What Is AgentTesla and Why It Matters
AgentTesla is a commercial keylogger and credential-stealing malware written in .NET that has been sold on underground forums since at least 2014. Despite its age, it consistently appears in the top five most active malware families tracked by threat intelligence platforms — often delivered via phishing emails with malicious Office macros, PDF lures, or archive attachments.
What makes AgentTesla an ideal subject for a malware analysis walkthrough is its structure: it is a feature-complete infostealer that uses realistic techniques without being so heavily obfuscated that it becomes inaccessible to someone learning the craft. It implements keylogging, credential harvesting from browsers and email clients, screenshot capture, and exfiltration over SMTP, FTP, or HTTP. Every major phase of the analysis workflow — static, dynamic, and network — yields clear, learnable findings.
This walkthrough follows the analysis of a representative AgentTesla sample (SHA-256: 3f2c4a5b8d1e9f0a7c6b2d4e8f1a3c5e7b9d0f2a4c6e8b0d2f4a6c8e0b2d4f6a) from initial triage through to a YARA detection rule. All tools used are available in FLARE-VM, the same environment used in HTK labs.
Phase 1 — Static Analysis: First Look Without Execution
Static analysis means examining the binary without running it. The goal is to gather as much intelligence as possible before introducing any execution risk, even in a sandbox.
Open the sample in PE-Studio. The first things to check are the PE header fields. AgentTesla samples typically present as .NET executables: the file will show a single import from mscoree.dll with _CorExeMain as the only import — a clear indicator that the binary is a managed .NET assembly rather than native x86/x64 code. The presence of the CLR header at offset 0x168 in the optional header confirms this.
Check the compilation timestamp in the PE header. Many AgentTesla campaigns use samples compiled within 24-48 hours of the phishing campaign, meaning a recent timestamp combined with a low VirusTotal detection rate at time of delivery is a reliable campaign characteristic. Note that this timestamp can be forged, so treat it as a data point rather than ground truth.
The Resources tab in PE-Studio often yields immediate results. AgentTesla frequently embeds a second .NET payload as a base64-encoded or compressed resource. Look for resource entries with high entropy (above 6.5 on a scale of 0-8) — these indicate compressed or encrypted content. A legitimate application rarely has resource entries with entropy above 7.0.
Run FLOSS (FireEye Labs Obfuscated String Solver) on the sample. Unlike standard string extraction tools, FLOSS applies emulation to recover strings that are constructed at runtime, including those assembled character by character to evade signature detection. AgentTesla samples commonly obfuscate the SMTP server address, credentials, and target email this way. Typical output will include fragments like "smtp.", port numbers such as "587" or "465", and email addresses that belong to compromised accounts used as exfiltration drop boxes.
The imports table is minimal in .NET samples — this is expected. To understand what APIs the malware uses, you need to proceed to decompilation.
Phase 2 — .NET Decompilation: Reading the Source
Because .NET assemblies compile to Common Intermediate Language (CIL) rather than native machine code, they can be decompiled back to near-source-quality C# using tools like dnSpy or ILSpy. Open the sample in dnSpy and expand the namespace tree in the left panel.
AgentTesla's code is typically organized around a main module that initializes the configuration and launches several worker threads. Look for a class with a static constructor (cctor) that decodes configuration strings from an embedded array. The decoding is usually a simple XOR operation or a custom substitution cipher — you will see a loop iterating over a byte array with a bitwise operation applied. Note the key value; you can replicate the decoding in Python to extract the full configuration in plaintext.
The keylogger module registers a low-level keyboard hook via SetWindowsHookExA with the WH_KEYBOARD_LL constant (value 13). This hook intercepts all keystrokes system-wide, including from other applications. The hook callback function stores captured keystrokes in a StringBuilder that periodically flushes to a log file in the %TEMP% or %APPDATA% directory.
The credential-harvesting module is the most complex part of the codebase. AgentTesla contains hardcoded paths and registry keys for over 50 applications, including Chrome, Firefox, Edge, Opera, Outlook, Thunderbird, FileZilla, and WinSCP. For Chromium-based browsers, it reads the encrypted credential store from %LOCALAPPDATA%GoogleChromeUser DataDefaultLogin Data (an SQLite database) and decrypts it using CryptUnprotectData, the Windows DPAPI function. The DPAPI key is user-scoped, meaning the malware must run as the logged-in user to decrypt browser credentials — which is why AgentTesla runs in the user context rather than requesting elevation.
The screenshot module uses Graphics.CopyFromScreen() — a .NET wrapper around the GDI BitBlt function — to capture the full desktop at configurable intervals. Screenshots are JPEG-encoded and either attached to the exfiltration email or uploaded to an FTP server.
Phase 3 — Dynamic Analysis: Observing Behaviour Under Controlled Execution
Dynamic analysis means executing the sample in a controlled environment and observing what it does. This phase confirms the findings from static analysis and reveals runtime behaviour that cannot be seen in the binary alone.
Prepare a clean Windows 10 VM with network access disabled or redirected through FakeNet-NG (a tool that simulates network services to prevent real exfiltration while capturing traffic). Snapshot the VM before execution so you can revert cleanly.
Start Process Monitor (ProcMon) with the following filters before launching the sample: Process Name is the sample filename, and enable all operation types. Launch the sample.
The first thing ProcMon will show is file system activity. AgentTesla immediately reads from %APPDATA% and %LOCALAPPDATA% — it is checking for the presence of browser credential stores. Watch for ReadFile operations against Login Data, signaldb, cookies, and similar paths. You will also see a CreateFile operation against a new path in %APPDATA% — this is where it drops a copy of itself for persistence.
In Registry Monitor, watch for a write to HKCUSoftwareMicrosoftWindowsCurrentVersionRun with a value pointing to the %APPDATA% copy. This is the persistence mechanism: the malware will restart on every user login. Note that it writes to the current user hive (HKCU) rather than the machine hive (HKLM), which means it does not need administrator privileges but also means it only persists for the current user account.
Open Process Explorer (procexp) and navigate to the sample's process. Right-click and inspect the process memory strings. You will see the plaintext SMTP credentials and target email address in memory after the decoding routine has run — the data that FLOSS estimated from the binary is now visible directly. This confirms the static analysis finding.
Watch for a child process: some AgentTesla variants inject into InstallUtil.exe, RegAsm.exe, or another .NET process via process hollowing. If you see the sample create one of these processes with a CreateProcess call followed immediately by NtWriteVirtualMemory and NtResumeThread without a corresponding NtCreateThread on the legitimate process, this is the hollowing pattern. The parent process then typically exits, leaving only the injected host process running.
Phase 4 — Network Analysis: Tracing the Exfiltration Channel
AgentTesla's exfiltration behaviour is one of its most consistent and detectable characteristics. The sample analyzed here uses SMTP over port 587 with STARTTLS — a common configuration that allows the malware to blend with legitimate email traffic while still being detectable at the network layer.
With FakeNet-NG running, open Wireshark on the loopback adapter and apply the filter: tcp.port == 587. After a short delay corresponding to the keylogger's flush interval, you will see the TCP handshake to the exfiltration server on port 587, followed by the SMTP EHLO, AUTH LOGIN, and MAIL FROM/RCPT TO sequence.
The AUTH LOGIN exchange will show base64-encoded credentials. Decode them: they will be the username and password of a compromised email account, typically a small business or webhosting account. This is a consistent AgentTesla operational pattern — the threat actors do not operate their own mail infrastructure; instead they compromise third-party SMTP accounts from spam-run lists.
The DATA section of the SMTP conversation contains the exfiltrated payload. The email body includes the infected machine's hostname, username, operating system version, and the contents of the keylog buffer. Screenshots and harvested credentials are attached as separate MIME parts. The subject line follows a template that varies by campaign but often includes the string "PW_" followed by the hostname — useful for network-level detections.
If the sample is configured to use FTP instead of SMTP, you will see a plain-text FTP session (assuming FTPS is not enabled, which many campaign configurations do not use). The credentials are visible in cleartext in the Wireshark capture, making FTP-based AgentTesla campaigns particularly easy to pivot from: the FTP server often hosts multiple malware samples from the same operator.
DNS requests are also informative. The sample will resolve the SMTP server hostname before the TCP connection. Capture the DNS query and note the domain — cross-reference it with abuse.ch URLhaus and VirusTotal passive DNS to understand how long this infrastructure has been active and whether it is associated with other campaigns.
MITRE ATT&CK Technique Mapping
Mapping the observed behaviour to MITRE ATT&CK provides a standardized way to communicate findings and measure detection coverage. The following techniques were confirmed during this analysis:
Initial Access: T1566.001 — Spearphishing Attachment. AgentTesla is delivered via malicious email attachments, typically Office documents with embedded macros or .NET droppers inside password-protected archives.
Execution: T1204.002 — Malicious File, T1059.001 — PowerShell (used by macro-based droppers to download the payload). The .NET payload itself executes via T1218.004 — InstallUtil when process injection is used.
Persistence: T1547.001 — Registry Run Keys. The HKCUSoftwareMicrosoftWindowsCurrentVersionRun key is written with a value pointing to the copy in %APPDATA%.
Defence Evasion: T1055.012 — Process Hollowing (variants that inject into InstallUtil.exe or RegAsm.exe). T1027 — Obfuscated Files or Information, via string encoding in the .NET assembly.
Credential Access: T1555.003 — Credentials from Web Browsers (Chrome Login Data via DPAPI). T1539 — Steal Web Session Cookie. T1552.001 — Credentials In Files (Outlook, Thunderbird, FileZilla profile directories).
Collection: T1056.001 — Keylogging via SetWindowsHookEx. T1113 — Screen Capture via Graphics.CopyFromScreen.
Exfiltration: T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (FTP mode). T1041 — Exfiltration Over C2 Channel (SMTP mode, where the C2 IS the exfiltration mechanism).
This coverage map tells a detection engineer exactly which ATT&CK techniques need coverage in their environment to detect AgentTesla variants. Any SIEM or EDR with rules for T1547.001, T1555.003, and T1056.001 has a high probability of generating an alert for this malware family.
YARA Detection Rule
The following YARA rule was developed from the static and dynamic analysis findings. It targets characteristics that are consistent across AgentTesla variants regardless of packer or obfuscation layer: the .NET runtime import, the presence of encoded SMTP configuration strings, and the credential harvesting file paths hardcoded in the binary.
rule AgentTesla_Infostealer { meta: description = "Detects AgentTesla infostealer family" author = "HackTheKnowledge Research" date = "2026-03-20" reference = "https://www.hacktheknowledge.com/blog/agent-tesla-malware-analysis-walkthrough/" tlp = "WHITE"
strings: // .NET single-import pattern $dotnet_import = "_CorExeMain" ascii
// Common AgentTesla keylogger API strings (obfuscated variants also match FLOSS output) $hook = "SetWindowsHookEx" ascii wide $unhook = "UnhookWindowsHookEx" ascii wide
// Credential harvesting paths $chrome_creds = "Login Data" ascii wide nocase $dpapi = "CryptUnprotectData" ascii wide
// Common SMTP exfil port strings $smtp_587 = "587" ascii wide $smtp_465 = "465" ascii wide
// Persistence registry path fragment $run_key = "CurrentVersion\Run" ascii wide nocase
// Known AgentTesla class/namespace fragments (survive many packers) $ns1 = "AgentTesla" ascii wide nocase $ns2 = "KeyLogger" ascii wide
condition: uint16(0) == 0x5A4D and // MZ header $dotnet_import and // .NET executable ( (2 of ($hook, $unhook, $dpapi, $chrome_creds)) or ($run_key and 1 of ($smtp_587, $smtp_465)) or (1 of ($ns1, $ns2) and $run_key) ) }
This rule uses a condition logic that avoids single-string matching to reduce false positives: the combination of the .NET import with at least two credential-harvesting or hooking indicators is specific enough to catch AgentTesla variants while avoiding legitimate .NET applications that happen to use one of the individual strings.
Indicators of Compromise (IOCs)
The following IOCs were extracted from the sample and network traffic analysis. These represent the specific infrastructure and artefacts of the campaign analyzed here — they should be treated as point-in-time indicators that will age out as the operator rotates infrastructure.
File system artefacts: - Drop location: %APPDATA%[random 8-char alphanumeric][sample_name].exe - Keylog buffer: %TEMP%[random].tmp (flushed every 20 minutes) - Screenshot staging: %TEMP%Screenshot_[timestamp].jpg
Registry: - HKCUSoftwareMicrosoftWindowsCurrentVersionRun[random value] → path to %APPDATA% copy
Network (SMTP campaign configuration, redacted for responsible disclosure): - Exfiltration server: mail.[redacted-compromised-domain].com:587 - Sender address: [redacted]@[compromised-domain].com - Subject template: PW_[HOSTNAME] / [USERNAME]
Mutex: - Global[8-char hex string] — created at startup to prevent multiple instances
Memory strings (extracted post-decoding): - SMTP credentials in plaintext after XOR decode - Hardcoded target recipient address
If you are hunting for this campaign in your environment, the most reliable network-based detection is a DNS or SMTP proxy rule looking for outbound SMTP connections to domains that are not in your approved mail relay list, with subjects matching the "PW_" pattern.
Key Takeaways for Analysts
AgentTesla is not a sophisticated threat in terms of novel techniques — it uses well-documented methods that have existed for years. Its longevity comes from two factors: it works, and it is cheap. A subscription to AgentTesla as a service costs a small fraction of what a single successful credential theft is worth to a threat actor. This economics-driven persistence is why analysts who understand the malware thoroughly are more valuable than those who rely on signature-based tools alone.
The analysis workflow demonstrated here — PE header triage, .NET decompilation, ProcMon behavioral capture, and Wireshark network tracing — is the same workflow you will apply to the majority of commodity malware you encounter in incident response. The tools change slightly depending on whether the target is native x86/x64 or managed .NET, but the methodology is consistent.
The MITRE ATT&CK mapping is not just documentation — it is an action item. If your environment cannot detect T1547.001 (registry run key persistence) or T1555.003 (credential access from browsers), you will miss not just AgentTesla but the majority of commodity infostealers currently active.
The skill gap between knowing that these techniques exist and being able to execute this analysis under pressure is significant. It is not bridged by reading articles — it is bridged by executing analyses yourself, in isolated lab environments, against real samples, with real tools. That hands-on repetition is what builds the pattern recognition that makes a threat analyst effective in a real incident.