Analysis
-
max time kernel
1559s -
max time network
1559s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
14-01-2024 17:38
General
-
Target
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
-
Size
278KB
-
MD5
66a3124fe4ed45fae20e2bd4ee33c626
-
SHA1
fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
-
SHA256
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
-
SHA512
569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
-
SSDEEP
6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl
Malware Config
Extracted
predatorstealer
http://hojokk.com/0x/
Signatures
-
PredatorStealer
Predator is a modular stealer written in C#.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB_201F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_201F.tmp.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Users\Admin\AppData\Local\Temp\FB_1FD0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_1FD0.tmp.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD574bafb3e707c7b0c63938ac200f99c7f
SHA110c5506337845ed9bf25c73d2506f9c15ab8e608
SHA256129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689
SHA5125b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781
-
Filesize
83KB
MD5d543973bd33d45d515e8dfc251411c4b
SHA1ecee812501a082552f57aec170cb952578061843
SHA256a02cf7e4d01c3e04c0c6f723a541289a12c5d87ecc47f6b675d84a6b1b0a23b3
SHA512d2c60ec3e93ba01e3122c563a3e19d1a5b7c963545dbf291a53236ea1e7434bcdec6005f1cd08348a2b18a139e5b56dd47ab4c452f71bbb2c5319c77e765be9b
-
Filesize
304KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
96KB
-
Filesize
24KB
-
Filesize
80KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB