General
Target: ZwayPriv.exe
Size: 6.0MB
Sample: 240413-gdrr3aef8t
MD5: 2030b451d9ac60a382cc9684506348c0
SHA1: 01e26d2a75e04e71f20c7b53eb913624a8d3267b
SHA256: 1d18101d635590f5e2c403dc2d2b977b9f311a058af0f0346ace52e03328faee
SHA512: 08753cc2c270e06eb9bb4e31a5430359b0f4feb42f010e45af73ba164b374c3ab4469a1692f340787c89814e31ff9b7df0d198692a7b9ea0117f77323ea2ad30
SSDEEP: 98304:mVBGZTEVqu2i20qbPnOmdBfsa4HOsbiV4zeMOO36LYQTN4c7PdHtjyXrBtt4ia:I6I32i2PnT14usbiV4vOB5Oc7Le9Mn
Malware Config
Targets
Target: ZwayPriv.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger