predatorstealer | 958507b834f5546203d355a85c4f867bf1cf9497a61bbd5f35c4baa4887cf8f1

General

Target

SNTvMcyGn.exe
Size

536KB
MD5

c40d5a3491484ba96ea6a1e938e51194
SHA1

b20b473e71a20307f7a0fe872cb0b30a50a6ef2f
SHA256

958507b834f5546203d355a85c4f867bf1cf9497a61bbd5f35c4baa4887cf8f1
SHA512

3cdf811b929895e56b11b68c4bdb7e14c4b4c41132d17e6c1a8a3ead91d535819f556f559a94c160edf6592f233b2d85594e3d4dcf5593d8e3172b6fd78c3413
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUS:OPw2PjCLe3a6Q70zbYow60S

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SNTvMcyGn.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SNTvMcyGn.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SNTvMcyGn.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SNTvMcyGn.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_240403.exe / start"	SNTvMcyGn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	SNTvMcyGn.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2692	SNTvMcyGn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	SNTvMcyGn.exe
Token: SeDebugPrivilege	4712	Zip.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 4712	2692	SNTvMcyGn.exe	94
PID 2692 wrote to memory of 4712	2692	SNTvMcyGn.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SNTvMcyGn.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SNTvMcyGn.exe

C:\Users\Admin\AppData\Local\Temp\SNTvMcyGn.exe
"C:\Users\Admin\AppData\Local\Temp\SNTvMcyGn.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2692
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672.zip

Filesize
423KB

MD5
460f5ebcf32bfdd2b2701961bf0bab24

SHA1
3738bf01bb8dc20a6defa843a2770b13b28835d1

SHA256
dbd774b78a5e9f5185bbe1a4a7411de40851ee20e75a6ed0b42ba3785dd5afcc

SHA512
f883a2cac822cd96b58494f8db9152bf5f583f9bca0dbb453c8cddecb737f1a6a2a70fcdced2470669a2c3e8c125681a007f2424404cbeb22ffe832ac270e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProgramList.txt

Filesize
3KB

MD5
db688fb8707737b3179a33fdc1e85951

SHA1
c25c9d25afe2222324c5bc1581f9d275efc70b8a

SHA256
533e12e2d8cc7c43c4c9bc2ab2428a8dbfdcb4f18126d6f63dfa33f4452ea56f

SHA512
da2d85750c45a22ba2d7124bb7f39f62fea0d0d7902ebe5114ca82d8e4c50499a8e2335cec18072ca17f437294981a0041bbf5672a129e16efea769c55906268

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
1fdb4c64b89f612cf69302fb46ae9f33

SHA1
3e6a51a9e0029f64815d50ef7d94cbf36309045a

SHA256
815ed77f65a59b56d7690d053aa497785bd90db7012e83db63c4a7b16b18b740

SHA512
f95ec4c40ba36c8e2b96619c86d76867fb6275e8e7174aac216ae1d27bc821d784aea1d27936aa612d4fefaad23d5a16a3aac37cd808b256e6d2ac84f9f79d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\Screenshot.png

Filesize
424KB

MD5
7db2dde73fa8645ff5e5d137fbfeeb36

SHA1
08b4fc2cd337411c432431caf5074726ff208f59

SHA256
7cf1b1290b8b4a4731d0b708653d8d25a470d19cdc3400b2b7de827af44e3365

SHA512
25234819f3e9a89e8054c4240a1c24b2fab613551be70ac58e79bafbd1034e0d41784f1a2161e996022fc757987a0c87c8a9ddf99fb8418a6faad6d4364a52c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
8c08c25128b0098c9487242910e002df

SHA1
f0fa6674ea59e21f294d420e058298ac417e7905

SHA256
7915838fe8a36cc6f1d2349e6c9a6e1471f59c55dc5c26e0a07a794efbdfaea9

SHA512
982ab148de76f6e4fa450c379a74de25fc910469623491b8ffc8bb7ca74607fd2c1504b2b215f499cf97a4e4ee87766ef851f11d23edcac11473f26f0b9d5e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/2692-7-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/2692-37-0x00007FFB54763000-0x00007FFB54765000-memory.dmp

Filesize
8KB

Download
memory/2692-41-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/2692-40-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/2692-1-0x00007FFB54763000-0x00007FFB54765000-memory.dmp

Filesize
8KB

Download
memory/2692-36-0x000000001B3B0000-0x000000001B4B2000-memory.dmp

Filesize
1.0MB

Download
memory/2692-0-0x00000000006B0000-0x000000000073C000-memory.dmp

Filesize
560KB

Download
memory/2692-4-0x000000001C5B0000-0x000000001CAD8000-memory.dmp

Filesize
5.2MB

Download
memory/2692-3-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/2692-2-0x000000001B6B0000-0x000000001B872000-memory.dmp

Filesize
1.8MB

Download
memory/4712-34-0x0000021E1D540000-0x0000021E1D642000-memory.dmp

Filesize
1.0MB

Download
memory/4712-35-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4712-27-0x0000021E1D3A0000-0x0000021E1D3B2000-memory.dmp

Filesize
72KB

Download
memory/4712-23-0x0000021E02EA0000-0x0000021E02EB0000-memory.dmp

Filesize
64KB

Download
memory/4712-26-0x0000021E1D320000-0x0000021E1D32A000-memory.dmp

Filesize
40KB

Download
memory/4712-25-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4712-24-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads