predatorstealer | 43cdfa89c733035f467ed836d47e9b4f0606694a9f0bbd2e2486f280c3b4bbca

General

Target

iZgmWELeW.exe
Size

536KB
MD5

0eb6dbfff80ff1be420351f6a26d622f
SHA1

1ca934f59e932387e96a49d88fc05ddf2bf4db8a
SHA256

43cdfa89c733035f467ed836d47e9b4f0606694a9f0bbd2e2486f280c3b4bbca
SHA512

f03bed046630eaad253d89110cee1711243b377d22f805cdbd28a46e3c2705c987789bb499afb30ad28ce317079a6e6e47ce7064827d58f2f4bbb11d381fe2d0
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUZ:OPw2PjCLe3a6Q70zbYow60Z

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 1 IoCs

pid	Process
96	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iZgmWELeW.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iZgmWELeW.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iZgmWELeW.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_240403.exe / start"	iZgmWELeW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3484	iZgmWELeW.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3484	iZgmWELeW.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	iZgmWELeW.exe
Token: SeDebugPrivilege	96	Zip.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 96	3484	iZgmWELeW.exe	74
PID 3484 wrote to memory of 96	3484	iZgmWELeW.exe	74

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iZgmWELeW.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iZgmWELeW.exe

C:\Users\Admin\AppData\Local\Temp\iZgmWELeW.exe
"C:\Users\Admin\AppData\Local\Temp\iZgmWELeW.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:96

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672.zip

Filesize
421KB

MD5
d054a11277f77dfd92308472be408e47

SHA1
f84f37da26c92223aec8d54c927df2124c635d3c

SHA256
457b41c122a2f7727fe5febbcd79eb433f790ed7aa1a1139758cf892d0d6a13b

SHA512
ba47773829de4f12e00c0a332d28a9c6490894d91e9f3f615e3b516e58bae2492e070a04e6b711188e4c055f20892656a5c962b129f2736a4fe3a908a8f3218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProgramList.txt

Filesize
1KB

MD5
adbb38b2251f95a577597fbfb89730e4

SHA1
510276d61b8b26f3ee92ba40fc8161f10eb83e65

SHA256
1775361eee6162b9f65c8624d4a02c3a5868503d302bc3d257e57c10d3a6ec02

SHA512
79257bace579d73208198b26c2dbfc65044d42e0d8afd7d7392ea89a717e05ee500627e8f697333e421370702e42f3d2c58297f9b2e330f847d4b55239dcf97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
1a8c3b152895f588bff97d882efd17b8

SHA1
e6ee2bb97eb53c9e9eb621a28ade06810aa44cbc

SHA256
1f10db59245d4ff7cc2efcec3d2f23f0c42107c35549f3f4bd8d61816771b766

SHA512
4ef5b1b7a61b7a8e620a2decca5ff9a403f22d6ac21bb01045957fed17c0a4ad9700ba4aa15babd7a01b8ba922cc1319a14480e115739e34ba9be320b3aa4eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\Screenshot.png

Filesize
422KB

MD5
07dcbd9258d7786b77a86009347bf541

SHA1
361d5b0e18e50d05013330f906ed7886d5cd4e48

SHA256
9ea9d353c66e08cc667e431ef8d2feb3095161f3aa68b8425b2972bdc3059595

SHA512
6dc14d665c79eb50a3530e2393b1193b9602ac812c9899e58b57e9d9d8fcc91a6d7a0baf4d4bf4a028d5f39ceec341da7dbfee784666c7db9d710dca1c676ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
83ec86e039ca48a49153f1b4e3a67f3b

SHA1
9a82f1046a0b4955e75c051836dff6bba9e9de49

SHA256
42f93192456b8cf589cfa609816180552334a52550d06c36caeaa8a523fbff63

SHA512
f843031c299bc8ef7ce09b7a8fed09554a7f0c7dc7f87b4709d5580340b28c387da37a48d2a5c35e3236ae2f3f552e4764692282e044e0d9f772d4557ed4a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/96-18-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/96-17-0x000001FA09580000-0x000001FA09590000-memory.dmp

Filesize
64KB

Download
memory/96-19-0x000001FA0B340000-0x000001FA0B34A000-memory.dmp

Filesize
40KB

Download
memory/96-20-0x000001FA0B370000-0x000001FA0B382000-memory.dmp

Filesize
72KB

Download
memory/96-27-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-0-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp

Filesize
4KB

Download
memory/3484-7-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-4-0x000000001C290000-0x000000001C7B6000-memory.dmp

Filesize
5.1MB

Download
memory/3484-3-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-2-0x000000001B390000-0x000000001B552000-memory.dmp

Filesize
1.8MB

Download
memory/3484-1-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/3484-29-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp

Filesize
4KB

Download
memory/3484-30-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads