win.sync_scheduler

Sync-Scheduler


According to Cyfirma, Sync-Scheduler is a dedicated document stealer that targets Word documents, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP archives. The malware is written in C++ and equipped with anti-analysis and defense-evasion techniques: its code is obfuscated, and it terminates itself if it detects an analysis environment.

References
2024-11-18 — BlackBerry — BlackBerry Research and Intelligence team
Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
Sync-Scheduler
2024-03-27 — Cyfirma
Sync-Scheduler: A Dedicated Document Stealer
Sync-Scheduler
Yara Rules
[TLP:WHITE] win_sync_scheduler_auto (20260504 | Detects win.sync_scheduler.)
rule win_sync_scheduler_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sync_scheduler."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sync_scheduler"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Code-sequence rule for win.sync_scheduler, generated by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of unpacked samples and memory dumps held in Malpedia.
     *
     * Reviewer notes:
     *  - The byte sequences are x86-64 code (REX.W prefixes, RIP-relative
     *    addressing). The per-instruction annotations shipped with the
     *    generated rule were 32-bit decodes that did not line up with the
     *    bytes (e.g. 48 8d 48 08 is `lea rcx, [rax+8]`, not `cmp edx, 0x10`);
     *    the annotations below were re-derived from the bytes. Remarks marked
     *    "looks like" are hypotheses about purpose, not verified facts.
     *  - Malpedia usually documents a single sample per family, so expect
     *    limited generalization to other builds. The 153 KB size cap and the
     *    7-of-10 threshold come from the generator and were not hand-tuned;
     *    assign confidence accordingly.
     *  - The `??` wildcards cover call targets and RIP-relative displacements
     *    that move between builds. Because the rule was built from unpacked
     *    code, run it against unpacked images or memory dumps, not the packed
     *    on-disk carrier.
     */

    strings:
        // lea rcx, [rax+8] ; movups [rdx], xmm0 ; call [rip+imm32] ;
        // lea rax, [rip+0xa3df] ; mov [rbx], rax
        $sequence_0 = { 48 8d 48 08  0f 11 02  ff 15 ?? ?? ?? ??  48 8d 05 df a3 00 00  48 89 03 }

        // mov rdi, -1 ; mov r13, [r15+0x10] ; nop dword ptr [rax+rax] ;
        // inc rdi ; cmp word ptr [r8+rdi*2], dx ; jne (back to inc rdi)
        // Scans a 16-bit-element buffer for the value in dx; looks like a
        // wide-string length/search loop.
        $sequence_1 = { 48 c7 c7 ff ff ff ff  4d 8b 6f 10  0f 1f 84 00 00 00 00 00  48 ff c7  66 41 39 14 78  75 f6 }

        // call rel32 ; or edi, 2 ; mov [rbp-9], edi ; lea rdx, [rbp-1]
        $sequence_2 = { e8 ?? ?? ?? ??  83 cf 02  89 7d f7  48 8d 55 ff }

        // lea rdx, [rsp+0x24] ; mov rcx, r9 ; call rel32 ; movups xmm0, [rax] ;
        // movups [rbp+0x1e0], xmm0 ; movups xmm1, [rax+0x10]
        // Copies 32 bytes from the call's returned pointer into a stack frame slot.
        $sequence_3 = { 48 8d 54 24 24  49 8b c9  e8 ?? ?? ?? ??  0f 10 00  0f 11 85 e0 01 00 00  0f 10 48 10 }

        // test rax, rax ; je +0x31 ; add rax, 0x27 ; and rax, -0x20 ;
        // mov [rax-8], rcx ; jmp +0x39 ; cmp rsi, rcx
        // Rounds a pointer up to a 32-byte boundary and stashes a value just
        // below it; looks like an aligned-allocation helper.
        $sequence_4 = { 48 85 c0  74 31  48 83 c0 27  48 83 e0 e0  48 89 48 f8  eb 39  48 3b f1 }

        // lea rax, [rip+0x6a21] ; mov [rdx+rdi-0xa8], rax ; mov rax, [rcx] ;
        // movsxd rcx, dword ptr [rax+4]
        // Stores a code/data address into an object, then reads a pointer and
        // a sign-extended 32-bit field at +4; looks like C++ vtable handling.
        $sequence_5 = { 48 8d 05 21 6a 00 00  48 89 84 3a 58 ff ff ff  48 8b 01  48 63 48 04 }

        // mov byte ptr [rbp-0x55..-0x50], 'U','T','W','V','Q','P'
        // Stack-string construction, one byte per instruction.
        $sequence_6 = { c6 45 ab 55  c6 45 ac 54  c6 45 ad 57  c6 45 ae 56  c6 45 af 51  c6 45 b0 50 }

        // mov qword ptr [rip+imm32], 0 ; mov ecx, 0x1e0 ; call rel32 ;
        // mov rdi, rax ; mov [rip+imm32], rax ; mov [rip+imm32], rax
        // 0x1e0 passed in ecx before a call whose result is kept in two globals;
        // consistent with allocating a 0x1e0-byte object (unverified).
        $sequence_7 = { 48 c7 05 ?? ?? ?? ?? 00 00 00 00  b9 e0 01 00 00  e8 ?? ?? ?? ??  48 8b f8  48 89 05 ?? ?? ?? ??  48 89 05 ?? ?? ?? ?? }

        // jmp +0x1d ; call [rip+imm32] ; int3 ; mov rdx, rsi ; call rel32 ;
        // mov [r14+rbx], r12 ; mov [r14+rbx+8], r12
        // `call [..]; int3` right after a jmp is the usual shape of a
        // no-return error path (e.g. a runtime failure stub).
        $sequence_8 = { eb 1d  ff 15 ?? ?? ?? ??  cc  48 8b d6  e8 ?? ?? ?? ??  4d 89 24 1e  4d 89 64 1e 08 }

        // add al, 8 ; xor al, 0x64 ; mov [rsp+0x4c], al ; mov eax, [rsp+0x40]
        // Per-byte add/xor transform into a stack buffer; looks like the
        // decoding side of the stack strings built in $sequence_6.
        $sequence_9 = { 04 08  34 64  88 44 24 4c  8b 44 24 40 }

    condition:
        // 153 KB == 156672 bytes; the generator's cap on the unpacked image size.
        filesize < 153KB and 7 of ($sequence_*)
}