General

  • Target

    edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe

  • Size

    620KB

  • Sample

    230830-x8yrvshe6v

  • MD5

    e36ce22684d90063256005787dc6f20b

  • SHA1

    bc7647d15e52e72bf36fda20e782965a2e7e47ba

  • SHA256

    edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa

  • SHA512

    e779725bb997951150788f81e10ebffa64bc406b519b78dda612955e597ca602b6fd0bfa471fe5abf35e585af5d9c92c6c593958d941c354dd5a5011e490bdb6

  • SSDEEP

    12288:D8t1GmK3ENAdy1YWEt3IRiRwxahJCKxXoRwh3CX7wBO09yrxR+tmtR:D8vGz3EACLEtMEDxVoR0SMwjTR

Malware Config

Extracted

Family

predatorstealer

C2

http://www.biopharmzpharma.com/Maxwhite/

Targets

    • Target

      edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe

    • Size

      620KB

    • MD5

      e36ce22684d90063256005787dc6f20b

    • SHA1

      bc7647d15e52e72bf36fda20e782965a2e7e47ba

    • SHA256

      edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa

    • SHA512

      e779725bb997951150788f81e10ebffa64bc406b519b78dda612955e597ca602b6fd0bfa471fe5abf35e585af5d9c92c6c593958d941c354dd5a5011e490bdb6

    • SSDEEP

      12288:D8t1GmK3ENAdy1YWEt3IRiRwxahJCKxXoRwh3CX7wBO09yrxR+tmtR:D8vGz3EACLEtMEDxVoR0SMwjTR

    • PredatorStealer

      Predator is a modular stealer written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks