# Extracting Config from Agent Tesla RAT

Extract embedded configuration from Agent Tesla RAT samples, including SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints, using .NET decompilation and memory analysis.

## Overview

Agent Tesla is a .NET-based Remote Access Trojan (RAT) and keylogger that ranked among the top 10 malware variants in 2024, impacting 6.3% of corporate networks globally. It exfiltrates stolen credentials via SMTP email, FTP upload, the Telegram bot API, or Discord webhooks. The malware configuration is embedded in the .NET assembly and is typically obfuscated with string encryption, resource encryption, or a custom loader that decrypts and executes Agent Tesla in memory via .NET Reflection (fileless); in the loader case the file that reaches disk contains only the loader's strings, and the real payload has to be dumped from memory or unpacked (see de4dot and the sandboxes below) before its configuration can be read. Configuration extraction involves decompiling the .NET assembly with dnSpy or ILSpy, identifying the decryption routine for configuration strings, and extracting SMTP server addresses, credentials, FTP endpoints, Telegram bot tokens, and the list of targeted applications.

## When to Use

- When performing authorized security testing that involves extracting configuration from Agent Tesla RAT samples
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- dnSpy or ILSpy for .NET decompilation
- Python 3.9+ (with `pythonnet` to drive `dnlib` when automating metadata access)
- de4dot for .NET deobfuscation
- Understanding of .NET IL code and Reflection
- Sandbox for dynamic analysis (ANY.RUN, CAPE)

## Workflow

### Step 1: Deobfuscate and Extract Configuration

```python
#!/usr/bin/env python3
"""Extract Agent Tesla RAT configuration from .NET assemblies."""
import re
import sys
import json
import base64
import hashlib


def wide_to_narrow(data):
    """Collapse UTF-16LE runs of printable ASCII into plain ASCII bytes.

    .NET string literals live in the #US metadata heap as UTF-16LE, so a
    byte-level ASCII regex over the raw file misses them unless the buffer
    is normalised first.
    """
    runs = re.findall(rb'(?:[\x20-\x7e]\x00){4,}', data)
    return b'\n'.join(r[::2] for r in runs)


def extract_strings_from_dotnet(filepath):
    """Extract config-looking strings from a .NET binary (raw and UTF-16LE views)."""
    with open(filepath, 'rb') as f:
        data = f.read()

    views = (data, wide_to_narrow(data))

    # Common Agent Tesla config patterns
    patterns = {
        "smtp_server": re.compile(rb'smtp[\.\-][\w\.\-]+\.\w{2,}', re.I),
        "email": re.compile(rb'[\w\.\-]+@[\w\.\-]+\.\w{2,}'),
        "ftp_url": re.compile(rb'ftp://[\w\.\-:/]+', re.I),
        "telegram_token": re.compile(rb'\d{8,10}:[A-Za-z0-9_-]{35}'),
        "telegram_chat": re.compile(rb'(?:chat_id=|chatid[=:])[\-]?\d{5,15}', re.I),
        "discord_webhook": re.compile(rb'https://discord\.com/api/webhooks/\d+/[\w-]+'),
        "password": re.compile(rb'(?:pass(?:word)?|pwd)[=:]\s*[\w!@#$%^&*]{4,}', re.I),
        "port": re.compile(rb'(?:port|smtp_port)[=:]\s*\d{2,5}', re.I),
    }

    results = {}
    for name, pattern in patterns.items():
        matches = [m for view in views for m in pattern.findall(view)]
        if matches:
            # keep first-seen order, drop duplicates across the two views
            results[name] = list(dict.fromkeys(
                m.decode('utf-8', errors='replace') for m in matches))

    # Base64-encoded strings (common obfuscation)
    b64_pattern = re.compile(rb'[A-Za-z0-9+/]{20,}={0,2}')
    b64_decoded = []
    for view in views:
        for match in b64_pattern.finditer(view):
            try:
                decoded = base64.b64decode(match.group(), validate=True)
                text = decoded.decode('utf-8', errors='strict')
                if text.isprintable() and len(text) > 5:
                    b64_decoded.append(text)
            except Exception:
                pass

    if b64_decoded:
        results["base64_decoded_strings"] = b64_decoded[:30]

    return results


def decrypt_agenttesla_strings(data, key_hex):
    """Recover XOR-obfuscated strings once the repeating key is known.

    Older builds are described above as using a simple XOR with a key.
    XOR output is spread evenly over 0x00-0xff, so the original heuristic
    (runs of bytes >= 0x80) skipped nearly every real blob; instead the
    whole buffer is decrypted at each key alignment and printable runs that
    look like exfiltration config are kept.
    """
    key = bytes.fromhex(key_hex)
    config_like = re.compile(rb'@|smtp|ftp|http|telegram|discord', re.I)
    found = []
    for shift in range(len(key)):
        decrypted = bytes(b ^ key[(i + shift) % len(key)] for i, b in enumerate(data))
        for run in re.findall(rb'[\x20-\x7e]{6,}', decrypted):
            if config_like.search(run):
                found.append(run.decode('ascii'))

    # Newer builds (SHA-256-derived key, then AES) need the key material taken
    # from the decompiled decryption routine; that path is not implemented here.
    return list(dict.fromkeys(found))


def analyze_exfiltration_config(config):
    """Analyze extracted configuration for exfiltration methods."""
    methods = []

    if config.get("smtp_server"):
        methods.append({
            "type": "SMTP",
            "servers": config["smtp_server"],
            "emails": config.get("email", []),
        })

    if config.get("ftp_url"):
        methods.append({
            "type": "FTP",
            "urls": config["ftp_url"],
        })

    if config.get("telegram_token"):
        methods.append({
            "type": "Telegram",
            "tokens": config["telegram_token"],
            "chat_ids": config.get("telegram_chat", []),
        })

    if config.get("discord_webhook"):
        methods.append({
            "type": "Discord",
            "webhooks": config["discord_webhook"],
        })

    return methods


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <agent_tesla_sample> [xor_key_hex]")
        sys.exit(1)

    with open(sys.argv[1], 'rb') as f:
        sample = f.read()

    config = extract_strings_from_dotnet(sys.argv[1])
    methods = analyze_exfiltration_config(config)

    report = {
        "sha256": hashlib.sha256(sample).hexdigest(),
        "raw_config": config,
        "exfiltration_methods": methods,
    }
    if len(sys.argv) > 2:
        report["xor_decrypted_strings"] = decrypt_agenttesla_strings(sample, sys.argv[2])
    print(json.dumps(report, indent=2))
```

### Bundled script: `scripts/agent.py`

The skill bundle ships a second, command-line triage script. The start of the file (imports, the indicator list, and the helpers `compute_file_hashes`, `extract_strings` and the head of `find_smtp_config`) was lost in extraction; the part above the marked line below is reconstructed from how the surviving code uses it and is labelled as such in the source.

```python
#!/usr/bin/env python3
"""scripts/agent.py - string-scanning triage for suspected Agent Tesla samples.

Everything above the "original code resumes" marker was reconstructed from
how the surviving code calls it; it is not recovered from the original file.
"""
import argparse
import base64
import hashlib
import json
import os
import re
from datetime import datetime, timezone

# Reconstructed placeholder. The original list was not recovered; these are
# .NET APIs and service hosts implied by the exfiltration channels, keylogging
# and screenshot capture described on this page. Replace with indicators taken
# from your own samples.
AGENT_TESLA_INDICATORS = {
    "strings": [
        "SmtpClient", "MailMessage", "FtpWebRequest",
        "api.telegram.org", "discord.com/api/webhooks",
        "GetAsyncKeyState", "CopyFromScreen",
    ]
}


def compute_file_hashes(file_path):
    """MD5/SHA-1/SHA-256 of the sample (reconstructed helper)."""
    with open(file_path, "rb") as f:
        data = f.read()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(file_path, min_len=4):
    """Printable ASCII and UTF-16LE strings (reconstructed helper).

    .NET string literals are stored UTF-16LE, so an ASCII-only pass misses them.
    """
    with open(file_path, "rb") as f:
        data = f.read()
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [r.decode("ascii") for r in ascii_runs]
    found += [r.decode("utf-16le") for r in wide_runs]
    return found


def find_smtp_config(strings_list):
    """Extract SMTP exfiltration configuration."""
    config = {"smtp_server": None, "smtp_port": None, "email": None}
    for s in strings_list:
        if re.match(r"(?:smtp|mail)\.[\w.-]+\.\w{2,}$", s, re.I):
            config["smtp_server"] = s
        # --- end of reconstructed part; original code resumes below ---
        if re.match(r'^\d{2,5}$', s) and int(s) in (25, 465, 587, 2525):
            config["smtp_port"] = int(s)
        if re.match(r'[\w.+-]+@[\w-]+\.[\w.]+', s):
            config["email"] = s
    return config


def find_ftp_config(strings_list):
    """Extract FTP exfiltration configuration."""
    config = {"ftp_server": None, "ftp_user": None, "ftp_password": None}
    for s in strings_list:
        if re.match(r'ftp\.\w+\.\w+', s, re.I):
            config["ftp_server"] = s
        if "ftp://" in s.lower():
            config["ftp_url"] = s
    return config


def find_telegram_config(strings_list):
    """Extract Telegram bot exfiltration config."""
    config = {"bot_token": None, "chat_id": None}
    for s in strings_list:
        if re.match(r'\d{8,12}:[A-Za-z0-9_-]{35}', s):
            config["bot_token"] = s
        if re.match(r'^-?\d{9,13}$', s):
            config["chat_id"] = s
    return config


def decode_base64_strings(strings_list):
    """Try to decode base64-encoded configuration strings."""
    decoded = []
    for s in strings_list:
        if len(s) > 20 and re.match(r'^[A-Za-z0-9+/=]+$', s):
            try:
                d = base64.b64decode(s).decode("utf-8", errors="replace")
                # all(), not any(): almost any binary blob contains one printable byte
                if all(c.isprintable() for c in d) and len(d) > 4:
                    decoded.append({"encoded": s[:40], "decoded": d[:100]})
            except Exception:
                pass
    return decoded


def analyze_sample(file_path):
    """Full analysis of suspected Agent Tesla sample."""
    hashes = compute_file_hashes(file_path)
    strings = extract_strings(file_path)

    indicators_found = []
    for indicator in AGENT_TESLA_INDICATORS["strings"]:
        if any(indicator.lower() in s.lower() for s in strings):
            indicators_found.append(indicator)

    smtp = find_smtp_config(strings)
    ftp = find_ftp_config(strings)
    telegram = find_telegram_config(strings)
    b64_decoded = decode_base64_strings(strings)

    return {
        "file": file_path,
        "file_size": os.path.getsize(file_path),
        "hashes": hashes,
        "agent_tesla_indicators": indicators_found,
        "is_agent_tesla": len(indicators_found) >= 3,
        "config": {
            "smtp": smtp,
            "ftp": ftp,
            "telegram": telegram,
        },
        "base64_decoded": b64_decoded[:10],
        "total_strings": len(strings),
    }


def main():
    parser = argparse.ArgumentParser(
        description="Extract configuration from Agent Tesla RAT samples"
    )
    parser.add_argument("sample", help="Path to suspected Agent Tesla sample")
    parser.add_argument("--output", "-o", help="Output JSON report")
    parser.add_argument("--verbose", "-v", action="store_true",
                        help="List every matched indicator")
    args = parser.parse_args()

    print("[*] Agent Tesla Configuration Extraction Agent")
    result = analyze_sample(args.sample)

    print(f"[*] SHA256: {result['hashes']['sha256']}")
    print(f"[*] Agent Tesla indicators: {len(result['agent_tesla_indicators'])}")
    if args.verbose:
        for indicator in result["agent_tesla_indicators"]:
            print(f"    indicator: {indicator}")
    print(f"[*] Likely Agent Tesla: {result['is_agent_tesla']}")

    if result["config"]["smtp"]["smtp_server"]:
        print(f"[*] SMTP C2: {result['config']['smtp']['smtp_server']}")
    if result["config"]["telegram"]["bot_token"]:
        print("[*] Telegram bot token found")

    report = {"timestamp": datetime.now(timezone.utc).isoformat(), "analysis": result}

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"[*] Report saved to {args.output}")
    else:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

## Validation Criteria

- Exfiltration method identified (SMTP/FTP/Telegram/Discord)
- Server addresses and credentials extracted from config
- Targeted applications list recovered
- Keylogger and screenshot capture settings documented
- Persistence mechanism identified
- IOCs suitable for network blocking extracted

## References

- [Splunk - Agent Tesla Detection and Analysis](https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html)
- [Qualys - Catching the RAT Agent Tesla](https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla)
- [ANY.RUN Agent Tesla Analysis](https://any.run/malware-trends/agenttesla/)
- [Trustwave - Agent Tesla Novel Loader](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/)
- [Malpedia - Agent Tesla](https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla)

---

Source: `skills/extracting-config-from-agent-tesla-rat/SKILL.md` in [mukul975/anthropic-cybersecurity-skills](https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/extracting-config-from-agent-tesla-rat/SKILL.md), author @skillopedia, Apache-2.0, version v1, imported 2026-06-05.