General
-
Target
SyncSpoofer.exe
-
Size
276KB
-
Sample
240827-t2seqasbmr
-
MD5
5a8afe7bfd11728c32066c4290eeddc7
-
SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8
-
SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f
-
SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb
-
SSDEEP
1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o
Behavioral task
behavioral1
Sample
SyncSpoofer.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7308213044:AAFm9yNR1WX2-QnC_ZcUdYHkkJGg7179JYE/sendMessag
Targets
-
-
Target
SyncSpoofer.exe
-
Size
276KB
-
MD5
5a8afe7bfd11728c32066c4290eeddc7
-
SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8
-
SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f
-
SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb
-
SSDEEP
1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o
-
PureLog Stealer payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-