win.predator

Predator The Thief


Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle that includes a payload builder and a command-and-control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed using a modular approach so that criminals may add more sophisticated tools on top of it.

References
2021-04-12 PTSecurity PTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2020-11-09 Bleeping Computer Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-07-17 CERT-FR CERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-03-04 CrowdStrike CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-05 Cybereason Lior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020-01-17 Hiroaki Ogawa, Manabu Niseki
@techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } 100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2020 Secureworks SecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-12-25 funko
@online{funko:20191225:lets:599836d, author = {funko}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } Let’s play (again) with Predator the thief
Predator The Thief
2019-04-18 Fortinet Yueh-Ting Chen, Evgeny Ananin
@online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } Predator the Thief: New Routes of Delivery
Predator The Thief
2019-03-11 Kaspersky Labs GReAT
@online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } A predatory tale: Who’s afraid of the thief?
Predator The Thief
2018-10-15 fumik0 blog fumik0
@online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } Predator The Thief: In-depth analysis (v2.3.5)
Predator The Thief
Yara Rules
[TLP:WHITE] win_predator_auto (20230715 | Detects win.predator.)
// Auto-generated code-sequence signature for the Predator The Thief stealer
// (Malpedia family win.predator). Each $sequence_N string is a short run of
// x86 opcode bytes that yara-signator selected from the disassembly of unpacked
// samples / memory dumps; the disassembly listed under each string is
// informational only and is not part of the match. The "??" bytes mask
// operands that differ between builds (relative call/jump targets, absolute
// data addresses), so a sequence still matches when those targets move.
// Because the generator may have seen only a single sample per family, treat
// hits as a lead to corroborate, not as proof of family on their own.
rule win_predator_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.predator."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used to pick strings (calls/jumps,
        // data references, binary values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_rule_date = "20230705"
        // Appears to be a revision identifier of the Malpedia data the rule was
        // generated from (provenance bookkeeping), not a sample hash to hunt for.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Note: $sequence_0 is contained in $sequence_6 (same "03c2 8bce 50"
        // bytes, $sequence_6 just adds a leading "57"), so a file matching
        // $sequence_6 also matches $sequence_0. Both count separately toward the
        // "7 of them" threshold below, so they are not independent evidence.
        $sequence_0 = { 03c2 8bce 50 e8???????? }
            // n = 4, score = 800
            //   03c2                 | add                 eax, edx
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 3bcf 0f42f9 83781410 7202 8b00 57 }
            // n = 6, score = 800
            //   3bcf                 | cmp                 ecx, edi
            //   0f42f9               | cmovb               edi, ecx
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   57                   | push                edi

        $sequence_2 = { 56 ff750c 8bf1 8d4dfd ff7508 }
            // n = 5, score = 800
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bf1                 | mov                 esi, ecx
            //   8d4dfd               | lea                 ecx, [ebp - 3]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { 59 8bc3 eb1b 43 }
            // n = 4, score = 800
            //   59                   | pop                 ecx
            //   8bc3                 | mov                 eax, ebx
            //   eb1b                 | jmp                 0x1d
            //   43                   | inc                 ebx

        // Three of the five elements here are wildcarded call/jump/data
        // references; only "50 8bcf" plus the opcode bytes e8/e9/0f2805 are fixed.
        $sequence_4 = { 50 8bcf e8???????? e9???????? 0f2805???????? }
            // n = 5, score = 800
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   e9????????           |                     
            //   0f2805????????       |                     

        $sequence_5 = { 895dfc ff7514 8b4d10 e8???????? }
            // n = 4, score = 800
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   e8????????           |                     

        $sequence_6 = { 57 03c2 8bce 50 }
            // n = 4, score = 800
            //   57                   | push                edi
            //   03c2                 | add                 eax, edx
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax

        // Shares "56 8bf1 8d4dfd" with $sequence_2 (same local-variable access
        // pattern), so these two are also partly correlated.
        $sequence_7 = { 8bc2 56 8bf1 8d4dfd 57 6a0a }
            // n = 6, score = 800
            //   8bc2                 | mov                 eax, edx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8d4dfd               | lea                 ecx, [ebp - 3]
            //   57                   | push                edi
            //   6a0a                 | push                0xa

        // $sequence_8 and $sequence_9 both start with "8965f0 8365fc00"
        // (mov [ebp-0x10], esp ; and [ebp-4], 0). NOTE(review): this looks like
        // a compiler-emitted exception-frame prologue found in many MSVC-built
        // binaries, so the shared prefix adds little family specificity on its
        // own — the specificity comes from what follows it. Verify on samples.
        $sequence_8 = { 56 57 8965f0 8365fc00 0f2805???????? }
            // n = 5, score = 800
            //   56                   | push                esi
            //   57                   | push                edi
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   0f2805????????       |                     

        // Ends in "xor ecx, ecx ; cpuid" — a CPUID query with ECX cleared;
        // what the result is used for is not visible from the signature.
        $sequence_9 = { 8965f0 8365fc00 8b7508 8b450c 33c9 0fa2 }
            // n = 6, score = 800
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   33c9                 | xor                 ecx, ecx
            //   0fa2                 | cpuid               

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 2211840 bytes (0x21C000, about 2.1 MiB). The size cap
        // keeps the rule from firing on large files that merely embed similar
        // code; it also means a padded or inflated sample would not be matched.
        7 of them and filesize < 2211840
}
[TLP:WHITE] win_predator_w0   (20181019 | Yara rule for Predator The Thief v2.3.5 & +)
// Hand-written signature for Predator The Thief v2.3.5 and later (Fumik0_,
// 2018). It combines five short x86 opcode fragments with one ASCII/UTF-16
// string and requires every one of them to be present (see condition).
// Unlike win_predator_auto there is no filesize bound, so very large files
// are scanned in full. The fragments are 4-5 bytes each; the string is what
// keeps the combined rule from matching on the opcode bytes alone.
rule win_predator_w0 {
   meta:
        description = "Yara rule for Predator The Thief v2.3.5 & +"
        author = "Fumik0_"
        date = "2018/10/12"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_version = "20181019"
        // Non-commercial licence (differs from the CC BY-SA 4.0 auto rule).
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
        // BF imm32 -> mov edi, 0x06400000 (immediate is little-endian). A fixed
        // constant the author observed in the sample; its meaning is not
        // documented here.
        $hex1 = { BF 00 00 40 06 } 
        // C6 04 31 imm8 -> mov byte ptr [ecx+esi], <byte>. The four immediates are
        // the ASCII bytes 'k' (0x6B), 'c' (0x63), 'u' (0x75) and 'f' (0x66).
        // NOTE(review): presumably a byte-at-a-time string construction in the
        // sample — confirm against the referenced v2.3.5 analysis before relying
        // on that reading.
        $hex2 = { C6 04 31 6B }
        $hex3 = { C6 04 31 63 }
        $hex4 = { C6 04 31 75 }
        $hex5 = { C6 04 31 66 }

        // Generic substring, matched in both ASCII and UTF-16LE ("wide"). Any
        // program carrying SQLite-related names may contain it, so on its own it
        // is weak; it only narrows the hex-fragment hits.
        $s1 = "sqlite_" ascii wide
   condition:
        // All five opcode fragments AND all $s strings. "$s*" currently resolves
        // to just $s1, so this is equivalent to "all of ($hex*) and $s1".
        all of ($hex*) and all of ($s*)
}