analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://f0405363.xsph.ru/api/download.get

Full analysis: https://app.any.run/tasks/97a9cbf0-eac4-4733-885e-5732623c93fd
Verdict: Malicious activity
Threats:

Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.

Malware Trends Tracker     >>>
Analysis date: February 22, 2020, 06:53:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
predator
Indicators:
MD5:

6876FE233ED8C55B9BF06A127E603DAC

SHA1:

775A9BA3E645C14431AF7349551A91416C8DE41A

SHA256:

805B69193CA08BAB1584B77FDCA0F62DA874984AADAA1D645869C86EF6D74736

SSDEEP:

3:N1KYVRVEs8KElNn:CYVRV/KN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • PREDATOR was detected

      • chrome.exe (PID: 3176)

    • Connects to CnC server

      • chrome.exe (PID: 3176)

  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 628)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 628)
      • chrome.exe (PID: 3176)

    • Application launched itself

      • chrome.exe (PID: 628)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
25
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs #PREDATOR chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
628"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://f0405363.xsph.ru/api/download.get"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1744"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa8a9d0,0x6fa8a9e0,0x6fa8a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2524"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3244 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
392"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=3051797880886401899 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3176"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=3303285415759636273 --mojo-platform-channel-handle=1636 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2872"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10932267180637034012 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2580"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6562833354332589384 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2612"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=630868016679212482 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2608"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=14257886397782569488 --mojo-platform-channel-handle=3308 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2636"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,4315081550631162817,16954717567339995984,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5667290162726102121 --mojo-platform-channel-handle=3452 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
699
Read events
620
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
219
Unknown types
6

Dropped files

PID
Process
Filename
Type
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E50D010-274.pma
MD5:
SHA256:
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\6c036650-cbef-43d3-8e4c-46634cee261d.tmp
MD5:
SHA256:
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFa65f3f.TMPtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.oldtext
MD5:6F174C3088498A2CD266BCA5EE2F6624
SHA256:2EEEC1240EB66978ED12E9034F8D4284B0CA1DC82495954636D68140E2187FA4
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFa65f5e.TMPtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:FC9FFE77348619CC285333DFF5E1D5D1
SHA256:7CB9B3575330B3D776A21EB7A7407E34F013A0975B7418DA11B5C85DEC91D1F3
628chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
15
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3176
chrome.exe
GET
200
141.8.192.151:80
http://f0405363.xsph.ru/api/download.get
RU
malicious
3176
chrome.exe
GET
200
84.15.65.12:80
http://r1---sn-cpux-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-cpux-gpme&ms=nvh&mt=1582354076&mv=u&mvi=0&pcm2cms=yes&pl=23&shardbypass=yes
LT
crx
293 Kb
whitelisted
3176
chrome.exe
GET
200
141.8.192.151:80
http://f0405363.xsph.ru/api/download.get
RU
malicious
3176
chrome.exe
GET
404
141.8.192.151:80
http://f0405363.xsph.ru/favicon.ico
RU
html
772 b
malicious
3176
chrome.exe
GET
302
172.217.23.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
527 b
whitelisted
3176
chrome.exe
GET
302
172.217.23.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
532 b
whitelisted
3176
chrome.exe
GET
200
84.15.65.13:80
http://r2---sn-cpux-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-cpux-gpme&ms=nvh&mt=1582354076&mv=u&mvi=1&pcm2cms=yes&pl=23&shardbypass=yes
LT
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3176
chrome.exe
172.217.16.142:443
clients2.google.com
Google Inc.
US
whitelisted
3176
chrome.exe
172.217.23.110:80
redirector.gvt1.com
Google Inc.
US
whitelisted
3176
chrome.exe
172.217.22.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3176
chrome.exe
172.217.23.97:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
3176
chrome.exe
141.8.192.151:80
f0405363.xsph.ru
Sprinthost.ru LLC
RU
malicious
3176
chrome.exe
84.15.65.12:80
r1---sn-cpux-gpme.gvt1.com
UAB Bite Lietuva
LT
whitelisted
3176
chrome.exe
172.217.23.109:443
accounts.google.com
Google Inc.
US
suspicious
3176
chrome.exe
172.217.18.99:443
www.google.lt
Google Inc.
US
whitelisted
3176
chrome.exe
84.15.65.13:80
r2---sn-cpux-gpme.gvt1.com
UAB Bite Lietuva
LT
whitelisted
3176
chrome.exe
172.217.18.163:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
f0405363.xsph.ru
  • 141.8.192.151
malicious
accounts.google.com
  • 172.217.23.109
shared
clients2.google.com
  • 172.217.16.142
whitelisted
redirector.gvt1.com
  • 172.217.23.110
whitelisted
r1---sn-cpux-gpme.gvt1.com
  • 84.15.65.12
whitelisted
clients2.googleusercontent.com
  • 172.217.23.97
whitelisted
r2---sn-cpux-gpme.gvt1.com
  • 84.15.65.13
whitelisted
www.google.com
  • 216.58.207.36
whitelisted
ssl.gstatic.com
  • 172.217.18.163
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://f0405363.xsph.ru/api/download.get