Tracking AgentTesla: Real-World Malware Behavior Analysis Using Joe Sandbox
The article analyses the behaviour of the AgentTesla malware: it steals credentials and system information, exfiltrates data over SMTP, creates a scheduled task for persistence, and uses PowerShell to disable Windows Defender. The sample evades analysis through process injection and virtualization-environment detection. 2025-8-5 08:37:45 Author: infosecwriteups.com

Yug Shah

AgentTesla is one of the most prevalent .NET-based information stealers in the wild. Known for its leaked builder kits and wide feature set, it targets credentials and system information and sends the stolen data via SMTP, FTP, or Telegram.

In this post, I break down the real behavior of an AgentTesla sample from a Joe Sandbox public report. Without uploading malware myself, I used Joe Sandbox’s free public analysis feed to reverse how this sample behaves on a compromised system, including the processes it spawns, the persistence it creates, and the MITRE ATT&CK techniques it maps to.

Sample Name: Purchase Order 4500564358.exe
MD5 Hash: 9fd96b295c182c936d74dbb92a96a4d4
Malware Family: AgentTesla
Execution Environment: Windows 10 x64 (Joe Sandbox cloud)

  • Keystroke logging
  • Clipboard access
  • Password and session cookie theft
  • SMTP-based data exfiltration
  • Persistence via scheduled tasks
  • System reconnaissance
  • Sandbox/VM evasion

The sample executes multiple times, drops copies of itself, creates scheduled tasks, and uses PowerShell to modify Windows Defender exclusions.

Process Tree: System is w10x64

Purchase Order 4500564358.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\Purchase Order 4500564358.exe" MD5: 9FD96B295C182C936D74DBB92A96A4D4)
powershell.exe (PID: 6248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
WmiPrvSE.exe (PID: 6216 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
schtasks.exe (PID: 6284 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaPhkhYtQQh" /XML "C:\Users\user\AppData\Local\Temp\tmp2665.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Purchase Order 4500564358.exe (PID: 4768 cmdline: "C:\Users\user\Desktop\Purchase Order 4500564358.exe" MD5: 9FD96B295C182C936D74DBB92A96A4D4)
Purchase Order 4500564358.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\Purchase Order 4500564358.exe" MD5: 9FD96B295C182C936D74DBB92A96A4D4)
NaPhkhYtQQh.exe (PID: 7972 cmdline: C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe MD5: 9FD96B295C182C936D74DBB92A96A4D4)
schtasks.exe (PID: 3680 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaPhkhYtQQh" /XML "C:\Users\user\AppData\Local\Temp\tmp9816.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
NaPhkhYtQQh.exe (PID: 2884 cmdline: "C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe" MD5: 9FD96B295C182C936D74DBB92A96A4D4)
Cleanup

MITRE ATT&CK techniques mapped:

- T1055: Process Injection
- T1053.005: Scheduled Task/Job: Scheduled Task
- T1562.001: Impair Defenses: Disable or Modify Tools
- T1555: Credentials from Password Stores
- T1539: Steal Web Session Cookies
- T1087: Account Discovery
- T1082: System Information Discovery
- T1497: Virtualization/Sandbox Evasion

Even when no malicious domains or IPs are flagged, malware like AgentTesla leaves behind plenty of host-level indicators useful for detection.

C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe
C:\Users\user\AppData\Local\Temp\tmp2665.tmp
powershell.exe Add-MpPreference -ExclusionPath "..."
schtasks.exe /Create /TN "Updates\NaPhkhYtQQh"
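The host-level indicators listed above (the Add-MpPreference exclusion, the schtasks /Create call fed from a Temp XML, and the dropped copy under AppData\Roaming) translate directly into detection logic. The Python below is an added example written for this write-up; it is not code from the author, from Joe Sandbox, or from the linked GitHub repo. It runs over constructed process-creation events that mirror the sandbox process tree (PIDs, paths and command lines are taken from the report; the parent images, the Sysmon-style field names and the two benign admin events added for contrast are assumptions), tags each finding with the ATT&CK technique the post maps it to, and escalates when the path that was excluded from Defender is later executed from Roaming.

```python
import re
from collections import Counter, namedtuple

# Simplified Sysmon Event ID 1 (process creation) record. The field names are
# assumptions for this example, not a Joe Sandbox or Sysmon schema.
Event = namedtuple("Event", "pid parent_image image cmdline")
Finding = namedtuple("Finding", "pid technique severity description")

# Constructed events mirroring the sandbox process tree. PIDs, images and
# command lines follow the report; parent images and the two benign admin
# events at the end are assumptions added for contrast.
SAMPLE_EVENTS = [
    Event(7888, r"C:\Windows\explorer.exe",
          r"C:\Users\user\Desktop\Purchase Order 4500564358.exe",
          r'"C:\Users\user\Desktop\Purchase Order 4500564358.exe"'),
    Event(6248, r"C:\Users\user\Desktop\Purchase Order 4500564358.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe"'),
    Event(6284, r"C:\Users\user\Desktop\Purchase Order 4500564358.exe",
          r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaPhkhYtQQh" '
          r'/XML "C:\Users\user\AppData\Local\Temp\tmp2665.tmp"'),
    Event(7972, r"C:\Windows\System32\svchost.exe",  # assumed: launched by the task scheduler
          r"C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe",
          r"C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe"),
    Event(3680, r"C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe",
          r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaPhkhYtQQh" '
          r'/XML "C:\Users\user\AppData\Local\Temp\tmp9816.tmp"'),
    Event(4100, r"C:\Windows\explorer.exe",  # benign: an admin reading Defender settings
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-MpPreference"),
    Event(4200, r"C:\Windows\explorer.exe",  # benign: querying, not creating, a task
          r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Query /TN "Updates\NaPhkhYtQQh"'),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_exclusion_paths(cmdline):
    """Paths passed to Add-MpPreference -ExclusionPath (T1562.001), or [] if none."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return []
    m = re.search(r'-ExclusionPath\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not m:
        return []
    raw = m.group(1) or m.group(2)
    return [p.strip() for p in raw.split(",") if p.strip()]


def parse_schtasks_create(cmdline):
    """(task_name, xml_path) for a schtasks /Create ... /XML call, else None."""
    if not re.search(r"/Create\b", cmdline, re.I):
        return None
    tn = re.search(r'/TN\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    xml = re.search(r'/XML\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not tn or not xml:
        return None
    return (tn.group(1) or tn.group(2), xml.group(1) or xml.group(2))


def analyze(events):
    """Run the host-level rules over process-creation events and correlate them."""
    findings = []
    excluded = set()       # paths excluded from Defender scanning, lower-cased
    roaming_execs = {}     # executables launched from %AppData%\Roaming -> pid
    for ev in events:
        name = _basename(ev.image)
        if name == "powershell.exe":
            for path in extract_exclusion_paths(ev.cmdline):
                excluded.add(path.lower())
                findings.append(Finding(ev.pid, "T1562.001", "medium",
                                        f"Defender exclusion added for {path}"))
        elif name == "schtasks.exe":
            parsed = parse_schtasks_create(ev.cmdline)
            if parsed and re.search(r"\\appdata\\local\\temp\\", parsed[1], re.I):
                findings.append(Finding(ev.pid, "T1053.005", "medium",
                                        f"Task {parsed[0]} created from temp XML {parsed[1]}"))
        if re.search(r"\\appdata\\roaming\\[^\\]+\.exe$", ev.image, re.I):
            roaming_execs[ev.image.lower()] = ev.pid
    # Correlation: a binary that was excluded from Defender and then ran from
    # Roaming is the persistence payload itself, so escalate to high.
    for path, pid in roaming_execs.items():
        if path in excluded:
            findings.append(Finding(pid, "correlation", "high",
                                    f"Defender-excluded binary executed from Roaming: {path}"))
    return findings


def technique_counts(findings):
    """Technique -> number of findings, for summaries and assertions."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] PID {f.pid} {f.technique}: {f.description}")
```

The two benign events show why the rules key on the verb: a Get-MpPreference call and a schtasks /Query pass through untouched, while only the combination of an exclusion, a task created from a Temp XML and execution of the excluded path from Roaming produces the high-severity finding.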

The malware does not reach out to traditional C2 IPs or URLs, but it does:

  • Query ip-api.com for IP geolocation
  • Contain hardcoded SMTP credentials:
    [email protected] : Money@2025
    SMTP host: cphost14.qhoster.net
    Port: 587

This strongly indicates data exfiltration over SMTP, a classic AgentTesla trait.
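Because the exfiltration channel is plain SMTP submission rather than a flagged C2 address, the network-side signal is the process, not the destination. The Python below is an added example for this post, not the author's code; it classifies constructed network-connection events (simplified Sysmon Event ID 3 style, a hypothetical schema) and raises confidence when the same non-mail-client process both queries ip-api.com and opens an SMTP port. The benign mail-client and browser entries, and the port used for the ip-api.com request, are assumptions.

```python
from collections import namedtuple

# Simplified Sysmon Event ID 3 (network connection) record; field names are
# assumptions for this example.
NetEvent = namedtuple("NetEvent", "pid image dest_host dest_port")

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # processes expected to talk SMTP
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}      # processes expected to hit geo-IP sites
SMTP_PORTS = {25, 465, 587}
GEOIP_HOSTS = {"ip-api.com"}

# Constructed events: the first two mirror the report (dropped copy querying
# ip-api.com, then SMTP to cphost14.qhoster.net:587); the rest are benign contrast.
SAMPLE_NET_EVENTS = [
    NetEvent(7972, r"C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe", "ip-api.com", 80),
    NetEvent(7972, r"C:\Users\user\AppData\Roaming\NaPhkhYtQQh.exe", "cphost14.qhoster.net", 587),
    NetEvent(5100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.office365.com", 587),
    NetEvent(5200, r"C:\Program Files\Mozilla Firefox\firefox.exe", "ip-api.com", 443),
]


def classify(ev):
    """Label one connection event, or return None when it looks expected."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.dest_port in SMTP_PORTS and name not in MAIL_CLIENTS:
        return "smtp-from-non-mail-client"
    if ev.dest_host.lower() in GEOIP_HOSTS and name not in BROWSERS:
        return "geoip-lookup-from-non-browser"
    return None


def detect_exfil(events):
    """PID -> confidence. A PID showing both a geo-IP lookup and SMTP is 'high'."""
    labels_by_pid = {}
    for ev in events:
        label = classify(ev)
        if label:
            labels_by_pid.setdefault(ev.pid, set()).add(label)
    return {pid: ("high" if len(labels) == 2 else "medium")
            for pid, labels in labels_by_pid.items()}


if __name__ == "__main__":
    print(detect_exfil(SAMPLE_NET_EVENTS))
```

Outlook on port 587 and a browser visiting ip-api.com are left alone; only PID 7972, which does both from a binary under AppData\Roaming, is reported, and at high confidence because the geolocation lookup precedes the SMTP session in the same process.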

Basic-level diagram of how the malware runs and what processes it creates. No copyright intended; made by me on draw.io.

  • Even if there are no malicious URLs/IPs, behavior-based indicators (file paths, process trees, commands) provide deep insight.
  • Joe Sandbox offers a rich public repository of malware reports, great for learning and showcasing threat analysis without needing to touch raw malware.
  • Mapping behaviors to MITRE ATT&CK makes the analysis standardized, sharable, and easier to convert into detection rules.

You can view the structured findings and extracted IOCs in my GitHub repo:
🔗 https://github.com/Y-yug-S-shah/Agenttesla_analysis/

A detailed YouTube video is coming on August 5th where I’ll walk through this entire sample, from sandbox analysis to MITRE mapping.

You can also check out my previous video on PhishHound:

https://www.youtube.com/@defenderdiarybyyug?sub_confirmation=1

If you’re into Blue Teaming, SOC workflows, or want to learn malware behavior the safe way, follow along!
Feel free to suggest the next malware family I should reverse using public sandboxes like Joe Sandbox or Hatching Triage.


Source: https://infosecwriteups.com/%EF%B8%8F-%EF%B8%8F-tracking-agenttesla-real-world-malware-behavior-analysis-using-joe-sandbox-60c8b923e651?source=rss----7b722bfd1b8d---4