predatorstealer | 052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562

Analysis

max time kernel
445s
max time network
451s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Size

278KB
MD5

66a3124fe4ed45fae20e2bd4ee33c626
SHA1

fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
SHA256

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
SHA512

569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
SSDEEP

6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl

Score

10^/10

predatorstealer collection persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer
Drops startup file 1 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Executes dropped EXE 2 IoCs

Processes:

FB_B892.tmp.exeFB_BA29.tmp.exe

pid process

3012 FB_B892.tmp.exe
1808 FB_BA29.tmp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

pid	process
3012	FB_B892.tmp.exe
1808	FB_BA29.tmp.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

FB_BA29.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_BA29.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_BA29.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_BA29.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FB_BA29.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"	FB_BA29.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

description	pid	process	target process
PID 2064 set thread context of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

pid	process
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exeFB_BA29.tmp.exe

description pid process

Token: SeDebugPrivilege 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Token: SeDebugPrivilege 1808 FB_BA29.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Token: SeDebugPrivilege	1808	FB_BA29.tmp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

outlook_office_path 1 IoCs

Processes:

FB_BA29.tmp.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_BA29.tmp.exe

outlook_win_path 1 IoCs

Processes:

FB_BA29.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_BA29.tmp.exe

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
2⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe"
3⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe
Filesize
3KB

MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe
Filesize
83KB

MD5
d543973bd33d45d515e8dfc251411c4b

SHA1
ecee812501a082552f57aec170cb952578061843

SHA256
a02cf7e4d01c3e04c0c6f723a541289a12c5d87ecc47f6b675d84a6b1b0a23b3

SHA512
d2c60ec3e93ba01e3122c563a3e19d1a5b7c963545dbf291a53236ea1e7434bcdec6005f1cd08348a2b18a139e5b56dd47ab4c452f71bbb2c5319c77e765be9b

Download Submit
memory/1808-51-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1808-49-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1808-48-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/1808-44-0x0000000007EA0000-0x0000000007EB8000-memory.dmp

Filesize
96KB

Download
memory/1808-42-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1808-41-0x0000000004CC0000-0x0000000004D16000-memory.dmp

Filesize
344KB

Download
memory/1808-40-0x0000000004B00000-0x0000000004B0A000-memory.dmp

Filesize
40KB

Download
memory/1808-39-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1808-37-0x0000000000180000-0x000000000019C000-memory.dmp

Filesize
112KB

Download
memory/1808-38-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/2064-6-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/2064-5-0x00000000056E0000-0x000000000571E000-memory.dmp

Filesize
248KB

Download
memory/2064-18-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/2064-1-0x0000000000BE0000-0x0000000000C2C000-memory.dmp

Filesize
304KB

Download
memory/2064-2-0x0000000005D30000-0x00000000062D6000-memory.dmp

Filesize
5.6MB

Download
memory/2064-11-0x0000000005CA0000-0x0000000005CB4000-memory.dmp

Filesize
80KB

Download
memory/2064-9-0x00000000063E0000-0x0000000006446000-memory.dmp

Filesize
408KB

Download
memory/2064-8-0x00000000059E0000-0x00000000059E6000-memory.dmp

Filesize
24KB

Download
memory/2064-7-0x0000000005990000-0x00000000059A8000-memory.dmp

Filesize
96KB

Download
memory/2064-0-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/2064-3-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/2064-4-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/2620-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2620-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2620-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

description	pid	process	target process
PID 2064 wrote to memory of 4552	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 4552	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 4552	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2064 wrote to memory of 2620	2064	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2620 wrote to memory of 3012	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_B892.tmp.exe
PID 2620 wrote to memory of 3012	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_B892.tmp.exe
PID 2620 wrote to memory of 3012	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_B892.tmp.exe
PID 2620 wrote to memory of 1808	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_BA29.tmp.exe
PID 2620 wrote to memory of 1808	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_BA29.tmp.exe
PID 2620 wrote to memory of 1808	2620	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_BA29.tmp.exe