General

  • Target: Zretvyl4.exe
  • Size: 27.5MB
  • Sample: 250108-fhjrksvmbs
  • MD5: ebe64b3f5daae2c268eca285550ae90b
  • SHA1: aa667378b686446c31c00c54c5285ff80b44baac
  • SHA256: 71072a765dcb66dc1d74fa4e240a169738d02dde199672928f927268c5b93ed9
  • SHA512: 02abfbdc73585d65ab63403a34896e46c3ea524fa8a784cc82bf42662d2dd33775c5cc549284a81342786ba9514ef87101b6eb611140cbb0cd57c545e18b418d
  • SSDEEP: 786432:Dl02M5uLCQJ8pm6LKcUkSzIZVnbwdlxbPEPfgn:Dl02MRQE7X9bsbA2

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Server Software Component: Terminal Services DLL
    • Stops running service(s)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Indicator Removal: File Deletion
      Adversaries may delete files left behind by the actions of their intrusion activity.
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks