extracting-config-from-agent-tesla-rat

by mukul975

extracting-config-from-agent-tesla-rat skill for Malware Analysis: extract Agent Tesla .NET config, SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints with repeatable workflow guidance.

Stars0

Favorites0

Comments0

AddedMay 11, 2026

CategoryMalware Analysis

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill extracting-config-from-agent-tesla-rat

Curation Score

This skill scores 78/100, which means it is a solid but not top-tier directory listing: users should find it sufficiently triggerable and workflow-driven for Agent Tesla config extraction, but they should expect some manual judgment and missing onboarding details. The repository provides a real malware-analysis workflow, supporting references, and a helper script, so it is worth installing for cybersecurity use cases.

78/100

Strengths

Specific, well-scoped trigger: extracting embedded Agent Tesla configuration from .NET malware samples, including SMTP/FTP/Telegram/C2 data.
Operational content is substantial: the SKILL.md body is long, includes workflow sections, and the repo adds references plus a Python helper script.
Good install decision signal: frontmatter is valid, the license is present, and the documentation ties the skill to concrete analysis tasks and outputs.

Cautions

No install command in SKILL.md, so users may need to infer setup and invocation steps themselves.
Some repository content is broad/illustrative rather than complete end-to-end guidance, so advanced analysts may still need to adapt the workflow manually.

Agent Tesla Rat Dotnet Keylogger Credential Theft

Overview

Overview of extracting-config-from-agent-tesla-rat skill

What this skill does

The extracting-config-from-agent-tesla-rat skill helps you extract embedded configuration from Agent Tesla samples, including SMTP, FTP, Telegram, and other exfiltration settings. It is aimed at analysts who need the actual payload settings, not a generic malware write-up.

Who should use it

Use the extracting-config-from-agent-tesla-rat skill if you are doing malware analysis, incident response, threat hunting, or authorized reverse engineering and need quick access to indicators and infrastructure hidden inside a .NET sample. It is most useful when you already have a suspicious binary and want config details faster than manual decompilation alone.

Why it is useful

The main value is workflow guidance for decompiling .NET malware, locating encrypted strings, and validating extracted indicators. Compared with a plain prompt, this skill is better when you need a repeatable path from sample to IOC extraction and report-ready notes.

How to Use extracting-config-from-agent-tesla-rat skill

Install and load it

Use the repository skill install flow for the extracting-config-from-agent-tesla-rat install step, then open the skill files before analyzing a sample. A typical install command is:

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill extracting-config-from-agent-tesla-rat

Start with the right files

For this extracting-config-from-agent-tesla-rat guide, read SKILL.md first, then check references/api-reference.md, references/workflows.md, and references/standards.md. If you want a quick implementation clue, review scripts/agent.py to see the string and indicator logic the skill expects.

Give the skill a usable prompt

The extracting-config-from-agent-tesla-rat usage works best when you specify sample type, goal, and output format. Strong inputs look like: “Analyze this .NET sample for Agent Tesla config, extract SMTP/Telegram indicators, note deobfuscation steps, and return IOC tables plus analyst caveats.” Weak inputs like “analyze this malware” leave too much interpretation.

Match the workflow to the sample

This skill fits best when you can combine static inspection with decompilation and string extraction. If the sample is packed, heavily customized, or not .NET-based, say so up front so the workflow can adjust instead of assuming a standard Agent Tesla layout.

extracting-config-from-agent-tesla-rat skill FAQ

Is this only for Agent Tesla?

Yes, the extracting-config-from-agent-tesla-rat skill is centered on Agent Tesla RAT config extraction. It can still help with nearby .NET stealer variants, but the best results come when the sample matches the Agent Tesla family or a close derivative.

Do I need advanced reversing skills?

No, but you do need basic malware-handling discipline and the ability to recognize .NET assemblies, string obfuscation, and common IOC patterns. For beginners, this skill is useful because it narrows the path from sample to reportable findings.

How is this different from a normal prompt?

A normal prompt may describe Agent Tesla in general terms. This extracting-config-from-agent-tesla-rat skill is better when you want a concrete extraction workflow, including what to inspect first, what indicators to capture, and how to avoid missing hidden config fields.

When should I not use it?

Do not use it as a substitute for full forensic validation, sandboxing policy, or legal authorization. It is also a poor fit if your main task is behavior emulation, full detonation analysis, or unpacking malware that is not .NET-based.

How to Improve extracting-config-from-agent-tesla-rat skill

Provide sample-specific context

The biggest quality boost comes from giving the extracting-config-from-agent-tesla-rat skill the sample hash, suspected family, file type, and any observed strings or imports. If you already saw smtp, telegram, or WebMonitor artifacts, include them so the analysis can focus on likely config locations.

Ask for the exact output you need

Say whether you want IOC extraction, a deobfuscation walkthrough, an analyst summary, or a report template filled in. The repo includes an analysis-report structure, so you can improve results by asking for fields like SHA-256, findings, extracted IOCs, and recommendations in one pass.

Watch for common failure modes

The most common miss is assuming every sample stores config the same way. With extracting-config-from-agent-tesla-rat, better results come from telling the skill whether strings are plaintext, XOR/base64-like, or hidden behind .NET reflection and resource loading. That reduces false confidence and helps avoid empty IOC tables.

Iterate after the first pass

If the first output is partial, follow up with targeted prompts such as “re-scan for Telegram bot token patterns,” “separate hardcoded config from runtime-resolved values,” or “map each IOC to evidence line numbers.” This usually improves the extracting-config-from-agent-tesla-rat skill output more than broad re-analysis.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

Malware Analysis

Favorites 0GitHub 6.2k

detecting-ransomware-encryption-behavior

by mukul975

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.

Incident Response

Favorites 0GitHub 0

deobfuscating-javascript-malware

by mukul975

deobfuscating-javascript-malware helps analysts turn heavily obfuscated malicious JavaScript into readable code for malware analysis, phishing pages, web skimmers, droppers, and browser-delivered payloads. Use this deobfuscating-javascript-malware skill for structured deobfuscation, decode tracing, and controlled review when simple minification is not the issue.

Malware Analysis

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-macro-malware-in-office-documents

by mukul975

analyzing-macro-malware-in-office-documents helps malware analysts inspect malicious VBA in Word, Excel, and PowerPoint files, decode obfuscation, and extract IOCs, execution paths, and payload staging logic for phishing triage, incident response, and document malware analysis.

Malware Analysis

Favorites 0GitHub 0

analyzing-golang-malware-with-ghidra

by mukul975

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

Security Audit

Favorites 0GitHub 0

analyzing-supply-chain-malware-artifacts

by mukul975

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

Malware Analysis

Favorites 0GitHub 6.1k

analyzing-linux-kernel-rootkits

by mukul975

analyzing-linux-kernel-rootkits helps DFIR and threat-hunting workflows detect Linux kernel rootkits with Volatility3 cross-view checks, rkhunter scans, and /proc vs /sys analysis for hidden modules, hooked syscalls, and tampered kernel structures. It is a practical analyzing-linux-kernel-rootkits guide for forensic triage.

Digital Forensics

Favorites 0GitHub 0

detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Use this detecting-mimikatz-execution-patterns skill install for Security Audit, hunting, and incident response with templates, references, and workflow guidance.

Security Audit

Favorites 0GitHub 0

detecting-rootkit-activity

by mukul975

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

Malware Analysis

Favorites 0GitHub 6.2k

detecting-mobile-malware-behavior

by mukul975

The detecting-mobile-malware-behavior skill analyzes suspicious Android and iOS apps for permission abuse, runtime activity, network indicators, and malware-like patterns. Use it for triage, incident response, and detecting-mobile-malware-behavior for Security Audit workflows with evidence-backed mobile analysis.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-payment-wallets

by mukul975

analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-encryption-mechanisms

by mukul975

analyzing-ransomware-encryption-mechanisms skill for malware analysis, focused on identifying ransomware encryption, key handling, and decryption feasibility. Use it to inspect AES, RSA, ChaCha20, hybrid schemes, and implementation flaws that may support recovery.

Malware Analysis

Favorites 0GitHub 6.1k

extracting-iocs-from-malware-samples

by mukul975

extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.

Malware Analysis

Favorites 0GitHub 0