Agent Tesla Spyware
Updated 08/10/2019 – Updated IOC list
Agent Tesla is a .NET-based spyware. It has gone through numerous updates to add extra functionality and is commonly seen being sold on dark net sites.
It is delivered via malicious Microsoft Word documents distributed in spam or phishing campaigns. Once opened these documents ask the user to enable macros, at which point the infection process is initiated.
It then collects keystrokes, screenshots and clipboard files. It will also attempt to gather passwords and credentials from a number of applications. This information is then sent to a command and control server.
A detailed report on this can be found here.
IOC List
| 1[.]10[.]16[.]13 |
| 1[.]217[.]125[.]148 |
| 103[.]207[.]38[.]142 |
| 103[.]6[.]196[.]80 |
| 104[.]160[.]175[.]168 |
| 104[.]168[.]139[.]3 |
| 104[.]18[.]47[.]106 |
| 104[.]20[.]208[.]21 |
| 104[.]27[.]162[.]68 |
| 104[.]27[.]163[.]68 |
| 105[.]112[.]26[.]12 |
| 107[.]173[.]219[.]125 |
| 108[.]170[.]51[.]58 |
| 108[.]177[.]127[.]108 |
| 109[.]232[.]227[.]138 |
| 120[.]138[.]17[.]203 |
| 131[.]186[.]113[.]135 |
| 131[.]186[.]113[.]136 |
| 148[.]163[.]124[.]20 |
| 149[.]202[.]110[.]2 |
| 151[.]101[.]1[.]211 |
| 158[.]69[.]236[.]131 |
| 16[.]12[.]4[.]7 |
| 16[.]146[.]38[.]70 |
| 162[.]244[.]92[.]133 |
| 162[.]88[.]100[.]200 |
| 162[.]88[.]100[.]200 |
| 162[.]88[.]96[.]194 |
| 162[.]88[.]96[.]194 |
| 172[.]245[.]5[.]100 |
| 173[.]237[.]185[.]120 |
| 176[.]9[.]117[.]123 |
| 178[.]32[.]52[.]15 |
| 18[.]205[.]71[.]63 |
| 181[.]174[.]165[.]161 |
| 181[.]174[.]166[.]168 |
| 184[.]168[.]26[.]1 |
| 184[.]75[.]209[.]169 |
| 185[.]145[.]128[.]177 |
| 185[.]158[.]139[.]62 |
| 185[.]20[.]209[.]34 |
| 185[.]208[.]211[.]20 |
| 185[.]211[.]246[.]107 |
| 185[.]26[.]122[.]68 |
| 185[.]61[.]138[.]107 |
| 185[.]84[.]181[.]89 |
| 188[.]241[.]58[.]19 |
| 192[.]138[.]189[.]96 |
| 192[.]170[.]156[.]116 |
| 192[.]185[.]202[.]208 |
| 192[.]64[.]114[.]136 |
| 192[.]64[.]119[.]17 |
| 194[.]88[.]106[.]241 |
| 196[.]196[.]144[.]203 |
| 197[.]211[.]59[.]68 |
| 198[.]54[.]112[.]161 |
| 198[.]54[.]117[.]218 |
| 198[.]54[.]126[.]111 |
| 199[.]188[.]200[.]126 |
| 199[.]188[.]200[.]49 |
| 199[.]192[.]19[.]135 |
| 199[.]192[.]25[.]46 |
| 2[.]16[.]186[.]120 |
| 2[.]16[.]186[.]97 |
| 2[.]57[.]88[.]21 |
| 202[.]75[.]52[.]173 |
| 203[.]147[.]62[.]86 |
| 204[.]141[.]32[.]118 |
| 207[.]55[.]242[.]133 |
| 207[.]7[.]86[.]75 |
| 208[.]91[.]198[.]143 |
| 208[.]91[.]199[.]223 |
| 208[.]91[.]199[.]224 |
| 208[.]91[.]199[.]225 |
| 209[.]188[.]18[.]186 |
| 213[.]180[.]204[.]38 |
| 213[.]58[.]146[.]119 |
| 216[.]222[.]194[.]166 |
| 216[.]37[.]42[.]30 |
| 216[.]55[.]169[.]138 |
| 217[.]174[.]148[.]65 |
| 217[.]76[.]131[.]237 |
| 23[.]105[.]131[.]188 |
| 23[.]211[.]9[.]92 |
| 23[.]249[.]161[.]109 |
| 3[.]224[.]145[.]145 |
| 31[.]220[.]49[.]166 |
| 34[.]233[.]102[.]38 |
| 37[.]49[.]225[.]163 |
| 37[.]59[.]117[.]243 |
| 41[.]190[.]14[.]231 |
