predatorstealer | 09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977

Analysis

max time kernel
136s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-08-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000f00000001201d-56.exe
Size

550KB
MD5

9dfbed115f029f3501c48806564ec04a
SHA1

cf6538e6d6eec51bab88da3963260b9204158e12
SHA256

09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977
SHA512

c4812f3fb9f89f65beefb972391fe58c4745ce221a24d8e597254f53d1f091e2178bb8613c35772ee0bb4aca7e5beebc368cd17cc07fdc82cc2fd1b2a0112be1
SSDEEP

6144:s+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWYhJ6usHJdJUt:XPw2PjCLe3a6Q70zbpJOHit

Score

10^/10

predatorstealer persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 1 IoCs

pid	Process
3040	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_231501.exe / start"	0x000f00000001201d-56.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	0x000f00000001201d-56.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	0x000f00000001201d-56.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	0x000f00000001201d-56.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	0x000f00000001201d-56.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
860	0x000f00000001201d-56.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	0x000f00000001201d-56.exe
Token: SeDebugPrivilege	3040	Zip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3040	860	0x000f00000001201d-56.exe	29
PID 860 wrote to memory of 3040	860	0x000f00000001201d-56.exe	29
PID 860 wrote to memory of 3040	860	0x000f00000001201d-56.exe	29

C:\Users\Admin\AppData\Local\Temp\0x000f00000001201d-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000f00000001201d-56.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7.zip

Filesize
908KB

MD5
b90f312f081740f3c827587e2e66e6c2

SHA1
c3197cd6337d13714c92de62f2fc643db174ccc5

SHA256
5493ee3563cf8dc33f82e1661701403b1809972f9b19ef3e0d1f987b9b0c13da

SHA512
006d2676c7311c6560bfa8c5cf30774e3f2d40944bce905bcfef8a9d4870bd47452fda9f91397cd83e70e58b0114100cd69bb1ffae6e0ad69f88b4d26464a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\RequestEnter.ini

Filesize
531KB

MD5
5cb1ed12cb3c1ab8f78ff8b6b50d1d83

SHA1
c526573ed82556a692fa50a347039aa0b8978ba9

SHA256
7a28fdedd8204cfc1d82d6f2cfebd305f036da636e52792350a1cf8d5a126b5e

SHA512
1f1e4463bf21c1f77481983c0c9c205134e8c8bb8640cf04dd337cc23a1ec6f00c13184d8fd228c09aaae3c3e7883df994853f8bbab8c3ff907d36663730c69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProgramList.txt

Filesize
2KB

MD5
d5628f68c6301a53aaf470e6d5513b28

SHA1
01dcea142ba4aeb39c4c4eb5a631da0b2d196183

SHA256
caa4da8ace2b22ed85c22fa713f69240bb72629ca3a67d4ecca931429f8c7bfc

SHA512
9ec7a2e8f48013d519014351ec94f764a867a940e114aeb140ff98a797fcc974122ce2bcca7737e4205b2c6b7155081f79f7d6ca90d3ac41f3327416ca976bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProsessList.txt

Filesize
483B

MD5
a31d1adaabb13cb72ce8ae0e6bce7a89

SHA1
a61c6536b40aed753ca0208220151eb95921d71a

SHA256
e242abc884e8287161df50aadd4b244ca7917589cbe56ecc3b4099adeee5e7ee

SHA512
accfcfc26f155ed613d0fbc615c5f7bd161456866d2ebc81153db29eca311cf1c5ca61fb1f3e564245b9bc2586e433c48c6829e5082518478551e7d49f614cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Screenshot.png

Filesize
377KB

MD5
c80bbe76fc3fddcb124123da926ca265

SHA1
1c7573ee6fbf9bdb44fd527cd64920698072411a

SHA256
35385ef772b7d800efe2e9313d9ce45f5d0fc0919682fe9e5e7a4820d82484e5

SHA512
d4fc9493dfb5d145a3174072a6aa289c1e84291810f965453f45a40e4c4e323b5f992ea19c7a39fa6ae60af7c047d09ef63135dfa9db5a2f3f7e68574f7c878c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\info.txt

Filesize
325B

MD5
33b2592ef630bc2c11df31cbeb392a8d

SHA1
3b19df80255406e179737306516fa97aeeb307f4

SHA256
0707f73b7ae5fca50f69416b48c21307149e4715c9f8ac9f6ec9e0f034993af9

SHA512
513658d089147498d9968bac88998a7785f54b795b310adf8b954b85ba5b155add50d4f56a5ff0637704e9a1c0c1b1fe6636fa8bccd055e0d8990991be92a2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
memory/860-61-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/860-62-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-55-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/860-77-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-78-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-56-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-57-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-58-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/860-54-0x0000000000B60000-0x0000000000BF0000-memory.dmp

Filesize
576KB

Download
memory/3040-75-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-74-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/3040-79-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/3040-87-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-76-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download