Predator the Thief is an information stealer: malware that steals data from infected systems. It can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.

Type: Stealer
Origin: ex-USSR
First seen: 1 July, 2018
Last seen: 6 July, 2024




What is Predator the Thief?

Predator the Thief is information-stealing malware that attackers use to collect information from infected machines. The Predator trojan can steal passwords and information from crypto wallets, access the camera to capture images of the machine's owner, and more.

As with ransomware and other malicious programs of the stealer class, Predator the Thief is a somewhat basic program that hasn't changed much since its first version, developed by a user named Alexuiop1337 around July of 2018. With this in mind, the malware does not pose a significant threat to most corporations with adequate cybersecurity measures but can devastate careless private users.

General description of Predator the Thief

Researchers believe that Predator the Thief was developed by Russian-speaking malware actors, as it mostly appears for sale on Russian forums, where the malware could be obtained for a meager price of around $30. At the time of publication, the price had risen to $150. With every purchase, clients obtain a builder and everything they need to host attacks. The malware authors themselves are known to distribute the builder but have not been observed carrying out attacks directly.

The malware was first promoted by an individual using the alias “Alexuiop1337,” who is still actively spreading information about the virus. At one point, however, he took up another name, “Kongress_nlt.” There is also a known Telegram user, “sett9,” who is affiliated with the operation and could be “Kongress_nlt” himself. Furthermore, one can follow the latest news concerning Predator on a dedicated Telegram channel, “@PredatorSoftwareChannel,” which lists all updates to the malware.

The authors do, in fact, update the malware frequently, introducing new functions and undetectable samples to avoid discovery. In addition, they are willing to set up backend administration cabinets for clients for an extra fee. Notably, one of the updates reworked the code from the ground up to make Predator what they call “fileless.” This means that when running, the malware doesn’t leave any files on an infected machine, which makes it that much more difficult to detect. The stealer can therefore operate unnoticed on an unsuspecting victim's machine and inflict more damage over time as more potentially sensitive data is stolen.

As for browser data, Predator the Thief focuses mainly on Chrome, Opera, and Firefox-based programs and uses “industry-standard” techniques to do its job. The malware can also target wallets for the following cryptocurrencies:

  • Ethereum
  • Multibit
  • Electrum
  • Armory
  • Bytecoin
  • Bitcoin
  • And others…

It can also pull data from FileZilla and WinFTP. Another trick that Predator has up its sleeve is an anti-VM check that instantly terminates execution if the malware detects that it is being launched on a virtual machine. This feature is there to complicate analysis as much as possible and slow down research.

However, despite these functions, and although Predator can steal data from many sources, the same as ransomware, it is still considered a relatively primitive malware compared to some other stealers, which is not surprising given its affordable price. While the punch that it packs may not be enough to shatter the defenses of most modern large-scale corporations, small businesses and individuals can still suffer serious damage from Predator attacks.

Predator the Thief malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Predator the Thief, allowing one to examine it in a convenient and safe environment.

Figure 1: Displays the dynamic graph of processes generated by the ANY.RUN malware analyzing service.

Figure 2: Even more information about the execution of malware can be found in this customizable text report generated by ANY.RUN.

Predator the Thief execution process

Predator's execution process is quite straightforward, much like that of Qbot and Netwire. After the stealer starts execution, it instantly begins stealing information from the system. The stolen information is written into files, which are later compressed into a single archive. Predator then sends the compressed file to its command-and-control server. Once the file is sent, the malware terminates execution and sometimes deletes itself.

Distribution of Predator the Thief

The Predator trojan gets onto victims' machines disguised as a harmless document. It may arrive in a .ZIP file that contains an executable disguised as a document or useful program, with a name that tricks the potential victim into interacting with it.

In other cases, the malware exploits the vulnerability in the UNACEV2.dll library of WinRAR. Here the victim is presented with multiple .PNG files, which serve to hide the fact that the malicious file has been placed in the startup folder, where it will be executed at the next system reboot or launch. Predator the Thief is also commonly distributed through links to legitimate websites such as cdn.discordapp.com, raw.githubusercontent.com, and others.

How to detect Predator the Thief using ANY.RUN?

Some malware creates files in which it names itself. You can often find such information about Predator the Thief using ANY.RUN's "Static Discovering." Either open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the "Information.txt" file.

Figure 3: Static discovering of the file "Information.txt" created by Predator the Thief
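
The execution sequence described earlier (collect, archive, send, optional self-deletion) and the "Information.txt" artifact can be combined into a per-process behavioural check. This is an added example, not ANY.RUN's code; the event schema (`proc_start`, `file_write`, `net_send`, `file_delete`), the archive extensions, and all paths and addresses in the sample are constructed for illustration.

```python
from collections import defaultdict

# Stage order from the execution description; self_delete is optional because
# the malware only sometimes deletes itself.
STAGES = ["collect", "archive", "exfil", "self_delete"]
ARCHIVE_EXT = (".zip", ".7z", ".rar")  # assumption: archive types worth watching

def classify(event, image_by_pid):
    """Map one raw event to a stage name, or None if it is irrelevant."""
    kind, target = event["type"], event.get("target", "").lower()
    if kind == "file_write" and target.endswith(ARCHIVE_EXT):
        return "archive"
    if kind == "file_write" and target.endswith("\\information.txt"):
        return "collect"
    if kind == "net_send":
        return "exfil"
    own_image = image_by_pid.get(event["pid"], "").lower()
    if kind == "file_delete" and target and target == own_image:
        return "self_delete"
    return None

def detect(events):
    """Return {pid: stages} for processes that collect, archive, then send, in order."""
    image_by_pid = {e["pid"]: e["target"] for e in events if e["type"] == "proc_start"}
    progress = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stage, seen = classify(e, image_by_pid), progress[e["pid"]]
        # Advance only when this event is the next expected stage.
        if stage and len(seen) < len(STAGES) and stage == STAGES[len(seen)]:
            seen.append(stage)
    return {pid: s for pid, s in progress.items() if len(s) >= 3}

SAMPLE = [  # constructed events, not taken from a real analysis task
    {"ts": 1, "pid": 100, "type": "proc_start", "target": r"C:\Users\u\Downloads\invoice.exe"},
    {"ts": 2, "pid": 100, "type": "file_write", "target": r"C:\Users\u\AppData\Roaming\tmp1\Information.txt"},
    {"ts": 3, "pid": 200, "type": "proc_start", "target": r"C:\Program Files\Backup\backup.exe"},
    {"ts": 4, "pid": 200, "type": "file_write", "target": r"D:\backups\docs.zip"},
    {"ts": 5, "pid": 100, "type": "file_write", "target": r"C:\Users\u\AppData\Roaming\tmp1\out.zip"},
    {"ts": 6, "pid": 200, "type": "net_send", "target": "203.0.113.10:443"},
    {"ts": 7, "pid": 100, "type": "net_send", "target": "198.51.100.7:80"},
    {"ts": 8, "pid": 100, "type": "file_delete", "target": r"C:\Users\u\Downloads\invoice.exe"},
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The backup process (pid 200) writes an archive and talks to the network but never produces the collection artifact, so it is not flagged. Requiring the stages in order is what keeps ordinary archive-and-upload tools out of the result.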

Summary

Predator the Thief may not be the most complex information stealer on the planet. It is also one of the cheapest options currently on the market. Despite that, the authors of this malicious program show a strong dedication to their business and spend a lot of time and energy producing meaningful updates, marketing their creation in underground communities, providing set-up services, and building admin panels upon request. Above all, this is making Predator an increasingly popular and dangerously accessible stealer.

Bearing in mind that most attack vectors involved documents structured around business topics, small company owners are at the biggest risk since cyber defense is sometimes lacking in smaller companies.

To help the situation and make this threat less dangerous, cybersecurity researchers can use the tools that the ANY.RUN malware hunting service provides to professionals and students to crack the code of Predator the Thief. ANY.RUN streamlines the malware analysis process and enables researchers to complete projects faster and more efficiently without compromising the quality of results. Hopefully, together we will mitigate the threat posed by Predator and other similar information stealers and ransomware as well.