| 46[.]101[.]158[.]88 |
| 46[.]36[.]38[.]31 |
| 5[.]153[.]47[.]250 |
| 5[.]153[.]47[.]250 |
| 5[.]153[.]47[.]250 |
| 51[.]254[.]27[.]116 |
| 52[.]200[.]125[.]74 |
| 52[.]206[.]161[.]133 |
| 52[.]6[.]79[.]229 |
| 65[.]154[.]166[.]201 |
| 67[.]20[.]76[.]108 |
| 69[.]90[.]162[.]15 |
| 74[.]208[.]5[.]15 |
| 8[.]253[.]190[.]120 |
| 82[.]223[.]190[.]46 |
| 82[.]223[.]191[.]195 |
| 84[.]38[.]134[.]121 |
| 87[.]120[.]254[.]237 |
| 88[.]238[.]232[.]168 |
| 93[.]158[.]134[.]38 |
| 93[.]87[.]38[.]16 |
| 93[.]87[.]38[.]23 |
| 95[.]235[.]186[.]132 |
| 217[.]in-addr[.]arpa |
| 22y456[.]com |
| 9confederatex[.]ml |
| acrartex[.]cf |
| adastrawll[.]gq |
| adm-kingdom[.]cf |
| advantiixspa[.]tk |
| ae-photonics[.]ml |
| agenttesla[.]com |
| agodatex[.]ga |
| alankeef-co[.]tk |
| alvian[.]tk |
| amakiri[.]eu |
| amorim[.]ml |
| angloeastern[.]ga |
| anixter[.]cf |
| anonupload[.]net |
| armandogoncalves[.]tk |
| awoofrubs[.]com |
| becu[.]org |
| bencros[.]tk |
| berner[.]ml |
| bitcoindoublingsoft[.]us |
| blakeleyarts[.]com |
| blkgg[.]org |
| box[.]tradefox[.]tk |
| bxtkpuk[.]link |
| coka[.]la |
| com2c[.]com[.]au |
| composecv[.]com |
| data[.]hu |
| denmarkheating[.]net |
| diodetech[.]com |
| diodetechs[.]com |
| doko[.]moe |
| erusst[.]com |
| etisalat[.]com[.]ng |
| fav[.]al |
| freeavailabledomains[.]com |
| frontierkniters[.]in |
| gfss[.]com[.]my |
| grapco[.]ml |
| handrush[.]com/wp-content/plugins/akismet/views/DurGhamPop[.]exe |
| hwy11-17-hwy582tocoughlin[.]com |
| icf-fx[.]kz |
| impreac[.]com |
| indialanka[.]com |
| ipqbook[.]com |
| jpmorganchasse[.]com |
| kangnaterayna[.]com |
| karalismechanical[.]com |
| kelvinarinze[.]ml |
| keystonefinancials[.]org |
| lewd[.]se |
| magosnegt[.]net |
| mail[.]chinaclassic[.]com[.]sg |
| mail[.]vermak[.]com[.]tr |
| marketingempresario[.]com |
| marmarawhite[.]com |
| medicalfarmitalia[.]it |
| nascenthotels[.]com |
| netwire[.]duckdns[.]org |
| newsofmyru[.]pw |
| novomet[.]bg |
| nveeusa[.]com |
| pakistanbusinessconsultants[.]com |
| perma[.]cc |
| plubmerspro[.]us |
| porr[.]com[.]mk |
| rekings[.]com |
| repoyochar2u[.]ddns[.]net |
| repoyochar2u[.]hopto[.]org |
| riversidecasinoandresort[.]com |
| ronaldgabbypatterson[.]com |
| serviciodecorreo[.]es |
| servidoresdns[.]net |
| stevecommunication[.]ga |
| style[.]top |
| swzgvvpnj54atkfbp6in[.]ru |
| tabara-general[.]com |
| telcolaj[.]com |
| toolsalesonline[.]com/tool |
| twistermedical[.]com |
| twqezsa[.]net |
| uchservers[.]ga/ejike/ejike[.]exe |
| uchservers[.]ga/frankchizi/frankchiz[.]exe |
| uchservers[.]ga/sima/sima[.]exe |
| uchservers[.]ga/toby/toby[.]exe |
| uchservers[.]ga/yugo/yugo[.]exe |
| usa[.]cc |
| verona[.]im |
| victimsdomain[.]com |
| viswavsp[.]com |
| web[.]riderit[.]com |
| wfdblinds[.]com |
| xheaven[.]pw |
| xhr[.]open |
Affected Platforms
Microsoft Windows – All versions
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.