokes.

Infection Vector and Technical Capabilities

Agent Tesla is overwhelmingly distributed via targeted phishing and broad malspam campaigns. The emails typically contain malicious ZIP files, ISO images, or weaponized Office documents (using equation editor exploits or macros) that execute the initial dropper. Once active, it operates as a stealthy data vacuum:

Threat Assessment

An Agent Tesla infection is a severe data privacy and security breach. The theft of valid corporate email credentials leads directly to catastrophic Business Email Compromise (BEC) fraud, while stolen VPN credentials provide attackers with direct access to the internal network.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Spearphishing Attachment
T1056.001Keylogging
T1555.003Credentials from Web Browsers
T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Indicators of Compromise

Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.

Delivery vectors

Network indicators

Persistence mechanisms

Detection Guidance

Detection ideas drawn from public reporting. Tune to your environment before deploying.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_AGENTTESLA {
    meta:
        description = "Detects Agenttesla (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "agenttesla" ascii wide nocase
        $s2 = "infostealer.agenttesla" ascii wide nocase
        $s3 = "keylogger.agenttesla" ascii wide nocase
        $s4 = "msil/agenttesla" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Agenttesla Activity
id: 6aafae42beb96c4465d1982306e7285b
status: experimental
description: Detects generic indicators of the agenttesla malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*agenttesla*"
            - "*infostealer.agenttesla*"
            - "*keylogger.agenttesla*"
            - "*msil/agenttesla*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate host and capture memory if possible
  2. Rotate all credentials stored in browsers, FTP clients, email clients on the host
  3. Revoke and reissue VPN certificates used on the host
  4. Block known SMTP/FTP exfil endpoints and Telegram if not business-essential

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not just delete the binary — credentials are likely already exfiltrated
  2. Do not assume free webmail SMTP destinations are benign
  3. Do not skip user notification — phishing targeting their contacts often follows

References & External Analysis

Frequently Asked Questions

What is Agent Tesla?

A .NET-based spyware trojan, observed since at least 2014, used to steal credentials and log activity on infected machines.

What does Agent Tesla steal?

Saved credentials from browsers and email/FTP clients, keystrokes, clipboard contents, and screenshots.

How is Agent Tesla delivered?

Mainly through phishing emails carrying malicious documents or archive attachments.

How does it send stolen data out?

Commonly over email (SMTP), FTP, or messaging services to attacker-controlled accounts.

How can I protect against keyloggers like Agent Tesla?

Use multi-factor authentication so stolen passwords alone are insufficient, be cautious with attachments, and keep endpoint protection updated.

Where is the authoritative reference?

MITRE ATT&CK's Agent Tesla entry (S0331), linked on this page.

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/agenttesla.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.