{
	"id": "5f2d4e0c-0bae-49f1-a802-5da9e54ec659",
	"created_at": "2026-04-06T00:08:44.816453Z",
	"updated_at": "2026-04-10T03:19:57.692797Z",
	"deleted_at": null,
	"sha1_hash": "cb8606a800da85be5c20fe67194fb9345c1fca0e",
	"title": "Analysis of the Predator Pain Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1283851,
	"plain_text": "Analysis of the Predator Pain Keylogger\r\nBy Kimberly\r\nArchived: 2026-04-05 22:33:23 UTC\r\nWritten by Kimberly on Sunday, 27 April 2014. Posted in Malware Reports.\r\nThe Predator Pain Keylogger incorporates Browser, Messenger, FTP and File stealers and is capable of Clipboard and Screenshot logging and Bitcoin Wallet theft.\r\nPredator Pain targets Steam, MineCraft and World of WarCraft usernames and passwords. A Runescape Pin Stealer is also available.\r\nPredator Pain can disable several Windows features and spread via USB or P2P. KazyLoader, also known as Karagany, is used as the file downloader in this sample.\r\nThe Predator Pain Keylogger is advertised for $35 on underground forums and comes with its own crypter.\r\nPredator Pain is the payload of an unsolicited email claiming to come from the IRS with the subject line \"Swift Transfer Confirmation\". No money on the horizon in this fake email, but a swift transfer of all logins and passwords the Predator Pain Keylogger can possibly grab.\r\nPredator Pain Keylogger\r\nUpon execution SWIFTTRANSFERRECEPTS_FDP.EXE displays an error message stating that the application failed to initialize properly. The warning is a fake error message and one of the Predator Pain builder options.\r\nhttp://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html\r\nPage 1 of 12\r\nIn the meantime SWIFTTRANSFERRECEPTS_FDP.EXE creates a copy of itself as WINLOGON.EXE in the %AppData%\\Roaming folder and starts the newly created process. WINLOGON.EXE also installs a global low-level keyboard hook and displays the same fake error as above.\r\nWINLOGON.EXE creates the following files in the %AppData%\\Roaming folder:\r\npid.txt: contains the PID of the Predator Pain Keylogger process - e.g. 1628\r\npidloc.txt: contains the path to the Predator Pain logger executable - e.g. %AppData%\\Roaming\\winlogon.exe\r\nPredator Pain also creates a copy of itself as WINDOWSUPDATE.EXE in the %AppData%\\Roaming folder. Predator Pain checks periodically for the existence of WindowsUpdate.exe; if the file is deleted, a new copy is written to disk.\r\nThe following registry keys are created to ensure persistence:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \"Windows Update\"\r\nType: REG_SZ\r\nData: C:\\Users\\MxAngel\\AppData\\Roaming\\WindowsUpdate.exe\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon \"Shell\"\r\nType: REG_SZ\r\nData: explorer.exe, C:\\Users\\MxAngel\\AppData\\Roaming\\winlogon.exe\r\nBefore we go any further, there are a few things that need clarification. When the Predator Pain binary - winlogon.exe in our analysis - is running, we can dump the strings contained in the different memory regions. The list is quite long, but for now we will focus on the following three elements:\r\nWebBrowserPassView: WebBrowserPassView.exe\r\nMail PassView: mailpv.exe\r\nCMemoryExecute: CMemoryExecute.dll\r\nWebBrowserPassView\r\nWebBrowserPassView, developed by Nir Sofer, is a tool to recover lost passwords stored in your web browser. WebBrowserPassView supports Internet Explorer, Mozilla, Google Chrome, Safari, and Opera and can be used to recover lost / forgotten passwords of any website, including Facebook, Yahoo, Google, and GMail, as long as the password is stored by the browser. The passwords can be saved to text / html / csv / xml files.\r\nMail PassView\r\nMail PassView, developed by Nir Sofer, allows extracting lost email passwords from the following email clients:\r\nOutlook Express\r\nMicrosoft Outlook 2000 (POP3 and SMTP Accounts only)\r\nMicrosoft Outlook 2002/2003/2007/2010/2013 (POP3, IMAP, HTTP and SMTP Accounts)\r\nWindows Mail\r\nWindows Live Mail\r\nIncrediMail\r\nEudora\r\nNetscape 6.x/7.x (if the password is not encrypted with a master password)\r\nMozilla Thunderbird (if the password is not encrypted with a master password)\r\nGroup Mail Free\r\nYahoo! Mail - if the password is saved in the Yahoo! Messenger application.\r\nHotmail/MSN mail - if the password is saved in the MSN/Windows/Live Messenger application.\r\nGmail - if the password is saved by the Gmail Notifier application, Google Desktop, or Google Talk.\r\nCMemoryExecute - CMemoryExecute.dll\r\nCMemoryExecute, written by Affixiate, is used to run a non-.NET executable from memory without storing it on the hard disk first. It uses the native WinAPI, and the executable needs to be injected into VBC.EXE, the Visual Basic Command Line Compiler.