Trojan Agent Tesla – Malware Analysis

Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25

Family : Agent Tesla

Downloaded Sample Link: Click here

Signature: Microsoft Visual C# v7.0/ Basic.NET

Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe


VirusTotal score:


Malware behavior:

  • Steal browser information (URL, Usernames, Passwords)
  • Steal passwords for email clients.
  • Steal FTP Clients
  • Steal download manager passwords.
  • Collect OS and hardware information.

Browser Information:

When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine.

Below are the tables getting created.


Tables created:

  • meta
  • logins
  • sqlite_sequence
  • stats
  • compromised_credentials

found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords.


database table logins stores all browser related information. Below are the table columns.


Apart from this, malware also look for all different types of browsers to steal data from it.

It look for below browsers:

  • Opera Browser
  • Yandex Browser
  • 360 Browser
  • Iridium Browser
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • CentBrowser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • Citrio
  • Liebao Browser
  • Sleipnir 6
  • QIP Surf
  • Coowon

Below screenshot taken while debugging malware.


Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.

Email Clients:

  • Outlook
  • Thunderbird
  • Foxmail
  • Opera Mail
  • Pocomail
  • Claws-mail
  • Postbox

FTP Clients:

Malware grabs credentials from FTP clients as well. Below list.

  • FileZilla
  • Core FTP
  • SmartFTP
  • FTPGetter
  • FlashFXP

It also makes FTP web request. (Remote Server couldn’t find)


It uses smtp client to send information over the network using port 587 which indicates sending data from smtp client to a particular smtp Server through mail attachments.


Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to remote SMTP server.


unfortunately, it didn’t make any connection to any remote server address.


  • Steal Browser Information including urls, usernames and passwords.
  • Steal email client credentials.
  • Steal credentials of FTP servers.
  • Computer information.

Thank you.

3 thoughts on “Trojan Agent Tesla – Malware Analysis

Leave a Reply to Dave Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.