predatorstealer | ce1d57e8980fbdc500dc1baa64d4fcf2e3bc30a61c11ccad452cbc8bbe1f49fd | Triage

Submit
Reports

Overview

overview

Static

static

server.exe

windows10-2004-x64

Sharing

General

Target

server.exe
Size

550KB
Sample

240504-smwcdshd41
MD5

6cb512426a10237538b506679437b187
SHA1

281a423f138f9793ecaa9485457c2c01f35e8955
SHA256

ce1d57e8980fbdc500dc1baa64d4fcf2e3bc30a61c11ccad452cbc8bbe1f49fd
SHA512

ccfcb46cac5fcec1574310325cfe7d19661e30dd7f2638196e7ad21eadfd7d98f1a38bc65c44dcc52d322828a4243802394136f0eeea52cf1c39f81851a90cb4
SSDEEP

6144:s+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWYhJ6usHJdJUQ:XPw2PjCLe3a6Q70zbpJOHiQ

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Static task

static1

predatorstealer

2 signatures

Behavioral task

behavioral1

Sample

server.exe

Resource

win10v2004-20240419-en

predatorstealer collection discovery persistence spyware stealer

windows10-2004-x64

17 signatures

300 seconds

Malware Config

Extracted

Family

predatorstealer

C2

http://unseamed-semaphore.000webhostapp.com/Panel/

Targets

- Target
  
  server.exe
- Size
  
  550KB
- MD5
  
  6cb512426a10237538b506679437b187
- SHA1
  
  281a423f138f9793ecaa9485457c2c01f35e8955
- SHA256
  
  ce1d57e8980fbdc500dc1baa64d4fcf2e3bc30a61c11ccad452cbc8bbe1f49fd
- SHA512
  
  ccfcb46cac5fcec1574310325cfe7d19661e30dd7f2638196e7ad21eadfd7d98f1a38bc65c44dcc52d322828a4243802394136f0eeea52cf1c39f81851a90cb4
- SSDEEP
  
  6144:s+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWYhJ6usHJdJUQ:XPw2PjCLe3a6Q70zbpJOHiQ
Score

10^/10

predatorstealer collection discovery persistence spyware stealer
- PredatorStealer
  Predator is a modular stealer written in C#.
  stealer predatorstealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

predatorstealer

behavioral1

predatorstealercollectiondiscoverypersistencespywarestealer

© 2018-2024

Terms | Privacy