predatorstealer | 3bc2488a8449370644fe3a3a2f7d514cf096d0efed2e34ff975ce1d309566b5e

Analysis

max time kernel
88s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-04-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Size

877KB
MD5

c2744c4bab87079337e5040cec0c202c
SHA1

f9a492ebcd8647eb373e889329a12bc69beca10d
SHA256

0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3
SHA512

b4500903b5d30bdd558f241ac31d2405a966ef3b6444674b3b35d01741402ce08a55deeed0bbd85bbe673491a4d4ce4e7b30608e19f008b309ebc91b448ceabf
SSDEEP

12288:OqxiRq8Wzhy7/G5F4MkyzlvMjSp2O28Bu7O1mwlF6jiFOhG4q3N4X5Krg:3iRKhy7/G5GMxt67/m6uJMr

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 1 IoCs

pid	Process
1952	Zip.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_231705.exe / start"	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Token: SeDebugPrivilege	1952	Zip.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1724 wrote to memory of 1712	1724	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	27
PID 1712 wrote to memory of 1952	1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	29
PID 1712 wrote to memory of 1952	1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	29
PID 1712 wrote to memory of 1952	1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	29
PID 1712 wrote to memory of 1952	1712	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
"C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
  "C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe"
  2⤵
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\Zip.exe
    "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF000206D7\ProgramList.txt

Filesize
4KB

MD5
db708091ee86de3b508496bca9178f27

SHA1
fa3e67e4143c48d40d66e2f1bc326c16f32c2286

SHA256
f46462fa4372885611f2b03780e37360f6a5f7814f797e94416d7bcad8186546

SHA512
a98558b01d47181f0ba8fb50622cb26a24aa8d233d0cd4b6e8a67e2c95be35ad05decbb6b2a95702858d7030b06135b7c71ddef57b4b18aca5f5c7f972c09931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF000206D7\ProsessList.txt

Filesize
526B

MD5
fa12c7c4eb2ff14527f8000608ea8d2b

SHA1
167c05ccb06524ec803b05144730dfd758273fc7

SHA256
41499bad5f842548b8b271e630e08840b0980eeed1dff112e5ff21555a910b5b

SHA512
cb2cea09995c768e5aa860f615012319f86812c92c91b2140b18de90b5068652efac3179b008683ca3a6be8d82eed04e8d38e1966df22e4173b5cec401633fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF000206D7\Screenshot.png

Filesize
391KB

MD5
c0ac068a3b3f8ae189b655b74b0fbe3c

SHA1
816f3d20776993623e55d4ca84f8d880b30b60b0

SHA256
7b32390f36daedad4c417739a5a8ad555df8c97aca19147349fc90596a67ba13

SHA512
497b8a482b98a439e35f44ccd129889166230d196ff673c539ed9c46a6cd73d2dba3bd4752aa89640bd7ae143924d73e0dd7b56fce4d396ec6afbe31ed011107

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF000206D7\info.txt

Filesize
325B

MD5
5e28adb82a030165c8451aa505b43869

SHA1
ee97462bc0406319f644883b5e2def1e2fdd2d62

SHA256
bc72c505332a37f97755cd1098bfd3d7ca167a277df3dd9c15896a52ccaa3692

SHA512
e41b28974725e017a1b25fc12cc39185f14d6925aa6b5f610686d36475edb2ce3aefd4e02215907a85921647102742bed879c4b623fa0de25d5f0294ea84ebe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/1712-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-81-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/1712-63-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1712-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-69-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-71-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-72-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/1712-73-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/1712-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1712-89-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/1724-60-0x00000000059C0000-0x0000000005A4E000-memory.dmp

Filesize
568KB

Download
memory/1724-59-0x0000000005900000-0x00000000059C2000-memory.dmp

Filesize
776KB

Download
memory/1724-54-0x00000000012F0000-0x00000000013D2000-memory.dmp

Filesize
904KB

Download
memory/1724-58-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1724-57-0x0000000001220000-0x0000000001260000-memory.dmp

Filesize
256KB

Download
memory/1724-56-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1724-55-0x0000000001220000-0x0000000001260000-memory.dmp

Filesize
256KB

Download
memory/1952-87-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/1952-88-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/1952-95-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download