General

Target: HWID-Full-Hwid-Spoofer-V6-main.zip
Size: 1.1MB
Sample: 250422-d2y99swpt7
MD5: 950c8dfd0026c47d1848693bb8b2e95a
SHA1: bbb28ea46f17485428ca7b06bf658d0dbb394af0
SHA256: 68a69f16a889ad43022b8fcc385208ebef112a021ff40be2b715b5bd41d47b98
SHA512: c5aabc692b36db3e2319e11ec2687e57d0cd61a0bc4e5ca87483684614b3bf61176ec8740a0f3faa8c827d134d0193eea36ef891db8a69e8882cba1ba507247a
SSDEEP: 24576:9Edyg/L/xme9GelcXme/JPKhKoPEJqScLuOg/D3I:9CykYe9tCmQPQZKoLuf/D3I
Static task
  static1

Behavioral task
  behavioral1
  Sample: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/Hwid Spoofenls..scr
  Resource: win10v2004-20250314-en

Behavioral task
  behavioral2
  Sample: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/Hwid Spoofenls..scr
  Resource: win11-20250411-en

Behavioral task
  behavioral3
  Sample: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/imgui/imgui_widgets.vbs
  Resource: win10v2004-20250410-en

Behavioral task
  behavioral4
  Sample: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/imgui/imgui_widgets.vbs
  Resource: win11-20250410-en
Malware Config

Extracted
  Family: asyncrat
  Version: 0.5.7B
  C2: 217.64.31.3:8808
  C2: 217.64.31.3:8437
  Mutex: Windows System Guard Runtime
  Attributes:
    delay: 3
    install: false
    install_file: Windows Session Manager
    install_folder: %AppData%
Targets

Target: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/Hwid Spoofenls..scr
Size: 799KB
MD5: 98d7999986d63fbd914bddc3d7b7ecf9
SHA1: 7c528fb3cc427791482f7a84923a21621cfb9675
SHA256: 144a026bb63a29b36a3437094c4f53cf1cb135edcbe15ab06e35fb8759129bfc
SHA512: 13bb42bf2078b3407af5786e9c1d057a306cba561519f905e4ba3fa1acaf8687551c70941775daa89394384808b6524659cda354a715e5ab3c3cba558c065616
SSDEEP: 12288:v41SrH22qla5w/yXbxixFcRMFQIkeNCSo9mbX8:v0SrH0MW/IbxiYCQIkeNCSBQ

Signatures:
  Asyncrat family
  Detect PureCrypter injector
  Modifies WinLogon for persistence
  PureCrypter
    PureCrypter is a .NET malware loader first seen in early 2021.
  Purecrypter family
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Executes dropped EXE
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2
  Obfuscated Files or Information: Command Obfuscation
    Adversaries may obfuscate content during command execution to impede detection.
  Suspicious use of SetThreadContext
Target: HWID-Full-Hwid-Spoofer-V6-main/Spoofer V2/HwidSpoofer rcs/imgui/imgui_widgets.cpp
Size: 400KB
MD5: 45a544786c02b499b7156044d1671905
SHA1: ecdd2ccefeab70ffa1dd2a7a15fc0ccd6719b7d6
SHA256: ad445f6d25dc2ae970526b82c8a76c493fb5108a0b087b718c67fddc3dd7f29e
SHA512: d6a1898366d99a445dbddaf21eda40b0552ad22f6f496813f1b9ceb2d3d584b38a4bfe88ae8838e569d1a8547f2dc220721169ccd9a31dfb70f0bcded21b2d0b
SSDEEP: 6144:74so43lXq5XlM1IDaqsaMM2MQ/VauXV0fZH:74so43lXq5XlCMMM2MQtauX6fZ
Score: 1/10

MITRE ATT&CK Enterprise v16

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Modify Registry (2)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)