predatorstealer | bceb7feb4613ac228f25eb96d6b4d5f41bd1d94642b0e131a6fea147c4121c39

General

Target

9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Size

536KB
MD5

ce0d92e0c437b96373597ed18de7324e
SHA1

1695af76eda0e99b5159db064557f7c6dbd493c5
SHA256

9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7
SHA512

75e6f2060c0ec516107c6987763bd90befe6cb65d97aa315d0ddd1f71c80454aed9fe5f96f1bb7e43e57470faf0583028f2562dbc3bbb9cb52f1136fc4b41226
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUR:OPw2PjCLe3a6Q70zbYow60R

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 1 IoCs

pid	Process
2924	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_232810.exe / start"	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Token: SeDebugPrivilege	2924	Zip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2924	2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe	29
PID 2568 wrote to memory of 2924	2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe	29
PID 2568 wrote to memory of 2924	2568	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

C:\Users\Admin\AppData\Local\Temp\9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
"C:\Users\Admin\AppData\Local\Temp\9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2568
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7.zip

Filesize
369KB

MD5
cb7722640352101e3e3d5379f71a6f62

SHA1
458ee37d6be69c84db82fcfb258b3dca150589b5

SHA256
99cb923b582003db90473bdf488aae37ca7be8b920b703d7711204cd4c002e2a

SHA512
21b43dfd2347074a83f88f9ec6e9319213267ffb85847ba33c94dfeb9276ba313a1b813815b1a69166f9f52166455cdd211a68b7837b7619c903bcd6a4dfe68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProgramList.txt

Filesize
2KB

MD5
d5628f68c6301a53aaf470e6d5513b28

SHA1
01dcea142ba4aeb39c4c4eb5a631da0b2d196183

SHA256
caa4da8ace2b22ed85c22fa713f69240bb72629ca3a67d4ecca931429f8c7bfc

SHA512
9ec7a2e8f48013d519014351ec94f764a867a940e114aeb140ff98a797fcc974122ce2bcca7737e4205b2c6b7155081f79f7d6ca90d3ac41f3327416ca976bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProsessList.txt

Filesize
526B

MD5
38a2dc0e4c132d24ef90ce12daf42e7f

SHA1
953850820a7a30ae3fb286c835d20fb1dbf90ac2

SHA256
23a3577e2fb9f4644ad22271816af5b35e59692e4e8c7899aee934ebc86746ef

SHA512
6306a5851655652156d7fc6c0a4e00e905373b1000e4c105ccef563b860ae2b855cee4bbc4e8fab2e5c8920a3600af2c75f77c46f62c3f00299e73f8a88acffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Screenshot.png

Filesize
370KB

MD5
2e3addc5f236e76ba59ca8a898f59bbd

SHA1
e0fa4529f4623f7fad0f4b385a1de14772784926

SHA256
82ef8c0f7b6467062cb9f5aeae972258a216da23c97173b9bbaa2b11bcd10e09

SHA512
93e85648579bbd8a84f75272e5c9fba11ab49f99d019379a37946c490981e0a510a6489078d8cc27ee833359925ce5fbc4cac73b79dcde5e7cb6fe13c5bc7e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\info.txt

Filesize
325B

MD5
0dd1e9270d612e66e95160f049c54adb

SHA1
a682140b400740b1141add293f6c871e93239c71

SHA256
0dc16a233ec00200b1cf1a3a841eee764d92d7089a73a6828ac3d4191eb01c40

SHA512
af4c75448d31cb56e44a32ecfcd28b58a0d56ffff08a335be9614975b7278dbf407c02d43417f20bbaa45d7e904c40ea3c076a9616aedf64c0e94764ec349ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/2568-72-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2568-70-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-54-0x0000000000F20000-0x0000000000FAC000-memory.dmp

Filesize
560KB

Download
memory/2568-57-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2568-56-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2568-80-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2568-55-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-71-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-73-0x0000000000460000-0x00000000004E0000-memory.dmp

Filesize
512KB

Download
memory/2924-74-0x0000000000460000-0x00000000004E0000-memory.dmp

Filesize
512KB

Download
memory/2924-69-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2924-81-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads