{
	"id": "cbc3f512-4440-40b8-8749-f11235675d71",
	"created_at": "2026-04-06T00:11:58.668884Z",
	"updated_at": "2026-04-10T03:37:08.53108Z",
	"deleted_at": null,
	"sha1_hash": "dd451cc70b566ead7369302162ad68d75c45ec51",
	"title": "Predator The Thief: In-depth analysis (v2.3.5)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2532221,
	"plain_text": "Predator The Thief: In-depth analysis (v2.3.5)\r\nPublished: 2018-10-15 · Archived: 2026-04-05 23:07:13 UTC\r\nWell, it’s been a long time without some fresh new content on my blog. I had some unexpected problems that kept me away from here and a lot of work (like my tracker) that explains this. But it’s time to come back (slowly) with some stuff.\r\nSo today, this is an in-depth analysis of one stealer: “Predator the thief”, written in C/C++. Like dozens of other malware, it’s a ready-to-sell malware delivered as a builder \u0026 C2 panel package.\r\nThe goal is to explain step by step how this malware works, with a lot of extra explanations for some parts. This post is mainly addressed to junior reverse engineers or malware analysts who want to understand and defeat some of these techniques/tricks easily for future purposes.\r\nSo here we go!\r\nClassical life cycle\r\nThe execution order is almost the same for most of the stealers nowadays. Changes mostly vary between evasion techniques and how they interact with the C2. For example, with Predator, the setup is quite simple but could vary if the attacker sets up a loader on his C2.\r\nhttps://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/\r\nPage 1 of 32\r\nThe life cycle of Predator the thief\r\nPreparing the field\r\nBefore stealing sensitive data, Predator starts by setting up some basic stuff to be able to work correctly. Almost all the configuration is loaded into memory step by step.\r\nSo let’s put a breakpoint at “0x00472866” and inspect the code…\r\n1. EBX is set to the length of our loop (in our case here, it will be 0x0F)\r\n2. ESI holds all the function addresses\r\n3. EAX grabs one address from ESI and moves it into EBP-8\r\n4. EBP is called, so at this point a config function unpacks some data and saves it onto the stack\r\n5. ESI position is now advanced by 4\r\n6. EDI is incremented until reaching the same value as stored in EBX\r\n7. When EDI == EBX, it means that all required configuration values are stored on the stack. The main part of the malware can start\r\nSo, for example, let’s see what we have inside 0040101D at 0x00488278.\r\nSo with x32dbg, let’s see what we have… with a simple command\r\nCommand: go 0x0040101D\r\nAs you can see, this is where the C2 is stored, uncovered and saved onto the stack.\r\nSo what values are stored with this technique?\r\nC2 Domain\r\n%APPDATA% Folder\r\nPredator Folder\r\ntemporary name of the archived predator file and its position\r\nalso, the name of the archive when it is sent to the C2\r\netc…\r\nWith the help of the %APPDATA%/Roaming path, the Predator folder is created (\\ptst). Something notable with this is that it’s hardcoded behind a XORed string and not generated randomly. By pure speculation, it could be a shortcut for “Predator The STealer”.\r\nThe same observation holds for the name of the temporary archive file during the stealing process: “zpar.zip”.\r\nThe welcome message…\r\nWhen you are positioned at the main module of the stealer, a lovely text looped over 0x06400000 times is addressed to people who want to reverse it.\r\nObfuscation Techniques\r\nThe thief who loves XOR (a little bit too much…)\r\nAlmost all the strings from this stealer sample are XORed, even if this obfuscation technique is really easy to understand and one of the easiest to decrypt. Here, it is used in multiple forms just to slow down the analysis.\r\nGetProcAddress Alternatives\r\nTo avoid calling modules from different libraries directly, it uses some classic stuff to search step by step for a specific API and store it in a register. This permits hiding the direct call of the module behind a simple register call.\r\nSo firstly, a XORed string (a DLL name) is decrypted. In this case, kernel32.dll is required for the specific module that the malware wants to call.\r\nWhen the decryption is done, this library is loaded with the help of “LoadLibraryA”. Then, a clear-text string is pushed into EDX: “CreateDirectoryA”… This will be the module that the stealer wants to use.\r\nThe only thing that it needs now is to retrieve the address of the exported function “CreateDirectoryA” from kernel32.dll. Usually, this is done with the help of GetProcAddress, but this function is in fact not called and another trick is used to get the right value.\r\nSo this string and the IMAGE_DOS_HEADER of kernel32.dll are sent into “func_GetProcesAddress_0”. The idea is to manually get the pointer to the function address that we want with the help of the Export Table. So let’s see what we have in it…\r\ntypedef struct _IMAGE_EXPORT_DIRECTORY {\r\n    DWORD Characteristics;\r\n    DWORD TimeDateStamp;\r\n    WORD  MajorVersion;\r\n    WORD  MinorVersion;\r\n    DWORD Name;                  // RVA of the module name\r\n    DWORD Base;                  // ordinal base\r\n    DWORD NumberOfFunctions;\r\n    DWORD NumberOfNames;\r\n    DWORD AddressOfFunctions;    // RVA of the array of function RVAs      \u003c= This good boy\r\n    DWORD AddressOfNames;        // RVA of the array of name RVAs          \u003c= This good boy\r\n    DWORD AddressOfNameOrdinals; // RVA of the array of WORD ordinals      \u003c= This good boy\r\n} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;\r\nAfter inspecting the IMAGE_EXPORT_DIRECTORY structure, three fields are mandatory:\r\nAddressOfFunctions – an array which contains the relative virtual address (RVA) of each function of the module.\r\nAddressOfNames – an array which stores, in ascending order, the names of all functions from this module.\r\nAddressOfNameOrdinals – a 16-bit array which contains all the associated ordinals of the function names, based on AddressOfNames.\r\nsource\r\nSo after saving the absolute position of these 3 arrays, the loop is simple:\r\n1. Grab the RVA of one function\r\n2. Get the name of this function\r\n3. Compare the string with the desired one.\r\nSo let’s see the details to understand everything:\r\nIf we dig into ds:[eax+edx*4], this is where all the relative virtual addresses of the kernel32.dll export table functions are stored.\r\nWith the next instruction, add eax,ecx, we go to the exact position of the string value in the “AddressOfNames” array.\r\nDLLBaseAddress + AddressOfNameRVA[i] = Function Name\r\n751F0000 + 0C41D4 = CreateDirectoryA\r\nThe comparison is matching, now it needs to store the “procAddress”. So first the Ordinal Number of the function is saved. Then with the help of this value, the Function Address position is grabbed and saved into ESI.\r\nADD ESI, ECX\r\nProcAddress = Function Address + DLLBaseAddress\r\nIn disassembly, it looks like this:\r\nLet’s inspect the code at the specific procAddress…\r\nSo everything is done, the address of the function is now stored into EAX and it only needs to be called now.\r\nAnti-VM Technique\r\nHere, a simple Anti-VM technique is used to check if this stealer is launched on a virtual machine. This is also the only anti-detection trick used in Predator.\r\nFirst, User32.dll (XORed) is dynamically loaded with the help of “LoadLibraryA”, then the “EnumDisplayDevicesA” module is requested from User32.dll. The idea here is to get the value of the “Device Description” of the current display used.\r\nWhen it’s done, the result is checked against some values (obviously XORed too):\r\nHyper-V\r\nVMware\r\nVirtualBox\r\nIf the string matches, you are redirected to a function renamed here “func_VmDetectedGoodBye”.\r\nHow to by-pass this Anti-VM technique?\r\nTo avoid this simple trick, the goal is to modify the REG_SZ value of “DriverDesc” under {4d36e968-e325-11ce-bfc1-08002be10318} to something else.\r\nAnd voilà!\r\nStealing Part\r\nLet’s talk about the main subject… How this stealer is organized… As far as I disassembled the code, these are all the folders that the malware sets up in the “ptst” repository before sending it as an archive to the C2.\r\nFolders\r\nFiles: Contains all classical text/document files at specific paths\r\nFileZilla: Grab one or two files from this FTP client\r\nWinFTP: Grab one file from this FTP client\r\nCookies: Saved stolen cookies from different browsers\r\nGeneral: Generic Data\r\nSteam: Steal login account data\r\nDiscord: Steal login account data\r\nFiles\r\nInformation.log\r\nScreenshot.jpeg \u003c= Screenshot of the current screen\r\nTelegram\r\nTo check if Telegram is installed on the machine, the malware checks if the KeyPath “Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1” exists on the machine.\r\nSo let’s inspect what we have inside this “KeyPath”. After digging into the code, the stealer will request the value of “InstallLocation”, because this is where Telegram is currently installed on the machine.\r\nStep by step, the path is recreated (as always, all strings are XORed):\r\n%TELEGRAM_PATH%\r\n\\Telegram Desktop\r\n\\tdata\r\n\\D877F783D5D3EF8C\r\nThe folder “D877F783D5D3EF8C” is where all the Telegram cache is stored. This is the sensitive data that the stealer wants to grab. Also during the process, the file map* (i.e. map1) is also checked and this file is, in fact, the encryption key. So if someone grabs everything from this folder, this gives the attacker access (login without prompt) to the victim account.\r\nSteam\r\nThe technique used by the stealer to get information for one software will remain the same for the next ones (in most cases). This greatly facilitates the understanding of this malware.\r\nSo first, it checks the “SteamPath” key value at “HKCU\\Software\\Valve\\Steam” to grab the correct Steam repository. This value is then concatenated with a bunch of files that are necessary to compromise a Steam account.\r\nSo it will first check if ssfn files are present on the machine with the help of “func_FindFiles”; if it matches, they are duplicated into the temporary malware folder stored in %APPDATA%/XXXX. Then it does the same thing with config.vdf.\r\nSo what is the point of these files? First, after some research, a post on Reddit was quite interesting. It explained that ssfn files permit bypassing SteamGuard during the user log-on.\r\nNow what is the point of the second file? This is where you can learn some information about the user account and all the applications that are installed on the machine. Also, if the ConnectCache field is found in this one, it is possible to log into the stolen account without the Steam authentication prompt. If you are curious, this pattern is represented just like this:\r\n\"ConnectCache\"\r\n{\r\n   \"STEAM_USERNAME_IN_CRC32_FORMAT\" \"SOME_HEX_STUFF\"\r\n}\r\nThe last file that the stealer wants to grab is “loginusers.vdf”. This one could be used for multiple purposes but mainly for setting the account in offline mode manually.\r\nFor more details on the subject, there is a nice report made by Kaspersky on this:\r\nSteam Stealers\r\nWallets\r\nThe stealer supports multiple digital wallets such as:\r\nEthereum\r\nMultibit\r\nElectrum\r\nArmory\r\nBytecoin\r\nBitcoin\r\nEtc…\r\nThe functionality is rudimentary but it’s enough to grab specific files such as:\r\n*.wallet\r\n*.dat\r\nAnd as usual, all the strings are XORed.\r\nFTP software\r\nThe stealer supports two FTP clients:\r\nFilezilla\r\nWinFTP\r\nIt’s really rudimentary because it only searches for three files, and if they are available, a simple copy to the predator folder is done:\r\n%APPDATA%\\Filezilla\\sitemanager.xml\r\n%APPDATA%\\Filezilla\\recentservers.xml\r\n%PROGRAMFILES%\\WinFtp Client\\Favorites.dat\r\nBrowsers\r\nIt’s not necessary to have a deeper explanation about what kind of files the stealer focuses on in browsers. There are currently a dozen articles that explain how this kind of malware manages to steal web data. I recommend you to read this article made by @coldshell, a well-detailed example of an overview.\r\nAs usual, popular Chrome-based \u0026 Firefox-based browsers and also Opera are mainly targeted by Predator. This is the current official list supported by this stealer:\r\nAmigo\r\nBlackHawk\r\nChromium\r\nComodo Dragon\r\nCyberfox\r\nEpic Privacy Browser\r\nGoogle Chrome\r\nIceCat\r\nK-Meleon\r\nKometa\r\nMaxthon5\r\nMozilla Firefox\r\nNichrome\r\nOpera\r\nOrbitum\r\nPale Moon\r\nSputnik\r\nTorch\r\nVivaldi\r\nWaterfox\r\nEtc…\r\nThis one is also using SQLite to extract data from browsers and saves it into a temporary file named “vlmi{lulz}yg.col”.\r\nSo the task is simple:\r\nSteal the SQL browser file\r\nExtract data with the help of SQLite and put it into a temporary file\r\nThen read and save it into a text file with a specific name (for each browser).\r\nWhen form data or credentials are found, they’re saved into these files in the General repository:\r\nforms.log\r\npassword.log\r\ncards.log\r\nDiscord\r\nIf Discord is detected on the machine, the stealer will search and copy the “https_discordapp_*localstorage” file into the “ptst” folder. This file contains all the sensitive information about the account and could permit authentication without a login prompt if it is pushed into the correct directory on the attacker’s machine.\r\nPredator is inspecting multiple places…\r\nThis stealer steals data from 3 strategic folders:\r\nDesktop\r\nDownloads\r\nDocuments\r\nEach time, the task is the same: it searches for 4 types of files with the help of GetFileAttributesA:\r\n*.doc\r\n*.docx\r\n*.txt\r\n*.log\r\nWhen they match, they are copied into a folder named “Files”.\r\nInformation.log\r\nWhen the tasks are done, the malware starts generating a summary file, which contains some specific and sensitive data from the victim machine, in the file “Information.log”. For DFIR, this file is the artifact to identify the name of the malware because it contains the name and the specific version.\r\nSo first, it writes the username of the user that executed the payload, the computer name, and the OS version.\r\nUser name: lolilol\r\nMachine name: Computer\r\nOS version: Windoge 10\r\nThen it copies the content of the clipboard with the help of GetClipboardData\r\nCurrent clipboard:\r\n--------------\r\nOmelette du fromage\r\nLet’s continue the process…\r\nStartup folder: C:\\Users\\lolilol\\AppData\\Local\\Temp\\predator.exe\r\nSome classic specifications about the machine are requested and saved into the file.\r\nCPU info: Some bad CPU | Amount of kernels: 128 (Current CPU usage: 46.112917%)\r\nGPU info: Fumik0_ graphical display\r\nAmount of RAM: 12 GB (Current RAM usage: 240 MB)\r\nScreen resolution: 1900x1005\r\nThen, all the user accounts are listed\r\nComputer users:\r\nlolilol\r\nAdministrator\r\nAll Users\r\nDefault\r\nDefault User\r\nPublic\r\nThe last part is about some exotic information that is quite awkward in fact… Firstly, for some reasons that I don’t want to understand, the compile time is hardcoded in the payload.\r\nThen the second exotic data saved into Information.log is the grabbing execution time for stealing contents from the machine… This information could be useful for debugging some tweaks of the features.\r\nAdditional information:\r\nCompile time: Aug 31 2018\r\nGrabbing time: 0.359375 second(s)\r\nC2 Communications\r\nTo finish the information.log, a GET request is made to get some network data about the victim…\r\nFirst, it sets up the request by uncovering some data like:\r\nA user-agent\r\nThe content-type\r\nThe API URL (/api/info.get)\r\nWe can have for example this result:\r\nAmsterdam;Netherlands;52.3702;4.89517;51.15.43.205;Europe/Amsterdam;1012;\r\nWhen the request is done, the data is consolidated step by step with the help of different loops and conditions.\r\nWhen the task is done, they are saved into Information.log\r\nCity: Nopeland\r\nCountry: NopeCountry\r\nCoordinates: XX.XXXX N, X.XXXX W\r\nIP: XXX.XXX.XXX.XXX\r\nTimezone: Nowhere\r\nZip code: XXXXX\r\nThe archive is now complete, it only remains for the stealer to send it to the C2.\r\nSo now it sets up some pieces of information into the gate.get request with specific arguments, from p1 to p7, for example:\r\np1: Number of accounts stolen\r\np2: Number of cookies stolen\r\np4: Number of forms stolen\r\netc…\r\nresults:\r\nThe POST request is now complete, the stealer will clean everything and quit.\r\nExample of Predator C2 Panel with fancy background…\r\nUpdate – v2.3.7\r\nSo during the analysis, new versions were pushed… Currently (at the time this post was written), v3 has been released, but without possession of this specific version, I won’t say anything about it and will focus only on 2.3.7.\r\nIt’s useless to review it from scratch, the mechanics of this stealer are still the same, just some tweaks or other arrangements were done for multiple purposes… Without digging too much into it, let’s see some changes (not all) that I found interesting.