\r\nThe syntax is as follows:\r\nCMemoryExecute.Run(IO.File.ReadAllBytes(\"C:\\run_me_in_memory.exe\"), \"C:\\inject_me_in_memory.exe\", \"(Optional) Command Line Parameters To Be Passed To C:\\run_me_in_memory.exe\")\r\nPredator Pain is thus able to harvest logins and passwords from several mail and browser clients with the help of two embedded legitimate programs: WebBrowserPassView and Mail PassView.\r\nPredator Pain starts VBC.EXE, the Visual Basic Command Line Compiler, which is one of the requirements to run a PE from memory.\r\nThe Predator Pain Keylogger will:\r\nRun MAILPV.EXE from memory via VBC.EXE and dump the results to HOLDERMAIL.TXT.\r\nWINLOGON.EXE checks if HOLDERMAIL.TXT exists.\r\nWINLOGON.EXE reads HOLDERMAIL.TXT and uploads the harvested email credentials via mail - to results@facebookmarketers.net in our analysis.\r\nThe same tasks are performed using WEBBROWSERPASSVIEW.EXE \u0026 VBC.EXE to harvest passwords stored in browsers.\r\nBelow is a screenshot illustrating the flow of processes and services started by Predator Pain. The Protected Storage and Credential Manager services are started by the injected VBC.EXE process.\r\nBesides harvesting various logins and passwords, Predator Pain reports the local date and time, the OS and the OS language, the internal and external IP address, and the installed antivirus and / or firewall. The external IP is obtained by querying whatismyipaddress.com.\r\nIn this sample all harvested information is sent to results@facebookmarketers.net. The interval and the chosen method (FTP / PHP / MAIL) can be set in the Predator Pain builder’s options.\r\nPredator Pain is also a Bitcoin Stealer. It steals the WALLET.DAT file that holds the user's bitcoin currency.\r\nAfter a while the WINLOGON.EXE process stopped working. It’s hard to tell whether this is on purpose or simply because the logger is unstable.\r\nWhen the WINLOGON.EXE process runs, the code in memory is unencrypted and its strings can be dumped from the different memory regions. I've posted a small snippet on our Pastebin.\r\nVirusTotal Results\r\nswifttransferrecepts_fdp.exe\r\nAdditional information\r\nMD5: 8ce71e40eda2d9304c1e127c60500e0c\r\nSHA1: 93ef97529dcaa047d023456103827b6f97345caf\r\nSHA256: e63b24adf9119f7d500167a62d62d3b8a35f4694f8488fc764523fd322fb2dce\r\nFile size: 612.0 KB (626688 bytes)\r\nDetection ratio: 16 / 51\r\nAnalysis date: 2014-04-26 08:52:43 UTC\r\nAntivirus | Result (- = not detected) | Update\r\nAd-Aware | Gen:Variant.Zusy.69824 | 20140426\r\nAegisLab | - | 20140426\r\nAgnitum | - | 20140425\r\nAhnLab-V3 | Trojan/Win32.Inject | 20140425\r\nAntiVir | - | 20140425\r\nAntiy-AVL | - | 20140426\r\nAvast | Win32:VB-AHWF [Trj] | 20140426\r\nAVG | - | 20140426\r\nBaidu-International | - | 20140426\r\nBitDefender | Gen:Variant.Zusy.69824 | 20140426\r\nBkav | - | 20140425\r\nByteHero | - | 20140426\r\nCAT-QuickHeal | - | 20140425\r\nClamAV | - | 20140426\r\nCMC | - | 20140424\r\nCommtouch | - | 20140426\r\nComodo | - | 20140426\r\nDrWeb | - | 20140426\r\nEmsisoft | Gen:Variant.Zusy.69824 (B) | 20140426\r\nESET-NOD32 | a variant of MSIL/Injector.CUZ | 20140426\r\nF-Prot | - | 20140426\r\nF-Secure | Gen:Variant.Zusy.69824 | 20140426\r\nFortinet | MSIL/Injector.CSZ!tr | 20140426\r\nGData | Gen:Variant.Zusy.69824 | 20140426\r\nIkarus | - | 20140426\r\nJiangmin | - | 20140426\r\nK7AntiVirus | - | 20140425\r\nK7GW | - | 20140425\r\nKaspersky | Trojan.Win32.Fsysna.zcf | 20140426\r\nKingsoft | - | 20140426\r\nMalwarebytes | Spyware.Zbot | 20140426\r\nMcAfee | Artemis!8CE71E40EDA2 | 20140426\r\nMcAfee-GW-Edition | Heuristic.LooksLike.Win32.Suspicious.E | 20140425\r\nMicrosoft | - | 20140426\r\nMicroWorld-eScan | Gen:Variant.Zusy.69824 | 20140426\r\nNANO-Antivirus | - | 20140426\r\nNorman | - | 20140426\r\nnProtect | - | 20140425\r\nPanda | - | 20140425\r\nQihoo-360 | Win32/Trojan.53c | 20140426\r\nRising | - | 20140425\r\nSophos | - | 20140426\r\nSUPERAntiSpyware | - | 20140426\r\nSymantec | - | 20140426\r\nTheHacker | - | 20140425\r\nTotalDefense | - | 20140426\r\nTrendMicro | - | 20140426\r\nTrendMicro-HouseCall | TROJ_GEN.F47V0425 | 20140426\r\nVBA32 | - | 20140425\r\nVIPRE | - | 20140425\r\nViRobot | - | 20140426\r\nSource: http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html"
	],
	"report_names": [
		"analysis-of-the-predator-pain-keylogger.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb8606a800da85be5c20fe67194fb9345c1fca0e.pdf",
		"text": "https://archive.orkl.eu/cb8606a800da85be5c20fe67194fb9345c1fca0e.txt",
		"img": "https://archive.orkl.eu/cb8606a800da85be5c20fe67194fb9345c1fca0e.jpg"
	}
}