predatorstealer | bceb7feb4613ac228f25eb96d6b4d5f41bd1d94642b0e131a6fea147c4121c39

General

Target

9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Size

536KB
MD5

ce0d92e0c437b96373597ed18de7324e
SHA1

1695af76eda0e99b5159db064557f7c6dbd493c5
SHA256

9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7
SHA512

75e6f2060c0ec516107c6987763bd90befe6cb65d97aa315d0ddd1f71c80454aed9fe5f96f1bb7e43e57470faf0583028f2562dbc3bbb9cb52f1136fc4b41226
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUR:OPw2PjCLe3a6Q70zbYow60R

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Executes dropped EXE 1 IoCs

pid	Process
1080	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_232810.exe / start"	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1088	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1088	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
Token: SeDebugPrivilege	1080	Zip.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1080	1088	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe	90
PID 1088 wrote to memory of 1080	1088	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe

C:\Users\Admin\AppData\Local\Temp\9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe
"C:\Users\Admin\AppData\Local\Temp\9f2a970442b3b9551f3fc534f19b989cb24c652ca5ac2e4eea515ac6b91bf0b7.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1088
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF00090672.zip

Filesize
418KB

MD5
9285c0c95ddcdc3e037f78f7a8a6dba5

SHA1
d6433fe4c75d7c2600b29cb3eefacbbfeeee29cc

SHA256
5fbeb5640a98f216f9cd577e3936e6a75e1ad0d06da2a42f032939c227a58031

SHA512
6fe27a6230a6df403183118e616f44d1e92c0b97a056af5b3487d029e2abb5ee2ec07ca3490c89318905ce536b30854e18e0d0af9f98d316e42d4ba1b124aae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF00090672\ProgramList.txt

Filesize
1KB

MD5
2554617f5ea5199193845737e7e7d8f7

SHA1
f554ce7419f1f4c1696d6b8d8288791ac85b1aa2

SHA256
dad01264f26c2236215a3e45b92fe83fb08e3406b1b121958d0e9c3df4c0ae34

SHA512
7444900f9a771bec90f7478714581bce47fe2b398c73ce1b5cc442dc123494388b7d79892955bec1bfcebec05a4562cc4522ededecfa99218990878f9ffc3898

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
ec8bcb133f1440d57aeba7649b588c8c

SHA1
30f51ceb53d9044da75df937d2ff23d34f246e39

SHA256
a46a69d91ea545d22afd09af7aa0bb2814c9d7181ef487e526908612a155a96e

SHA512
9be57597b6a9f0f07a1b62605dd7de7cb161e96e984090256a3fd8c129d1cb2afe8d979f5460f4005b1478e91da0dcf92b314522eab049afb7cea7149fe101b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF00090672\Screenshot.png

Filesize
419KB

MD5
dd9477ff91f8341c4544058726edde6a

SHA1
c5ba52bc57f215b2dc867236a8fb6f66e3285bdc

SHA256
25c57064e7f6bdde894fb72c9b25619e825c7ae91209d6b4cd0001e519018f5e

SHA512
3bfc4e4ff51ce212e0d49864481a419c3679f8a24ea8a79d4a757ce03d15ded564c7c9aebedae6020f47014981c12ce7df0a35f7bb1dc9bd6230b1234433c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
141c27ca53da38c2ca0e744c5ebf9322

SHA1
a35b9043c1f8027f5ac1662877608f2374c94751

SHA256
f17376c17d1d10fd12e622371216b3b83cbec5120c023990f5dd939f9f57c37e

SHA512
e578e547694ed5fc294ed530293cac83326c50ae1e0a6ef5034baa679723cb803f1cc5a91527aa8c18b406bf50050a9b05ad3ec83c1e77d945e642592c1d6982

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/1080-162-0x000002003FFE0000-0x000002003FFF2000-memory.dmp

Filesize
72KB

Download
memory/1080-161-0x000002003FFB0000-0x000002003FFBA000-memory.dmp

Filesize
40KB

Download
memory/1080-170-0x00007FFE354C0000-0x00007FFE35F81000-memory.dmp

Filesize
10.8MB

Download
memory/1080-158-0x0000020025AF0000-0x0000020025B00000-memory.dmp

Filesize
64KB

Download
memory/1080-159-0x00007FFE354C0000-0x00007FFE35F81000-memory.dmp

Filesize
10.8MB

Download
memory/1080-168-0x0000020040000000-0x0000020040010000-memory.dmp

Filesize
64KB

Download
memory/1088-133-0x0000000000990000-0x0000000000A1C000-memory.dmp

Filesize
560KB

Download
memory/1088-144-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1088-138-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1088-137-0x000000001C800000-0x000000001CD28000-memory.dmp

Filesize
5.2MB

Download
memory/1088-136-0x000000001B900000-0x000000001BAC2000-memory.dmp

Filesize
1.8MB

Download
memory/1088-135-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1088-160-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1088-141-0x00007FFE354C0000-0x00007FFE35F81000-memory.dmp

Filesize
10.8MB

Download
memory/1088-134-0x00007FFE354C0000-0x00007FFE35F81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads