secbysrg
Title here
Summary here
AgentTesla Infostealer — Static & Dynamic Analysis
Executive Summary
AgentTesla is a .NET-based commodity infostealer sold as malware-as-a-service. This sample was delivered via a phishing email with a weaponized Excel attachment. Upon execution it establishes persistence, harvests credentials, and exfiltrates via SMTP.
TLP: WHITE — suitable for public release.
Sample Details
| Field | Value |
|---|---|
| Filename | invoice_march.exe |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| File type | PE32 .NET executable |
| Size | 487 KB |
| Packer | ConfuserEx v1.0 |
Static Analysis
Initial Triage
file invoice_march.exe
# PE32 executable (GUI) Intel 80386 Mono/.Net assembly
strings invoice_march.exe | grep -i "smtp\|gmail\|pass"
# smtp.gmail.com
# port: 587Deobfuscation
The sample is packed with ConfuserEx. Use de4dot to deobfuscate:
de4dot invoice_march.exe -o invoice_march_clean.exeAfter cleaning, load into dnSpy or ILSpy. Key class of interest:
// Credential harvester — targets Chrome, Firefox, Outlook
private static void StealCredentials()
{
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
// ...
}Dynamic Analysis
Environment
- Windows 10 22H2 VM (isolated, no internet)
- Tools: ProcMon, Wireshark, x64dbg, FakeNet-NG
Execution Behaviour
Process tree:
explorer.exe
└── invoice_march.exe (PID 4821)
└── cmd.exe /c schtasks /create ...Persistence — Scheduled Task:
schtasks /create /tn "WindowsUpdate" /tr "C:\Users\user\AppData\Roaming\svchost.exe" /sc onlogonRegistry key written:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsUpdater" = C:\Users\user\AppData\Roaming\svchost.exeC2 Communication
Exfiltration over SMTP (port 587) to a Gmail account. Captured in FakeNet:
EHLO DESKTOP-ABC123
AUTH LOGIN
334 dXNlcm5hbWU= # base64: username
MAIL FROM: <victim@domain.com>
Subject: [AgentTesla] | victim | DESKTOP-ABC123Detection Opportunities
YARA Rule
rule AgentTesla_SMTP_Exfil {
meta:
description = "Detects AgentTesla SMTP exfiltration strings"
tlp = "WHITE"
author = "secbysrg"
date = "2026-03-11"
strings:
$smtp1 = "smtp.gmail.com" ascii
$smtp2 = "smtp.yandex.com" ascii
$subj = "[AgentTesla]" ascii wide
$net = "System.Net.Mail" ascii
condition:
uint16(0) == 0x5A4D and 2 of ($smtp*) and any of ($subj, $net)
}Sigma Rule (Scheduled Task persistence)
title: AgentTesla Scheduled Task Persistence
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'schtasks'
- '/create'
- 'onlogon'
condition: selection
level: mediumIndicators of Compromise
| Type | Value | Description |
|---|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e | Packed sample |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | Packed sample |
| Domain | smtp.gmail.com | C2 exfil channel |
| Registry | HKCU\...\Run\WindowsUpdater | Persistence key |
| Task | WindowsUpdate | Scheduled task name |
Mitigations
- Block outbound SMTP (port 587) at perimeter for non-mail servers
- Alert on
schtasks /createwith/sc onlogonfrom user-writable paths - Enable AMSI for .NET assemblies