predatorstealer | edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa

Analysis

max time kernel
136s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-08-2023 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe
Size

620KB
MD5

e36ce22684d90063256005787dc6f20b
SHA1

bc7647d15e52e72bf36fda20e782965a2e7e47ba
SHA256

edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa
SHA512

e779725bb997951150788f81e10ebffa64bc406b519b78dda612955e597ca602b6fd0bfa471fe5abf35e585af5d9c92c6c593958d941c354dd5a5011e490bdb6
SSDEEP

12288:D8t1GmK3ENAdy1YWEt3IRiRwxahJCKxXoRwh3CX7wBO09yrxR+tmtR:D8vGz3EACLEtMEDxVoR0SMwjTR

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Extracted

Family

predatorstealer

http://www.biopharmzpharma.com/Maxwhite/

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 2 IoCs

pid	Process
2380	13.dll
2844	Zip.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	13.dll
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	13.dll
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	13.dll

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_233007.exe / start"	13.dll

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	13.dll
File opened for modification	C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini	13.dll

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	13.dll

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	13.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	13.dll
Token: SeDebugPrivilege	2844	Zip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2380	2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe	28
PID 2528 wrote to memory of 2380	2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe	28
PID 2528 wrote to memory of 2380	2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe	28
PID 2528 wrote to memory of 2380	2528	edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe	28
PID 2380 wrote to memory of 2844	2380	13.dll	30
PID 2380 wrote to memory of 2844	2380	13.dll	30
PID 2380 wrote to memory of 2844	2380	13.dll	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	13.dll

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	13.dll

C:\Users\Admin\AppData\Local\Temp\edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe
"C:\Users\Admin\AppData\Local\Temp\edbcfe1171767f6e2a18266e14039c5fecfd0922fd5eca64971a901ea2d9d8aa_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\13.dll
  C:\Users\Admin\AppData\Local\Temp\13.dll
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\Zip.exe
    "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13.dll

Filesize
550KB

MD5
9dfbed115f029f3501c48806564ec04a

SHA1
cf6538e6d6eec51bab88da3963260b9204158e12

SHA256
09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977

SHA512
c4812f3fb9f89f65beefb972391fe58c4745ce221a24d8e597254f53d1f091e2178bb8613c35772ee0bb4aca7e5beebc368cd17cc07fdc82cc2fd1b2a0112be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.dll

Filesize
550KB

MD5
9dfbed115f029f3501c48806564ec04a

SHA1
cf6538e6d6eec51bab88da3963260b9204158e12

SHA256
09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977

SHA512
c4812f3fb9f89f65beefb972391fe58c4745ce221a24d8e597254f53d1f091e2178bb8613c35772ee0bb4aca7e5beebc368cd17cc07fdc82cc2fd1b2a0112be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7.zip

Filesize
375KB

MD5
4efe7b99c7f494ce9e11b8abf5578cf7

SHA1
9f676078f5108d4d4da43d876ef0cc75748f8bee

SHA256
75ef9cbfccbbf2860cb72cf9ca66a7e5197cbf71d9ca92fb9b4a4edc05e84662

SHA512
2bc1c3ba5d9056a62af2a7d0e90b8dd78409276a736c0b2490bc5109d51a987f1074f162e7550f75875a6fff012301c2b39ad8afb22bae2550772a4b4bda3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Files\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProgramList.txt

Filesize
2KB

MD5
d5628f68c6301a53aaf470e6d5513b28

SHA1
01dcea142ba4aeb39c4c4eb5a631da0b2d196183

SHA256
caa4da8ace2b22ed85c22fa713f69240bb72629ca3a67d4ecca931429f8c7bfc

SHA512
9ec7a2e8f48013d519014351ec94f764a867a940e114aeb140ff98a797fcc974122ce2bcca7737e4205b2c6b7155081f79f7d6ca90d3ac41f3327416ca976bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\ProsessList.txt

Filesize
546B

MD5
dfe321c7745dcb4c5981d50b15e111e8

SHA1
16e8baa14ae81dd87d36971be40f1bcb0fcdf80e

SHA256
4557aed29e34992869c8d33ac18eca9bb5325d029f2b21925ae4f74e38f2654c

SHA512
4ec31673d2460540041ad70ae686667cf6cc2717d3d9c1474b3d1f87a2a32f4e50942b8979d29ebc91e12dd9e447d3e9f17a314536d70e4cb2646c24478a490e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\Screenshot.png

Filesize
375KB

MD5
afba9a67f19a4e7de5af3b77d0a35c96

SHA1
351851525fa7e65b6cd26f777ddb29c427db9f3c

SHA256
a6a2968bdd1ce5b6a680354ab38f4f9fdb16994208f357082f42f12f97c2a873

SHA512
50603c53b7540b1b1008543a5db49fd15d1d8f66e194c4153f9e829b701c730c6b75d36c64f98540f78517178a8657123c5880b4cc04cb62e6dcfb7ea1cca22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL_BFEBFBFF000206D7\info.txt

Filesize
325B

MD5
847385d18c65b3620f64bb85d9c7f53a

SHA1
eabe9f4cfe7f1c585bd12fd345ce16a72b01cf9d

SHA256
99cbf989c1a43f30638ef2b866d5f637aec9eb97c20d7fa1c032392c8bb0668a

SHA512
dc1ca07eed5a3b77320252cd280bee77008257dcf26616711414130a61722a6bd203ddfb1504dabf9f7ff1cebfb1e93d9cafe7554ca91a248364e494da51ba3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
3afd64484a2a34fc34d1155747dd3847

SHA1
451e1d878179f6fcfbaf9fa79d9ee8207489748f

SHA256
bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9

SHA512
d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448

Download Submit
\Users\Admin\AppData\Local\Temp\13.dll

Filesize
550KB

MD5
9dfbed115f029f3501c48806564ec04a

SHA1
cf6538e6d6eec51bab88da3963260b9204158e12

SHA256
09780015b2aeb7e82bdd67973f45d5eea247ff19057ed8be1c61d8c434983977

SHA512
c4812f3fb9f89f65beefb972391fe58c4745ce221a24d8e597254f53d1f091e2178bb8613c35772ee0bb4aca7e5beebc368cd17cc07fdc82cc2fd1b2a0112be1

Download Submit
memory/2380-10-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-17-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-7-0x0000000000300000-0x0000000000390000-memory.dmp

Filesize
576KB

Download
memory/2380-8-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-29-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-30-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-9-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-11-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2380-14-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-26-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/2844-31-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2844-28-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2844-38-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-27-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download