predatorstealer | 3bc2488a8449370644fe3a3a2f7d514cf096d0efed2e34ff975ce1d309566b5e

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Size

877KB
MD5

c2744c4bab87079337e5040cec0c202c
SHA1

f9a492ebcd8647eb373e889329a12bc69beca10d
SHA256

0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3
SHA512

b4500903b5d30bdd558f241ac31d2405a966ef3b6444674b3b35d01741402ce08a55deeed0bbd85bbe673491a4d4ce4e7b30608e19f008b309ebc91b448ceabf
SSDEEP

12288:OqxiRq8Wzhy7/G5F4MkyzlvMjSp2O28Bu7O1mwlF6jiFOhG4q3N4X5Krg:3iRKhy7/G5GMxt67/m6uJMr

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Executes dropped EXE 1 IoCs

pid	Process
3176	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_231707.exe / start"	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
2548	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2548	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Token: SeDebugPrivilege	2548	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
Token: SeDebugPrivilege	3176	Zip.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1764	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	91
PID 4936 wrote to memory of 1764	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	91
PID 4936 wrote to memory of 1764	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	91
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 4936 wrote to memory of 2548	4936	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	92
PID 2548 wrote to memory of 3176	2548	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	93
PID 2548 wrote to memory of 3176	2548	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe

C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
"C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
  "C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe"
  2⤵
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe
  "C:\Users\Admin\AppData\Local\Temp\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\Zip.exe
    "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0663257fdd4fc2ee70895f2d46ed462472c2eb8734bd191ab37df92555276bc3.exe.log

Filesize
1KB

MD5
765cff098b629b1eb49e3ef981f7001a

SHA1
32b7ade1f746d013371141dcebd96e0bb3faeef3

SHA256
ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7

SHA512
ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF00090672\ProgramList.txt

Filesize
1KB

MD5
a0069f5e66bee104f0f4f13da873e0d1

SHA1
54120eea530d99c973f650d9aaa01dd0925cb20a

SHA256
bdb1213fe1648ef523383b19fb81212395578aec6e19fc32811632788b2b1078

SHA512
9eab7970525d5eca04e78b576813ea06312c052f247bdc2570b94a6046fb4fc8dac63e793c4448617c726836b81d8fa825191d2d18fe872373af6282a3ee6c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
1729617ad328b5030aa435e6eeec8027

SHA1
dbee67ce3dfc53272cd1d46276c37be14c02aea7

SHA256
80c5fe1dbd8fdf1954a080fb48c304bf5fe97eb2258ff048db1781202af49711

SHA512
c156aba9a66957c31d14fcd7e47b5edbc893170ec4cb5d81f37bda8f90b57985e6880493c412a781c8707ae857c5832576601c47cb512e684c9e0852d38b2fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF00090672\Screenshot.png

Filesize
422KB

MD5
89286215809d41cfa5dd8c4137b866f9

SHA1
8b67660c52964033cadc3b132e39ff568e6a260a

SHA256
f69a62e10c4840147f48b4bafc1dc80a29edc8b4808ae25aaf0b0395cc9ac8c4

SHA512
16616964808d1fa7103813bf0f3902642b8d2db405de4c3a330151d960d6ffefcd4e52de85d79058f1fcde1dd1a74cb4b31af1b90db8fe830f235978ba58513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IN_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
6eea27bd00b9add18c4fa4574d727b4b

SHA1
3b6c250f1b8fcd40408a5aba2c1d4f182e74cdef

SHA256
841ff088863727857a1e2d02b741cc3912ca9cb845627b2b920faf86733f3ef5

SHA512
adf25862a2038088202aefba5fda878407427c192b5121c7cdfdf69b41f674a5dcc1b84f3a05042a084d2e726504f6e602dd789887ebae69530e308ee95003da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/2548-141-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2548-171-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2548-144-0x0000000005150000-0x00000000051A6000-memory.dmp

Filesize
344KB

Download
memory/2548-145-0x0000000005B70000-0x0000000005D32000-memory.dmp

Filesize
1.8MB

Download
memory/2548-146-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2548-147-0x0000000006AB0000-0x0000000006FDC000-memory.dmp

Filesize
5.2MB

Download
memory/2548-148-0x00000000067C0000-0x0000000006826000-memory.dmp

Filesize
408KB

Download
memory/2548-149-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2548-179-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3176-169-0x0000024F6D020000-0x0000024F6D030000-memory.dmp

Filesize
64KB

Download
memory/3176-172-0x0000024F6CF30000-0x0000024F6CF3A000-memory.dmp

Filesize
40KB

Download
memory/3176-167-0x0000024F69500000-0x0000024F69510000-memory.dmp

Filesize
64KB

Download
memory/3176-168-0x0000024F6D2F0000-0x0000024F6D4B2000-memory.dmp

Filesize
1.8MB

Download
memory/3176-173-0x0000024F6CF60000-0x0000024F6CF72000-memory.dmp

Filesize
72KB

Download
memory/3176-170-0x0000024F6DAF0000-0x0000024F6E018000-memory.dmp

Filesize
5.2MB

Download
memory/4936-133-0x00000000000D0000-0x00000000001B2000-memory.dmp

Filesize
904KB

Download
memory/4936-139-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4936-140-0x0000000006990000-0x0000000006A2C000-memory.dmp

Filesize
624KB

Download
memory/4936-138-0x00000000055C0000-0x0000000005766000-memory.dmp

Filesize
1.6MB

Download
memory/4936-137-0x0000000004A20000-0x0000000004A2A000-memory.dmp

Filesize
40KB

Download
memory/4936-136-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4936-135-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/4936-134-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download