General
-
Target
SyncSpoofer.exe
-
Size
276KB
-
Sample
240826-x7jxba1fnh
-
MD5
5a8afe7bfd11728c32066c4290eeddc7
-
SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8
-
SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f
-
SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb
-
SSDEEP
1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o
Behavioral task
behavioral1
Sample
SyncSpoofer.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
SyncSpoofer.exe
Resource
win11-20240802-en
Malware Config
Targets
-
-
Target
SyncSpoofer.exe
-
Size
276KB
-
MD5
5a8afe7bfd11728c32066c4290eeddc7
-
SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8
-
SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f
-
SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb
-
SSDEEP
1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o
-
PureLog Stealer payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1