AgentTesla Infostealer — Static & Dynamic Analysis
Analysis of an AgentTesla sample delivered via phishing. Covers unpacking, C2 extraction, and detection opportunities.
Executive Summary
AgentTesla is a .NET-based commodity infostealer sold as malware-as-a-service. This sample was delivered via a phishing email with a weaponized Excel attachment. Upon execution it establishes persistence, harvests credentials, and exfiltrates via SMTP.
TLP: WHITE — suitable for public release.
Sample Details
| Field | Value |
|---|---|
| Filename | invoice_march.exe |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| File type | PE32 .NET executable |
| Size | 487 KB |
| Packer | ConfuserEx v1.0 |
Static Analysis
Initial Triage
file invoice_march.exe
# PE32 executable (GUI) Intel 80386 Mono/.Net assembly
strings invoice_march.exe | grep -i "smtp\|gmail\|pass"
# smtp.gmail.com
# port: 587
Deobfuscation
The sample is packed with ConfuserEx. Use de4dot to deobfuscate:
de4dot invoice_march.exe -o invoice_march_clean.exe
After cleaning, load into dnSpy or ILSpy. Key class of interest:
// Credential harvester — targets Chrome, Firefox, Outlook
private static void StealCredentials()
{
    string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
    // ...
}
Dynamic Analysis
Environment
- Windows 10 22H2 VM (isolated, no internet)
- Tools: ProcMon, Wireshark, x64dbg, FakeNet-NG
Execution Behaviour
Process tree:
explorer.exe
└── invoice_march.exe (PID 4821)
└── cmd.exe /c schtasks /create ...
Persistence — Scheduled Task:
schtasks /create /tn "WindowsUpdate" /tr "C:\Users\user\AppData\Roaming\svchost.exe" /sc onlogon
Registry key written:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsUpdater" = C:\Users\user\AppData\Roaming\svchost.exe
C2 Communication
Exfiltration over SMTP (port 587) to a Gmail account. Captured in FakeNet:
EHLO DESKTOP-ABC123
AUTH LOGIN
334 dXNlcm5hbWU= # base64: username
MAIL FROM: <victim@domain.com>
Subject: [AgentTesla] | victim | DESKTOP-ABC123
Detection Opportunities
YARA Rule
rule AgentTesla_SMTP_Exfil {
    meta:
        description = "Detects AgentTesla SMTP exfiltration strings"
        tlp = "WHITE"
        author = "secbysrg"
        date = "2026-03-11"
    strings:
        $smtp1 = "smtp.gmail.com" ascii
        $smtp2 = "smtp.yandex.com" ascii
        $subj = "[AgentTesla]" ascii wide
        $net = "System.Net.Mail" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of ($smtp*) and any of ($subj, $net)
}
Sigma Rule (Scheduled Task persistence)
title: AgentTesla Scheduled Task Persistence
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # |all is required: a value list under a plain |contains is OR-ed in Sigma,
        # so without it the rule fires on every schtasks invocation
        CommandLine|contains|all:
            - 'schtasks'
            - '/create'
            - 'onlogon'
    condition: selection
level: medium
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e | Packed sample |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | Packed sample |
| Domain | smtp.gmail.com | C2 exfil channel (legitimate service; not a blockable indicator on its own, correlate with the process and subject line) |
| Registry | HKCU\...\Run\WindowsUpdater | Persistence key |
| Task | WindowsUpdate | Scheduled task name |
Mitigations
- Block outbound SMTP (port 587) at perimeter for non-mail servers
- Alert on `schtasks /create` with `/sc onlogon` from user-writable paths
- Enable AMSI for .NET assemblies
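The Sigma selection above and the "alert on `schtasks /create` with `/sc onlogon` from user-writable paths" mitigation, combined into one triage routine as an added example (not part of the original report). The process_creation events are constructed, and the list of user-writable directories is an assumption to be extended per estate.

```python
import re

# Constructed process_creation command lines (not from the original report): the first
# mirrors the schtasks persistence command captured in the sandbox, the rest are benign.
SAMPLE_EVENTS = [
    r'schtasks /create /tn "WindowsUpdate" /tr "C:\Users\user\AppData\Roaming\svchost.exe" /sc onlogon',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily',
    r'schtasks /query /tn "WindowsUpdate"',
    r'schtasks /create /tn "Sync" /tr "C:\Program Files\Sync\sync.exe" /sc onlogon',
]

# Locations a standard user can write to; a logon task pointing here is the
# pattern flagged in the Mitigations list (assumed list, extend for your estate).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public", r"\programdata")

# Extracts the /tr (task run) argument, quoted or bare.
_TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def task_action_path(cmdline):
    """Return the binary the task will run, or None if no /tr argument is present."""
    m = _TR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def sigma_selection(cmdline):
    """Equivalent of the Sigma selection with |contains|all: every token must appear (case-insensitive)."""
    low = cmdline.lower()
    return all(tok in low for tok in ("schtasks", "/create", "onlogon"))

def classify(cmdline):
    """'high' if Sigma matches and /tr is user-writable, 'medium' if only Sigma matches, else None."""
    if not sigma_selection(cmdline):
        return None
    path = task_action_path(cmdline)
    if path and any(d in path.lower() for d in USER_WRITABLE):
        return "high"
    return "medium"

def triage(cmdlines):
    """Return (severity, command line) for every event the selection matches."""
    hits = []
    for cmd in cmdlines:
        label = classify(cmd)
        if label:
            hits.append((label, cmd))
    return hits

if __name__ == "__main__":
    for severity, cmd in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```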