General

  • Target

    ZwayPriv.exe

  • Size

    6.0MB

  • Sample

    240413-egsseseb7x

  • MD5

    2030b451d9ac60a382cc9684506348c0

  • SHA1

    01e26d2a75e04e71f20c7b53eb913624a8d3267b

  • SHA256

    1d18101d635590f5e2c403dc2d2b977b9f311a058af0f0346ace52e03328faee

  • SHA512

    08753cc2c270e06eb9bb4e31a5430359b0f4feb42f010e45af73ba164b374c3ab4469a1692f340787c89814e31ff9b7df0d198692a7b9ea0117f77323ea2ad30

  • SSDEEP

    98304:mVBGZTEVqu2i20qbPnOmdBfsa4HOsbiV4zeMOO36LYQTN4c7PdHtjyXrBtt4ia:I6I32i2PnT14usbiV4vOB5Oc7Le9Mn

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks