General

  • Target

    61dbf9cc2b39be1838666e7e2edaa5667059e9813d667357d93ff4aa81ee51ef

  • Size

    602KB

  • Sample

    220521-pbk6haabfm

  • MD5

    01801049050137f3929321da483fbcfc

  • SHA1

    ad7c245ef7ee9fc3c11d4421579d18fd414c5cba

  • SHA256

    61dbf9cc2b39be1838666e7e2edaa5667059e9813d667357d93ff4aa81ee51ef

  • SHA512

    9f044c0c72c1cd5ae67b75a0405992b09a8c45056dd11f815ae5f6d58b5788bad68d07ee7f83013393cdca2026291ce0a852440ba0949cc7c2a74da578c7672c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    don4@intarscan.org
  • Password:
    !c}w0m3nCK#h
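
The extracted config is the most directly actionable part of this report: Agent Tesla is shipping stolen data over SMTP submission (port 587) through a compromised mailbox, so the host and username are usable hunting indicators. The script below is an added example (not part of the sandbox report) that applies them to egress records; the host, port and username are the ones extracted above, while the log layout, the hostnames and the mail-client allow-list are constructed for the example.

```python
"""Hunt for the Agent Tesla SMTP exfiltration channel from the extracted config.

Added example, not part of the sandbox report. The host, port and username
are the ones the report extracted; the record layout, the other hostnames
and the mail-client allow-list are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Values from the report's "Malware Config" section.
EXFIL_HOST = "us2.smtp.mailhostbox.com"
EXFIL_PORT = 587
EXFIL_USER = "don4@intarscan.org"

# Processes expected to speak SMTP submission (assumption: adjust to your fleet).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass
class Conn:
    ts: str
    host: str
    process: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Constructed record layout: ts|host|process|dst|dport."""
    ts, host, process, dst, dport = line.split("|")
    return Conn(ts, host, process, dst, int(dport))


def classify(c: Conn) -> Optional[str]:
    """Return a verdict for one connection record, or None if it looks benign."""
    if c.dst.lower() == EXFIL_HOST:
        return "known-exfil-server"                   # exact IOC from the report
    if c.dport == EXFIL_PORT and c.process.lower() not in MAIL_CLIENTS:
        return "smtp-submission-from-non-mail-client"  # same tradecraft, other server
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, process, verdict) for every suspicious record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        c = parse_line(line)
        verdict = classify(c)
        if verdict:
            hits.append((c.host, c.process, verdict))
    return hits


def is_exfil_login(smtp_auth_user: str) -> bool:
    """For mail-gateway or SMTP-proxy logs: does an AUTH use the stolen-mailbox account?"""
    return smtp_auth_user.lower() == EXFIL_USER


# Constructed egress log; not from the sandbox run.
SAMPLE_LOG = """\
2022-05-21T10:00:01|ws01|outlook.exe|mail.example.com|587
2022-05-21T10:00:07|ws07|QUOTE 2020.exe|us2.smtp.mailhostbox.com|587
2022-05-21T10:00:09|ws12|svchost.exe|US2.SMTP.MAILHOSTBOX.COM|587
2022-05-21T10:00:15|ws03|installer.exe|smtp.example.net|587
2022-05-21T10:00:20|ws02|chrome.exe|www.example.org|443
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The second rule matters more than the first: the mailbox in the config is burned as soon as the provider is notified, but port-587 traffic from a process that is not a mail client is the shape of every Agent Tesla SMTP build, whatever server it uses.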


Targets

    • Target

      QUOTE 2020.exe

    • Size

      540KB

    • MD5

      21d1083d295c27ac02ac97e8b5ad08f3

    • SHA1

      8b2d20b952e05651a600f5e36d95ebccc738fc97

    • SHA256

      708819369d030c9ac2cca2a078e695318a8b8289ff78e50a44684761d63173e5

    • SHA512

      20ba1c6c9f6cc404b33153befefa0424faabf4ea4e01e1d5bae042c9571c446f61f8f7d3f308a9f0049946bca87469d71825e1d5babf4ea9691a02e9933ae150

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that stores the payload as an embedded Bitmap object and decrypts it at runtime.

    • AgentTesla Payload

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
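
The CoreEntity signature above says only that the payload lives inside a Bitmap and is decrypted later, which is enough to know where to look but not how to decode it. The script below is an added example, not the packer's own code or the sandbox's unpacker: it parses a standard 24-bpp BMP, recovers the pixel buffer in top-down unpadded order, and then searches for a PE image. The single-byte XOR and the fake PE stub are constructed stand-ins for whatever CoreEntity actually does; swap `find_pe` for the real routine once you have pulled it from the loader.

```python
"""Recover a payload carried in the pixel buffer of a BMP resource.

Added example, not part of the report and not CoreEntity's actual code. The
BMP layout is the standard one; the single-byte XOR and the sample payload
below are constructed stand-ins for the packer's real decryption routine.
"""
import struct
from typing import Optional, Tuple


def build_bmp(payload: bytes, width: int = 16) -> bytes:
    """Pack arbitrary bytes into a 24-bpp bottom-up BMP (constructed carrier)."""
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3              # BMP rows are 4-byte aligned
    height = -(-len(payload) // row_bytes)     # ceil division
    body = payload.ljust(height * row_bytes, b"\0")
    rows = [body[i * row_bytes:(i + 1) * row_bytes].ljust(stride, b"\0")
            for i in range(height)]
    pixels = b"".join(reversed(rows))          # bottom-up storage
    off = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", off + len(pixels), 0, 0, off)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_bytes(bmp: bytes) -> bytes:
    """Parse the BMP headers and return pixel data top-down with padding stripped."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    off = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iiHH", bmp, 18)
    if bpp != 24:
        raise ValueError(f"unsupported bpp {bpp}")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    top_down = height < 0                      # negative height means top-down rows
    height = abs(height)
    rows = [bmp[off + r * stride: off + r * stride + row_bytes] for r in range(height)]
    if not top_down:
        rows.reverse()
    return b"".join(rows)


def find_pe(blob: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Try every single-byte XOR key and stop when a plausible PE appears.

    Stand-in for the packer's real routine: checks the MZ magic and that
    e_lfanew points at a PE\\0\\0 signature before accepting a key.
    """
    for key in range(256):
        head = bytes(b ^ key for b in blob[:64])
        if head[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", head, 60)[0]
        data = bytes(b ^ key for b in blob)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key, data
    return None, None


def extract_payload(bmp: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Carrier in, (key, decoded PE) out; (None, None) if nothing decodes."""
    return find_pe(pixel_bytes(bmp))


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking header: MZ, e_lfanew=0x80, PE\\0\\0 at 0x80."""
    hdr = bytearray(0x90)
    hdr[0:2] = b"MZ"
    hdr[60:64] = struct.pack("<I", 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


FAKE_PE = _fake_pe()
XOR_KEY = 0x5A                                  # constructed, not CoreEntity's key
SAMPLE_BMP = build_bmp(bytes(b ^ XOR_KEY for b in FAKE_PE), width=10)

if __name__ == "__main__":
    key, pe = extract_payload(SAMPLE_BMP)
    print(f"key=0x{key:02x} payload_len={len(pe)} ok={pe[:len(FAKE_PE)] == FAKE_PE}")
```

In a real sample the Bitmap comes out of the .NET managed resources (a BMP or PNG blob); the pixel-order handling here is what trips up ad-hoc scripts, because the BMP stores rows bottom-up with stride padding while the packer reads pixels through `System.Drawing.Bitmap` in logical order.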

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), matched by 3 signatures

  • Collection

    Data from Local System (T1005), matched by 3 signatures

    Email Collection (T1114), matched by 1 signature
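
The "Suspicious use of SetThreadContext" signature listed under the target's behaviours is a process-hollowing indicator: the loader starts a host process suspended, overwrites its image, points the main thread at the new entry point with SetThreadContext, and resumes it. A lone SetThreadContext call is not evidence (debuggers use it), so the detection has to key on the sequence. The script below is an added example, not the sandbox's own rule; the API trace format and the trace lines are constructed.

```python
"""Flag the API sequence behind "Suspicious use of SetThreadContext".

Added example, not the sandbox's own detection logic. It walks a per-process
API trace looking for the process-hollowing pattern: a child created
suspended, memory written into it, its thread context replaced, then
resumed. The trace lines and their layout are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

CREATE_SUSPENDED = 0x4   # dwCreationFlags bit in CreateProcess

WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CTX_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def parse(line: str) -> dict:
    """Constructed layout: <pid> <api> key=value ..."""
    pid, api, *args = line.split()
    ev = {"pid": int(pid), "api": api}
    ev.update(a.split("=", 1) for a in args)
    return ev


def detect_hollowing(lines: Iterable[str]) -> List[dict]:
    """Return one alert per caller that walks the full create/write/setctx/resume chain."""
    state: Dict[int, dict] = defaultdict(dict)   # per caller pid
    alerts = []
    for ev in map(parse, (l for l in lines if l.strip())):
        s = state[ev["pid"]]
        api = ev["api"]
        if api == "CreateProcessW" and int(ev.get("flags", "0"), 0) & CREATE_SUSPENDED:
            s.clear()
            s.update(child=int(ev["child_pid"]), image=ev.get("image"), stage=1)
        elif api in WRITE_APIS and s.get("stage", 0) >= 1 and int(ev["target_pid"]) == s["child"]:
            s["stage"] = 2
        elif api in CTX_APIS and s.get("stage") == 2 and int(ev["target_pid"]) == s["child"]:
            s["stage"] = 3
        elif api in RESUME_APIS and s.get("stage") == 3 and int(ev["target_pid"]) == s["child"]:
            alerts.append({"parent": ev["pid"], "child": s["child"], "image": s["image"]})
            s.clear()
    return alerts


# Constructed trace: one hollowing chain, one normal child, one debugger-style call.
SAMPLE_TRACE = r"""
4120 CreateProcessW image=C:\Windows\System32\svchost.exe flags=0x4 child_pid=5032
4120 NtUnmapViewOfSection target_pid=5032
4120 WriteProcessMemory target_pid=5032 addr=0x400000 size=0x6a000
4120 SetThreadContext target_pid=5032 tid=5036
4120 ResumeThread target_pid=5032 tid=5036
2200 CreateProcessW image=C:\Windows\System32\notepad.exe flags=0x0 child_pid=2288
2200 ResumeThread target_pid=2288 tid=2290
3300 SetThreadContext target_pid=3310 tid=3312
""".splitlines()

if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_TRACE):
        print(f"hollowing: pid {a['parent']} -> {a['child']} ({a['image']})")
```

Requiring the write to land in the suspended child before the context change is what keeps the debugger case (pid 3300 above) quiet while still catching the loader, which is the distinction the sandbox signature name alone does not make.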
