predatorstealer | 51b075e7b8e4cdc4fbfbc0975f314c8dbe132708cf4bfd401309211f6e305ba9

General

Target

VXtAzooiE.exe
Size

536KB
MD5

35a56e5bb4edb4c6a9ea41f6a0dd12e6
SHA1

21b771f649d8481f3d192723e46c1cfe344cfd98
SHA256

51b075e7b8e4cdc4fbfbc0975f314c8dbe132708cf4bfd401309211f6e305ba9
SHA512

3b8583c55516b61ed9bf129e048b8cee46e1767ce8b0a19ea13361fa25e605b7d297adaa953b440f42366c964ea54aaa8b2fe7daa4affdc3d2779840fec677c6
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUt:OPw2PjCLe3a6Q70zbYow60t

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VXtAzooiE.exe

Executes dropped EXE 1 IoCs

pid	Process
3448	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VXtAzooiE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VXtAzooiE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VXtAzooiE.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_240403.exe / start"	VXtAzooiE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4472	VXtAzooiE.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4472	VXtAzooiE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	VXtAzooiE.exe
Token: SeDebugPrivilege	3448	Zip.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3448	4472	VXtAzooiE.exe	92
PID 4472 wrote to memory of 3448	4472	VXtAzooiE.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VXtAzooiE.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VXtAzooiE.exe

C:\Users\Admin\AppData\Local\Temp\VXtAzooiE.exe
"C:\Users\Admin\AppData\Local\Temp\VXtAzooiE.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4472
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672.zip

Filesize
427KB

MD5
8498234e3e9c22873f459feda0d2c28c

SHA1
dc38b1cf689ea83b72c1bde3c372473cad42905a

SHA256
3fb54eb6d8dbbca017ab349f41fa2c2573c2b14c7730108cf32452f5e3e12673

SHA512
9e87315a8e06efa0fdb9284b544c9f1c0674bcbca01b9f05a60f01d0fe1a3353658ea89564d43744a8adf350bd4a859d70de53e4ea381dddd91cbdc641c4754b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProgramList.txt

Filesize
2KB

MD5
cfe18367f0cd09ecc89e4dec41435205

SHA1
c6f7c17d06b8fcecab9034bae5f3ba23689cfb9b

SHA256
86bcda1f2679269abe24d399316b5b7542deb1acdc3d89f100f367917b9fba4e

SHA512
bd3a517c8c687b6b9a62fb2f5c239575f825cbd13ae298c174285bb6ab882c9753498756b0888e34753d64999882cd3771bd65943653b768ffefae314b8dd8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
60a850294c7d27d1f6c8c95bee3241af

SHA1
bf28c0f1dfda39271ff3f7e9bb530098912031c1

SHA256
9c2d1b208bf075ce1256996062cce556d13b2cbd0d26e4ff8b26a6f2a8ab0492

SHA512
e89c792e3c51cd1b737dd29b70fefbbde2bcf2a7556a233ba2aa2d652cd6cef095bb7daccea2eca50e6b8e1e64ce3d943e20d08d6d68da98992651d3ddce9057

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\Screenshot.png

Filesize
428KB

MD5
afeada92351240bccabd15e285937a42

SHA1
e9fb4d87cf53469bfb9bacd667eff1728fb4c89b

SHA256
13ff0b3ee4c8c71f15d2f255f699db6840327be7a94650f68dc4f6b9954ee530

SHA512
147ff73e28aff6d9a43435ada6cc49176a247582d51ac0dcb7cbef4a59878a4446f26b706ea4c5e3dc3b3685a6b455ba841ecb30e2d414988e0c7aaa7aa5c6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
5124ab27f5a1645b33329b07656cb47f

SHA1
73b7bcc67759f3b7128f9c0fc4d399579a6e4eea

SHA256
6e9b8deae94f6cede267f37748d6b7bdefa5809dad1f4a1caaf5573ab1018a3f

SHA512
54e99a97e880832b09a1e3c45912ea540d31e424ac15b2b26c690c4f1b6bd79469db2cd13aa702446ec8286ab0627c42ade2331390676bc881ef90f3ac4f7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/3448-26-0x00000109F2370000-0x00000109F237A000-memory.dmp

Filesize
40KB

Download
memory/3448-23-0x00000109EFEA0000-0x00000109EFEB0000-memory.dmp

Filesize
64KB

Download
memory/3448-24-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-25-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-35-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-27-0x00000109F2600000-0x00000109F2612000-memory.dmp

Filesize
72KB

Download
memory/4472-4-0x000000001C940000-0x000000001CE68000-memory.dmp

Filesize
5.2MB

Download
memory/4472-5-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-3-0x000000001BB40000-0x000000001BD02000-memory.dmp

Filesize
1.8MB

Download
memory/4472-2-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-33-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/4472-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/4472-36-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-1-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

Filesize
560KB

Download
memory/4472-38-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads