predatorstealer | 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad

Analysis

max time kernel
70s
max time network
68s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Size

278KB
MD5

66a3124fe4ed45fae20e2bd4ee33c626
SHA1

fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
SHA256

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
SHA512

569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
SSDEEP

6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl

Score

10^/10

predatorstealer collection persistence spyware stealer

Malware Config

Extracted

Family

predatorstealer

http://hojokk.com/0x/

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer
Drops startup file 1 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Executes dropped EXE 2 IoCs

Processes:

FB_2CAC.tmp.exeFB_2CDB.tmp.exe

pid process

2168 FB_2CAC.tmp.exe
2464 FB_2CDB.tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

pid	process
2168	FB_2CAC.tmp.exe
2464	FB_2CDB.tmp.exe

Loads dropped DLL 3 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

pid	process
2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

FB_2CDB.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_2CDB.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_2CDB.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_2CDB.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FB_2CDB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"	FB_2CDB.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

description	pid	process	target process
PID 1720 set thread context of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

pid	process
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exeFB_2CDB.tmp.exe

description pid process

Token: SeDebugPrivilege 1720 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Token: SeDebugPrivilege 2464 FB_2CDB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Token: SeDebugPrivilege	2464	FB_2CDB.tmp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

outlook_office_path 1 IoCs

Processes:

FB_2CDB.tmp.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_2CDB.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_2CDB.tmp.exe

outlook_win_path 1 IoCs

Processes:

FB_2CDB.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_2CDB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\FB_2CAC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_2CAC.tmp.exe"
3⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\FB_2CDB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_2CDB.tmp.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FB_2CAC.tmp.exe
Filesize
3KB

MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
\Users\Admin\AppData\Local\Temp\FB_2CDB.tmp.exe
Filesize
83KB

MD5
d543973bd33d45d515e8dfc251411c4b

SHA1
ecee812501a082552f57aec170cb952578061843

SHA256
a02cf7e4d01c3e04c0c6f723a541289a12c5d87ecc47f6b675d84a6b1b0a23b3

SHA512
d2c60ec3e93ba01e3122c563a3e19d1a5b7c963545dbf291a53236ea1e7434bcdec6005f1cd08348a2b18a139e5b56dd47ab4c452f71bbb2c5319c77e765be9b

Download Submit
memory/1720-1-0x00000000001C0000-0x000000000020C000-memory.dmp

Filesize
304KB

Download
memory/1720-2-0x0000000004030000-0x000000000406E000-memory.dmp

Filesize
248KB

Download
memory/1720-3-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-4-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/1720-5-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/1720-7-0x0000000004870000-0x0000000004884000-memory.dmp

Filesize
80KB

Download
memory/1720-45-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/2464-40-0x0000000001220000-0x000000000123C000-memory.dmp

Filesize
112KB

Download
memory/2624-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2624-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

description	pid	process	target process
PID 1720 wrote to memory of 2696	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2696	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2696	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2696	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 1720 wrote to memory of 2624	1720	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
PID 2624 wrote to memory of 2168	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CAC.tmp.exe
PID 2624 wrote to memory of 2168	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CAC.tmp.exe
PID 2624 wrote to memory of 2168	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CAC.tmp.exe
PID 2624 wrote to memory of 2168	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CAC.tmp.exe
PID 2624 wrote to memory of 2464	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CDB.tmp.exe
PID 2624 wrote to memory of 2464	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CDB.tmp.exe
PID 2624 wrote to memory of 2464	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CDB.tmp.exe
PID 2624 wrote to memory of 2464	2624	630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe	FB_2CDB.tmp.exe