win.predator (Back to overview)

Predator The Thief


Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle that includes a payload builder and a command-and-control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallet addresses, and take photos with the webcam. It is developed using a modular approach so that criminals may add more sophisticated tools on top of it.

References
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2020-01-17Hiroaki Ogawa, Manabu Niseki
@techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } 100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-12-25funko
@online{funko:20191225:lets:599836d, author = {funko}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } Let’s play (again) with Predator the thief
Predator The Thief
2019-04-18FortinetYueh-Ting Chen, Evgeny Ananin
@online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } Predator the Thief: New Routes of Delivery
Predator The Thief
2019-03-11Kaspersky LabsGReAT
@online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } A predatory tale: Who’s afraid of the thief?
Predator The Thief
2018-10-15fumik0 blogfumik0
@online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } Predator The Thief: In-depth analysis (v2.3.5)
Predator The Thief
Yara Rules
[TLP:WHITE] win_predator_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_predator_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of x86 opcode bytes lifted from the sample's
     * disassembly (the per-line comments below give the instruction for each
     * byte group). The "??" wildcards mask the rel32 displacement of an e8
     * (call) opcode, so the pattern survives the call target being relocated.
     * Note that several sequences overlap and are therefore not independent
     * hits: $sequence_0/$sequence_7 share "c747140f000000 c60700 8b4610",
     * $sequence_1/$sequence_9 share "888c062c1f0000 ff862caf0100 85d2 750d",
     * and $sequence_4/$sequence_8 share "57 6a0a 5f 85c0".
     */
    strings:
        $sequence_0 = { c747140f000000 c60700 8b4610 40 50 e8???????? 56 }
            // n = 7, score = 900
            //   c747140f000000       | mov                 dword ptr [edi + 0x14], 0xf
            //   c60700               | mov                 byte ptr [edi], 0
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_1 = { 888c062c1f0000 ff862caf0100 85d2 750d 66ff448e14 8a8639af0100 }
            // n = 6, score = 900
            //   888c062c1f0000       | mov                 byte ptr [esi + eax + 0x1f2c], cl
            //   ff862caf0100         | inc                 dword ptr [esi + 0x1af2c]
            //   85d2                 | test                edx, edx
            //   750d                 | jne                 0xf
            //   66ff448e14           | inc                 word ptr [esi + ecx*4 + 0x14]
            //   8a8639af0100         | mov                 al, byte ptr [esi + 0x1af39]

        $sequence_2 = { 8b8630af0100 668994462c9f0000 8a8639af0100 ff8630af0100 088638af0100 02c0 33db }
            // n = 7, score = 900
            //   8b8630af0100         | mov                 eax, dword ptr [esi + 0x1af30]
            //   668994462c9f0000     | mov                 word ptr [esi + eax*2 + 0x9f2c], dx
            //   8a8639af0100         | mov                 al, byte ptr [esi + 0x1af39]
            //   ff8630af0100         | inc                 dword ptr [esi + 0x1af30]
            //   088638af0100         | or                  byte ptr [esi + 0x1af38], al
            //   02c0                 | add                 al, al
            //   33db                 | xor                 ebx, ebx

        $sequence_3 = { 85c0 75ef 51 8d45fd 8bcf 50 }
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   75ef                 | jne                 0xfffffff1
            //   51                   | push                ecx
            //   8d45fd               | lea                 eax, [ebp - 3]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax

        $sequence_4 = { 57 6a0a 5f 85c0 7916 }
            // n = 5, score = 900
            //   57                   | push                edi
            //   6a0a                 | push                0xa
            //   5f                   | pop                 edi
            //   85c0                 | test                eax, eax
            //   7916                 | jns                 0x18

        $sequence_5 = { 83ec18 8bc2 56 57 8bf9 8d75fd 33d2 }
            // n = 7, score = 900
            //   83ec18               | sub                 esp, 0x18
            //   8bc2                 | mov                 eax, edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8d75fd               | lea                 esi, [ebp - 3]
            //   33d2                 | xor                 edx, edx

        $sequence_6 = { 03c2 8bce 50 e8???????? }
            // n = 4, score = 900
            //   03c2                 | add                 eax, edx
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 8bf2 83671000 c747140f000000 c60700 8b4610 }
            // n = 5, score = 900
            //   8bf2                 | mov                 esi, edx
            //   83671000             | and                 dword ptr [edi + 0x10], 0
            //   c747140f000000       | mov                 dword ptr [edi + 0x14], 0xf
            //   c60700               | mov                 byte ptr [edi], 0
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]

        $sequence_8 = { 8bf1 8d4dfd 57 6a0a 5f 85c0 }
            // n = 6, score = 900
            //   8bf1                 | mov                 esi, ecx
            //   8d4dfd               | lea                 ecx, [ebp - 3]
            //   57                   | push                edi
            //   6a0a                 | push                0xa
            //   5f                   | pop                 edi
            //   85c0                 | test                eax, eax

        $sequence_9 = { 8b862caf0100 888c062c1f0000 ff862caf0100 85d2 750d }
            // n = 5, score = 900
            //   8b862caf0100         | mov                 eax, dword ptr [esi + 0x1af2c]
            //   888c062c1f0000       | mov                 byte ptr [esi + eax + 0x1f2c], cl
            //   ff862caf0100         | inc                 dword ptr [esi + 0x1af2c]
            //   85d2                 | test                edx, edx
            //   750d                 | jne                 0xf

    /* Match requires 7 of the 10 sequences (so up to three may be missing or
     * altered) plus a size cap of 2211840 bytes (2160 KiB). The cap is
     * presumably derived from the generating sample set — TODO confirm; larger
     * memory dumps or repacked variants will fall outside it and not match.
     */
    condition:
        7 of them and filesize < 2211840
}
[TLP:WHITE] win_predator_w0   (20181019 | Yara rule for Predator The Thief v2.3.5 & +)
rule win_predator_w0 {
   /* Hand-written rule targeting Predator The Thief v2.3.5 and later; the
    * author field matches the fumik0 write-ups referenced above. The hex
    * patterns are x86 instruction encodings:
    *   BF 00 00 40 06  -> mov edi, 0x06400000 (decimal 104857600, i.e. 100 MiB
    *                      as an imm32); what the constant is used for is not
    *                      documented here — see the v2.3.5 analysis.
    *   C6 04 31 xx     -> mov byte ptr [ecx+esi], xx  with xx = 0x6B 'k',
    *                      0x63 'c', 0x75 'u', 0x66 'f'; presumably a string
    *                      assembled one byte at a time rather than stored as
    *                      a literal — TODO confirm against the analysis.
    * Each of these is only 4–5 bytes long, so they are weak individually and
    * the condition requires all of them together.
    */
   meta:
        description = "Yara rule for Predator The Thief v2.3.5 & +"
        author = "Fumik0_"
        date = "2018/10/12"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_version = "20181019"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
        $hex1 = { BF 00 00 40 06 } 
        $hex2 = { C6 04 31 6B }
        $hex3 = { C6 04 31 63 }
        $hex4 = { C6 04 31 75 }
        $hex5 = { C6 04 31 66 }

        // Matched in both ASCII and UTF-16LE form. "sqlite_" is generic (any
        // binary embedding SQLite contains it), so it only narrows the match
        // in combination with the hex patterns; it does not identify the family.
        $s1 = "sqlite_" ascii wide
   /* All five opcode patterns and the string must be present. There is no
    * filesize or PE-header check, so the rule is not restricted to on-disk PE
    * files and can be applied to unpacked images as well.
    */
   condition:
        all of ($hex*) and all of ($s*)
}