General
Target: Zretvyl4.exe
Size: 27.5MB
Sample: 250108-fhjrksvmbs
MD5: ebe64b3f5daae2c268eca285550ae90b
SHA1: aa667378b686446c31c00c54c5285ff80b44baac
SHA256: 71072a765dcb66dc1d74fa4e240a169738d02dde199672928f927268c5b93ed9
SHA512: 02abfbdc73585d65ab63403a34896e46c3ea524fa8a784cc82bf42662d2dd33775c5cc549284a81342786ba9514ef87101b6eb611140cbb0cd57c545e18b418d
SSDEEP: 786432:Dl02M5uLCQJ8pm6LKcUkSzIZVnbwdlxbPEPfgn:Dl02MRQE7X9bsbA2
Behavioral task
behavioral1
Sample: Zretvyl4.exe
Resource: win7-20240903-en
Malware Config
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Server Software Component: Terminal Services DLL
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Time Providers (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Time Providers (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
  Indicator Removal (1)
    File Deletion (1)
  Virtualization/Sandbox Evasion (1)