predatorstealer | 09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977

General

Target

0x000f00000001201d-56.exe
Size

550KB
MD5

9dfbed115f029f3501c48806564ec04a
SHA1

cf6538e6d6eec51bab88da3963260b9204158e12
SHA256

09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977
SHA512

c4812f3fb9f89f65beefb972391fe58c4745ce221a24d8e597254f53d1f091e2178bb8613c35772ee0bb4aca7e5beebc368cd17cc07fdc82cc2fd1b2a0112be1
SSDEEP

6144:s+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWYhJ6usHJdJUt:XPw2PjCLe3a6Q70zbpJOHit

Score

10^/10

predatorstealer persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 1 IoCs

pid	Process
1980	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_231501.exe / start"	0x000f00000001201d-56.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	0x000f00000001201d-56.exe
File created	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	0x000f00000001201d-56.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2532	0x000f00000001201d-56.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	0x000f00000001201d-56.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2532	0x000f00000001201d-56.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	0x000f00000001201d-56.exe
Token: SeDebugPrivilege	1980	Zip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1980	2532	0x000f00000001201d-56.exe	29
PID 2532 wrote to memory of 1980	2532	0x000f00000001201d-56.exe	29
PID 2532 wrote to memory of 1980	2532	0x000f00000001201d-56.exe	29

C:\Users\Admin\AppData\Local\Temp\0x000f00000001201d-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000f00000001201d-56.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7.zip

Filesize
379KB

MD5
e5ec7eb99ac39a92127fdc230c3c23eb

SHA1
9cf85d5aa271e5ade5f6df95205bda3495e9fcc4

SHA256
38491292613e140fdd6eb1c35ffe9a46059b0395b3146e0ced3897e3c6de2fa6

SHA512
6d4dbf129b20aad39248543c4ebeac9bbfa7e04c96926b853cbff459dc836940d472a32634ccdf85d697089c6d1e82a36963046b819bbc442d6994380ce5c9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProgramList.txt

Filesize
2KB

MD5
d5628f68c6301a53aaf470e6d5513b28

SHA1
01dcea142ba4aeb39c4c4eb5a631da0b2d196183

SHA256
caa4da8ace2b22ed85c22fa713f69240bb72629ca3a67d4ecca931429f8c7bfc

SHA512
9ec7a2e8f48013d519014351ec94f764a867a940e114aeb140ff98a797fcc974122ce2bcca7737e4205b2c6b7155081f79f7d6ca90d3ac41f3327416ca976bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProsessList.txt

Filesize
483B

MD5
79a2516367b0f680b1fb8143919d5589

SHA1
0edc663b8834a0d4d9347409c7564fb521ae4348

SHA256
cfdc5f6abc5114d0f959eeb485119a797042387c11c3324cdb94ef8f9827c05c

SHA512
1081ea80ff7f0136ab22ecfd7fe9859a5c6c04a2bbf12da77f4e18f5b2fc06c4b64f887d444bb7ed2ca6d0c1bdbf59422e6818e7e2e8ba6b534f44b5d0e4b5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Screenshot.png

Filesize
380KB

MD5
17d0b6f554c8fb71ef0b1c49f83695c1

SHA1
005d56a12b06412df8d7a92d8209f95a3ec7dd49

SHA256
9ccbfa9a5ef9a69100cf87b43f9dbfcf7df5e8c0741d94ec473b9bfa457d4074

SHA512
7fa230729c065e92ace49b73d2d54bd562ed4f4118380fc4cb4d3ff1b3fbb1169cd54cc5a674dd73e92ce9dd034a15b7197d86f66beed9d8ebd23d40904eb75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\info.txt

Filesize
325B

MD5
33b2592ef630bc2c11df31cbeb392a8d

SHA1
3b19df80255406e179737306516fa97aeeb307f4

SHA256
0707f73b7ae5fca50f69416b48c21307149e4715c9f8ac9f6ec9e0f034993af9

SHA512
513658d089147498d9968bac88998a7785f54b795b310adf8b954b85ba5b155add50d4f56a5ff0637704e9a1c0c1b1fe6636fa8bccd055e0d8990991be92a2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
memory/1980-72-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1980-77-0x000000001AD10000-0x000000001AD90000-memory.dmp

Filesize
512KB

Download
memory/1980-85-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-73-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-84-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1980-74-0x000000001AD10000-0x000000001AD90000-memory.dmp

Filesize
512KB

Download
memory/2532-63-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-76-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-60-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-57-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-56-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-55-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-75-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2532-53-0x0000000000EA0000-0x0000000000F30000-memory.dmp

Filesize
576KB

Download
memory/2532-54-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads