Trojan “Tesla” on my system

Windows Defender picked up this very nasty trojan Trojan: Tesla (Trojan:Win32/AgentTesla!ml) which does keylogging etc… after I installed Portfolio Performance via the Windows installer on my laptop.

This is one of the worst Trojans out there and a severe threat to any of your login password accounts without 2 factor authentication.

You cannot scan for this Trojan in an exe, for example by scanning the Windows installer file PortfolioPerformance-0.68.3-setup.exe with a virus scanner, to see if it’s OK and clean.
It hides very well from scanners (see here - Catching the RAT called Agent Tesla | Qualys Security Blog)

It’s picked up later by Windows Defender after it spreads to other files unpacking itself out of its source exe.

I never usually download and install software on my laptop, my Administrator account is a separate Windows account, and the only app I have downloaded in many months has been Portfolio Performance Windows installer.

I would encourage people to use Windows Defender to scan their systems just in case.

Welcome to the world of false positive signature assumed heuristic scans. This could result in the scanner assuming a finding where there isn’t anything. Scan the file with

However, is Windows Defender really good enough to protect your data?
The answer is no. Despite its convenience and somewhat acceptable protection rates, Microsoft Defender is lacking when it comes to dealing with more serious cyber threats. Even some free contenders offer better protection, compared to Microsoft Defender. The antivirus is also lacking in terms of reliable scans and secure browsing options.


Thank you but this is incorrect.

This Trojan CANNOT be picked up on a scan of the exe.
Which is why it’s so dangerous.

Only when it unpacks itself into other directories can it be detected. After installing Portfolio-Performance Windows Installer exe, it was detected by Windows Defender when it unpacked itself here

and here

I have used ADlice Roguekiller and Hitman Pro to check over the system after Microsoft Defender removed the Trojan.

So what’s your point now?


1 Like

That’s bull****! Sorry to be so rude, but that’s not true!

If you’re an expert, use your knowledge and show it to us in the code. The code is completely open source. Actually I have the feeling you read something on the Internet and are just talking like that.


I had just for fun downloaded the Windows installer release of PP with Norton 360 in the background. There were no alerts at all during the installation.

I just loaded the installer file into the sandbox of my employer’s SOC for fun. Result: Nothing

I would advise people not to let you drive them crazy.


In plain English, it cannot be detected by a virus scanner scanning and looking at the exe file

Would you prefer I not report what happened? I am not making this up!

Read the article on the Trojan.

‘main payload code contains an obfuscated first stage PE dll file where char “@” is added for “000” at multiple locations. This helps Agent Tesla evade signature-based detection.’
In plain English, it cannot be detected by a virus scanner scanning and looking at the exe file for the signature.

Only when it is later triggered by something does it unpack as in the diagram in the article.

Its capabilities - "keylogging, screen capture, form-grabbing, credential stealing, and more. It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook – making its potential impact truly catastrophic."

Unfortunately this is what occurred and you have to say it is very well targeted software, for such a Trojan. Unfortunately there are many malicious actors out there - even whole countries like North Korea etc… who regularly commit such abuse.

Here is a case of open source software used by millions, designed to open a backdoor so someone could take over any Linux system (XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor) well hidden and only detected by the remotest chance discovery. It’s not unknown at all.

I used portfolio-performance extensively and some operation must have triggered the trojan code to unpack. It’s not as simple as loading it in a sandbox and running a virus scanner.

I might open a sandbox and see if I can trigger it again though.
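Added illustration, not part of any poster's message and not code from Portfolio Performance or the Qualys article: the quoted "@"-for-"000" substitution shown from the scanner's side, where a literal signature misses the stored text and a scan that first undoes single-character zero-run substitution finds it. The header bytes are a constructed sample, the function names are hypothetical, and trying zero runs of other lengths goes slightly beyond the one case the article describes.

```python
import string

# Hex text of the typical first six bytes of a PE file (MZ, 0x0090, 0x0003).
# Assumption: the common DOS-header values, chosen to keep the check strict.
PE_PREFIX_HEX = "4D5A90000300"

# Constructed sample: 16 bytes shaped like a PE header start, not real malware.
SAMPLE_HEADER = bytes.fromhex("4D5A90000300000004000000FFFF0000")

def encode_like_article(data: bytes) -> str:
    """Hex text with "000" swapped for "@", as the quoted article describes."""
    return data.hex().upper().replace("000", "@")

def naive_signature_scan(text: str) -> bool:
    """Literal match on the stored text, like a static byte signature."""
    return PE_PREFIX_HEX in text.upper()

def normalised_scan(text: str, max_zero_run: int = 4):
    """Undo single-character zero-run substitution, then re-check.

    Returns (filler, zeros_restored) for the first token that turns into
    PE-header hex, or None when no token does.
    """
    hexdigits = set(string.hexdigits)
    for token in text.split():
        fillers = set(token) - hexdigits
        if len(token) < 16 or len(fillers) != 1:
            continue  # not a hex blob with exactly one filler character
        filler = fillers.pop()
        for zeros in range(1, max_zero_run + 1):
            candidate = token.replace(filler, "0" * zeros).upper()
            if candidate.startswith(PE_PREFIX_HEX):
                return filler, zeros
    return None

if __name__ == "__main__":
    stored = encode_like_article(SAMPLE_HEADER)
    print("stored form:     ", stored)
    print("naive match:     ", naive_signature_scan(stored))
    print("normalised match:", normalised_scan(stored))
```
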

Again, what is the point you’d like to make, rather than talking about something you obviously do not understand?

Or is this your first ever try of trolling?


1 Like

It’s strange how you are so antagonistic towards an ordinary user who posted this very real problem with a keylogger installed that can rip off all your accounts.

If others have found this problem at least they can do a search for ‘Trojan’ and add to the thread.

I will reinstall PP in a sandbox and use it there and there only for now, and see if it infects the sandbox.

As you’re an expert, why don’t you just look up the source code? It’s free and open!

1 Like


No, I wouldn’t prefer that. I am grateful to you for sharing your information here. :smiley:

But it’s wrong to assume that this forum is populated by idiots and Danger freaks.

Considering this fact and the fact that no one else has this problem except you, it is very likely that it is a false alarm. :nerd_face:

And if not, why should PP necessarily be the cause of your problems? Where is the causal connection?

Cheers, Laura

1 Like

I am using NSIS to create the installer. It’s used by many, many different applications. I already have a code signing key, but I haven’t been able to make it work on my build machine. Once that is in place, I hope that it reduces the likelihood of virus scanners having false positives. (Of course, I also must ensure that the build machine is “clean” in the sense that I use the original NSIS and not a compromised one).

In general, I think PP is too small to be a reasonable attack vehicle to distribute trojan horses. But vigilance is needed anyway.