Files
Anthropic-Cybersecurity-Skills/skills/extracting-config-from-agent-tesla-rat/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.2 KiB

API Reference: Agent Tesla RAT Configuration Extraction

Agent Tesla Overview

  • Type: .NET RAT / Information Stealer
  • Exfiltration: SMTP, FTP, Telegram, HTTP POST
  • Capabilities: Keylogging, clipboard, screenshots, credential theft

String Extraction

Python Regex for ASCII Strings

re.finditer(rb'[\x20-\x7e]{6,}', binary_data)

Wide Strings (UTF-16LE)

re.finditer(rb'(?:[\x20-\x7e]\x00){6,}', binary_data)

Configuration Indicators

SMTP Exfiltration

Field Pattern
Server smtp.gmail.com, smtp.yandex.com
Port 587, 465, 25
Email [\w.+-]+@[\w-]+\.[\w.]+
Password Base64 or XOR encoded

FTP Exfiltration

Field Pattern
Server ftp.\w+\.\w+
URI ftp://user:pass@host/path

Telegram Bot

Field Pattern
Bot Token \d{8,12}:[A-Za-z0-9_-]{35}
Chat ID \d{9,13}
API URL api.telegram.org/bot{token}/sendDocument

.NET Decompilation

dnSpy

# Open sample in dnSpy
# Navigate to namespace: AgentTesla / WebMonitor / etc.
# Look for hardcoded credentials in static fields

ILSpy / dotPeek

Alternative .NET decompilers for config extraction.

YARA Rule

rule AgentTesla {
    meta:
        description = "Agent Tesla keylogger/RAT"
    strings:
        $smtp = "SmtpPort" ascii wide
        $hook = "KeyboardHook" ascii wide
        $clip = "GetClipboardData" ascii wide
        $ns1 = "AgentTesla" ascii
        $ns2 = "WebMonitor" ascii
    condition:
        uint16(0) == 0x5A4D and 3 of them
}

File Hashing

Python hashlib

import hashlib
sha256 = hashlib.sha256(open(path, 'rb').read()).hexdigest()

VirusTotal API — Sample Lookup

GET https://www.virustotal.com/api/v3/files/{sha256}
x-apikey: {API_KEY}

Response Fields

Field Description
data.attributes.popular_threat_classification Malware family
data.attributes.last_analysis_stats AV detection counts
data.attributes.sandbox_verdicts Sandbox analysis results

Sandbox Analysis

  • ANY.RUN: Interactive analysis
  • Hybrid Analysis: Automated report
  • Joe Sandbox: Deep behavioral analysis