File name: Predator The Thief Cracked [Gerki.pw].exe
Full analysis: https://app.any.run/tasks/d3062a40-64a3-4c48-9ead-c07d620547b1
Verdict: Malicious activity
Threats:

Predator the Thief is an information stealer, a class of malware that steals data from infected systems. It can access the camera to spy on victims, steal passwords and login credentials, and retrieve payment data from cryptocurrency wallets.

Analysis date: January 17, 2020, 23:28:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, predator
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 139DC5CD86A394A7F226E7A5597BF9F4
SHA1: 06841B71B84568136F323D21F8D856CEB3692EDE
SHA256: 52BF2F37D2ECCA06C9DC3C87B841A5A0D811BA1D0CD936D8BC6F80DE54FD78F9
SSDEEP: 24576:XAHnh+eWsN3skA4RV1Hom2KXMmHamB85COGBiI9E8b0BQ65:Kh+ZkldoPK8YamyLGBiIWj

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • api.exe (PID: 2860)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 2240)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 3016)
      • api.exe (PID: 2852)
      • api.exe (PID: 3764)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 3344)
      • HMVAZZVvO.exe (PID: 3096)
    • PREDATOR was detected

      • HMVAZZVvO.exe (PID: 3096)
    • Stealing of credential data

      • HMVAZZVvO.exe (PID: 3096)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Predator The Thief Cracked [Gerki.pw].exe (PID: 2784)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 3344)
    • Creates files in the user directory

      • Predator The Thief Cracked [Gerki.pw].exe (PID: 2784)
      • HMVAZZVvO.exe (PID: 3096)
    • Loads DLL from Mozilla Firefox

      • HMVAZZVvO.exe (PID: 3096)
    • Reads the cookies of Google Chrome

      • HMVAZZVvO.exe (PID: 3096)
    • Reads the cookies of Mozilla Firefox

      • HMVAZZVvO.exe (PID: 3096)
  • INFO

    • Manual execution by user

      • HMVAZZVvO.exe (PID: 3096)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:05 13:46:06+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 581632
InitializedDataSize: 1058304
UninitializedDataSize: -
EntryPoint: 0x2800a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 88.77.26.37
ProductVersionNumber: 88.77.26.37
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 88.77.26.37
ProductVersion: 88.77.26.37
FileDescription: MessagingDataModel2
CompanyName: Библиотека динамической компоновки (DLL) учетных записей Майкрософт
LegalCopyright: (C) W6VZpwAAMeIGCtMIQivvLyETlie123zIF5SYwmesBBLca3ANmhItdyWAPRUZ6LIoTiOp Technology Co. Ltd., All rights reserved.
ProductName:
Comments: wgMz6zwXC4tbk9eMzG3UyAGYg9XV678zzPoEBmWlFReuMVlFgsb7Na3Ze43hryvR79N3lFSTm
InternalName: DevicePairingWizard.exe
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Interactive graph not reproduced; only its node and edge labels were recovered from the page. Edge labels: "drop and start" (6 edges) and "start" (1 edge). Nodes: predator the thief cracked [gerki.pw].exe; api.exe; predator the thief cracked [xakfor.net].exe (no specs); api.exe (no specs); predator the thief cracked [xakfor.net].exe (no specs); api.exe (no specs); predator the thief cracked [xakfor.net].exe; hmvazzvvo.exe (#PREDATOR).]

Process information

PID 2784
  CMD: "C:\Users\admin\AppData\Local\Temp\Predator The Thief Cracked [Gerki.pw].exe"
  Path: C:\Users\admin\AppData\Local\Temp\Predator The Thief Cracked [Gerki.pw].exe
  Parent process: explorer.exe
  User: admin
  Company: Библиотека динамической компоновки (DLL) учетных записей Майкрософт
  Integrity Level: MEDIUM
  Description: MessagingDataModel2
  Exit code: 0
  Version: 88.77.26.37

PID 2860
  CMD: "C:\Users\admin\AppData\Roaming\2ezlv6H6UbV\api.exe"
  Path: C:\Users\admin\AppData\Roaming\2ezlv6H6UbV\api.exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Company: tvq0scfjxdl
  Integrity Level: MEDIUM
  Description: cmvs0tjqzo2
  Exit code: 3762504530
  Version: 2.8.0.6

PID 3016
  CMD: "C:\Users\admin\AppData\Roaming\2ezlv6H6UbV\Predator The Thief Cracked [XakFor.Net].exe"
  Path: C:\Users\admin\AppData\Roaming\2ezlv6H6UbV\Predator The Thief Cracked [XakFor.Net].exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Integrity Level: MEDIUM
  Description: Predator The Thief Cracked [XakFor.Net]
  Version: 1.0.0.0

PID 2852
  CMD: "C:\Users\admin\AppData\Roaming\NKvzgDxuwYuHn\api.exe"
  Path: C:\Users\admin\AppData\Roaming\NKvzgDxuwYuHn\api.exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Company: tvq0scfjxdl
  Integrity Level: MEDIUM
  Description: cmvs0tjqzo2
  Exit code: 4294967295
  Version: 2.8.0.6

PID 2240
  CMD: "C:\Users\admin\AppData\Roaming\NKvzgDxuwYuHn\Predator The Thief Cracked [XakFor.Net].exe"
  Path: C:\Users\admin\AppData\Roaming\NKvzgDxuwYuHn\Predator The Thief Cracked [XakFor.Net].exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Integrity Level: MEDIUM
  Description: Predator The Thief Cracked [XakFor.Net]
  Version: 1.0.0.0

PID 3764
  CMD: "C:\Users\admin\AppData\Roaming\Qql6yxwepKsZkI6Z\api.exe"
  Path: C:\Users\admin\AppData\Roaming\Qql6yxwepKsZkI6Z\api.exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Company: tvq0scfjxdl
  Integrity Level: MEDIUM
  Description: cmvs0tjqzo2
  Exit code: 4294967295
  Version: 2.8.0.6

PID 3344
  CMD: "C:\Users\admin\AppData\Roaming\Qql6yxwepKsZkI6Z\Predator The Thief Cracked [XakFor.Net].exe"
  Path: C:\Users\admin\AppData\Roaming\Qql6yxwepKsZkI6Z\Predator The Thief Cracked [XakFor.Net].exe
  Parent process: Predator The Thief Cracked [Gerki.pw].exe
  User: admin
  Integrity Level: MEDIUM
  Description: Predator The Thief Cracked [XakFor.Net]
  Version: 1.0.0.0

PID 3096
  CMD: "C:\Users\admin\Desktop\HMVAZZVvO.exe"
  Path: C:\Users\admin\Desktop\HMVAZZVvO.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 1 014
Read events: 897
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 8
Suspicious files: 1
Text files: 9
Unknown types: 0

Dropped files

PID   Process                                    Filename
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9AB4.tmp
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9B9F.tmp
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9BFE.tmp
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9C3D.tmp
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9CFA.tmp
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Local\Temp\aut9D78.tmp
3344  Predator The Thief Cracked [XakFor.Net].exe  C:\Users\admin\AppData\Local\Temp\stub.bin
3096  HMVAZZVvO.exe                              C:\Users\admin\AppData\Local\Temp\ifoepebnvwuz.ukz
3096  HMVAZZVvO.exe                              C:\Users\admin\AppData\Roaming\zpars6q7w8w7t7q7w8w7t7.zip
2784  Predator The Thief Cracked [Gerki.pw].exe  C:\Users\admin\AppData\Roaming\NKvzgDxuwYuHn\api.exe  (Type: executable)
      MD5: E7161E8D24F66E438DB0C53C1A805F1A
      SHA256: 24314260537A473182C71D06023A2EC3F3FDDB5785D3FAE962622B5890F9FEB0

No type, MD5 or SHA256 was reported for the other dropped files.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info