Overview

overview

10

Static

static

1

HWID SyncSpoofer.rar

windows7-x64

3

HWID SyncSpoofer.rar

windows10-2004-x64

7

SyncSpoofer.exe

windows7-x64

10

SyncSpoofer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HWID SyncSpoofer.rar

  • Size

    2.3MB

  • Sample

    240506-qqy7cada2t

  • MD5

    bec32e154b97e234570053bf213d0fbe

  • SHA1

    49ad2049440e1367c1f2a87d4c7c86510e7a29af

  • SHA256

    dc28910bd758fccf7797669d2876da58d58c398d85cb77bf8e8066ba00448b09

  • SHA512

    7aec0da86226e3f557b9d19c581837434814812e924098cccb351668d583d4bbc35610f03026a22ec561bfd6796f452d0518bc037b9d52c6c956aecb8af2087f

  • SSDEEP

    49152:dhZZjfnQccWBLfqmRa7x9vp6vwFvD1ZAGFDHOhZbG3PXgL6F81+GaGGbl:drJrjdg6vwh3FkLC811M

Score
10/10
zgratevasionexecutionpersistenceratspywarestealer

Malware Config

Targets

    • Target

      HWID SyncSpoofer.rar

    • Size

      2.3MB

    • MD5

      bec32e154b97e234570053bf213d0fbe

    • SHA1

      49ad2049440e1367c1f2a87d4c7c86510e7a29af

    • SHA256

      dc28910bd758fccf7797669d2876da58d58c398d85cb77bf8e8066ba00448b09

    • SHA512

      7aec0da86226e3f557b9d19c581837434814812e924098cccb351668d583d4bbc35610f03026a22ec561bfd6796f452d0518bc037b9d52c6c956aecb8af2087f

    • SSDEEP

      49152:dhZZjfnQccWBLfqmRa7x9vp6vwFvD1ZAGFDHOhZbG3PXgL6F81+GaGGbl:drJrjdg6vwh3FkLC811M

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      SyncSpoofer.exe

    • Size

      2.5MB

    • MD5

      10c51aa1fc224b93206f1083082f02be

    • SHA1

      584d370ec990a36e6b0b8920aa2a31975ef1d5c6

    • SHA256

      f4e72d601237b4b9c807bb10eda596cb25912b6447db75f9d554b3398133fc79

    • SHA512

      411febdaefc44f711dcf926c576ff519062e5eb854f606770f730426fa6a586c9e4fc6a7c3c523255cdaf02c721afb52d20b1e0d498baa029d5df8ca04429274

    • SSDEEP

      49152:ucvAvIUj4MlR9zMKwS/R0Tg5iWzu659A6/q7fUn9ZTF/cYFylcJD2uxN:ucvAgUh/9Pgv659A6y7fUn9ZTF/NF9z

    Score
    10/10
    zgratevasionexecutionpersistenceratspywarestealer

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Nirsoft

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks