General

  • Target

    da0db468513004794ec95a01cc97e5bf4d76a277b7ab7fcabb47ceff6498910e

  • Size

    1.2MB

  • Sample

    220521-bz3tkacgd5

  • MD5

    2283b7187211a55900b55bfeac799339

  • SHA1

    77b05a263ab93386b7f4ae5885aabd4afef4530b

  • SHA256

    da0db468513004794ec95a01cc97e5bf4d76a277b7ab7fcabb47ceff6498910e

  • SHA512

    c1a71eba15fb59e20c64a5417e32601582eb387461b3d28208171e01d826065e4c20816f22b6628151e33a735d0da0fd2dda3e7ee99313bf56705df7132ffb69

Malware Config

Targets

    • Target

      QUOTATIO.EXE

    • Size

      502KB

    • MD5

      6090c40a1022d3265f2dc7867cd533bb

    • SHA1

      bc5eabceb7a959345421c536219fdbf23602e4e2

    • SHA256

      bdf6444b7ff7cd5866894e61e0ccd96d61d8af22c0043df49d2adcf3659fa853

    • SHA512

      b5d4bc23a7840e03eeffe1f6e5c93c81e42342bb839064607050d8f43d44aae6e51c2200a4e41cc387603ac461157341f66245808a43065090c23902d42aa08a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is decrypted at runtime.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with FTP programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

  • Credential Access

    Credentials in Files: T1081 (3)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

  • Collection

    Data from Local System: T1005 (3)

    Email Collection: T1114 (1)

Tasks