\r\nChangelog of v2.3.7 explained by the author\r\nAs usual, these are the same patterns:\r\nCode optimizations (Faster / Lightweight)\r\nMore features…\r\nAs you can see, v2.3.7 on the right is much longer than v2.3.5 (left), but the backbone is still the same.\r\nMutex\r\nOn 2.3.7, a mutex is integrated with a specific string called “SyystemServs”\r\nXor / Obfuscated Strings\r\nDuring the C2 requests, URL arguments are generated byte per byte and un-XORed.\r\nFor example:\r\npush 04\r\n...\r\npush 61\r\n...\r\npush 70\r\n...\r\nleads to this\r\nHEX : 046170692F676174652E6765743F70313D\r\nSTRING : .api/gate.get?p1=\r\nThis is basic and simple but enough to just slow down the review of the strings. But at least it’s really easy to uncover, so it doesn’t matter.\r\nThis tweak is by far why the code is much longer than v2.3.5.\r\nLoader\r\nNot seen before (as far as I saw), it seems that 2.3.7 integrates a loader feature to push another payload onto the victim machine, easily recognizable with the adequate GET request\r\n/api/download.get\r\nThe API request permits the malware to get a URL in text format, then download it, save it to disk and execute it with the help of ShellExecuteA\r\nThere are also some other tweaks, but it’s unnecessary to detail them in this review; I leave this task to you if you are curious 🙂\r\nIoC\r\nv2.3.5\r\n299f83d5a35f17aa97d40db667a52dcc | Sample Packed\r\n3cb386716d7b90b4dca1610afbd5b146 | Sample Unpacked\r\nkent-adam.myjino.ru | C2 Domain\r\nv2.3.7\r\ncbcc48fe0fa0fd30cb4c088fae582118 | Sample Unpacked\r\ndenbaliberdin.myjino.ru | C2 Domain\r\nHTTP Patterns\r\nGET – /api/info.get\r\nPOST – /api//gate.get?p1=X\u0026p2=X\u0026p3=X\u0026p4=X\u0026p5=X\u0026p6=X\u0026p7=X\r\nGET – /api/download.get\r\nMITRE ATT\u0026CK\r\nv2.3.5\r\nDiscovery – Peripheral Device Discovery\r\nDiscovery – System Information Discovery\r\nDiscovery – System Time Discovery\r\nDiscovery – Query Registry\r\nCredential Access – Credentials in Files\r\nExfiltration – Data Compressed\r\nv2.3.7\r\nDiscovery – Peripheral Device Discovery\r\nDiscovery – System Information Discovery\r\nDiscovery – System Time Discovery\r\nDiscovery – Query Registry\r\nCredential Access – Credentials in Files\r\nExfiltration – Data Compressed\r\nExecution – Execution through API\r\nAuthor / Threat Actor\r\nAlexuiop1337\r\nYara Rule\r\nrule Predator_The_Thief : Predator_The_Thief {\r\n meta:\r\n description = \"Yara rule for Predator The Thief v2.3.5 \u0026 +\"\r\n author = \"Fumik0_\"\r\n date = \"2018/10/12\"\r\n update = \"2018/12/19\"\r\n strings:\r\n $mz = { 4D 5A }\r\n // V2\r\n $hex1 = { BF 00 00 40 06 }\r\n $hex2 = { C6 04 31 6B }\r\n $hex3 = { C6 04 31 63 }\r\n $hex4 = { C6 04 31 75 }\r\n $hex5 = { C6 04 31 66 }\r\n\r\n $s1 = \"sqlite_\" ascii wide\r\n\r\n // V3\r\n $x1 = { C6 84 24 ?? ?? 00 00 8C }\r\n $x2 = { C6 84 24 ?? ?? 00 00 1A }\r\n $x3 = { C6 84 24 ?? ?? 00 00 D4 }\r\n $x4 = { C6 84 24 ?? ?? 00 00 03 }\r\n $x5 = { C6 84 24 ?? ?? 00 00 B4 }\r\n $x6 = { C6 84 24 ?? ?? 00 00 80 }\r\n\r\n condition:\r\n $mz at 0 and\r\n ( ( all of ($hex*) and all of ($s*) ) or (all of ($x*)))\r\n}\r\nRecommendations\r\nAlways run stuff inside a VM, and be sure to install a lot of stuff linked to the hypervisor (like Guest Additions tools) to trigger as many kinds of Anti-VM detection as possible and make the malware close itself.\r\nWhen you are done with your activities, stop the VM and restore it to a specific clean snapshot.\r\nAvoid storing files at a predestined path (Desktop, Documents, Downloads); put them in a place that is not common.\r\nAvoid cracks and other stupid fake hacks, stealers are usually behind the current game trends (especially in those times with Fortnite…).\r\nUse containers for the software that you are using, this will reduce the risk of data being stolen.\r\nFlush your browser after each visit, never save your passwords directly in your browser or use auto-fill features.\r\nDon’t use the same password for all your websites (use 2FA when it’s possible), we are in 2018, and sadly this is still everywhere like this.\r\nMake some noise with your data, that will make the attacker lose some time finding accurate values in the junk information.\r\nUse a password vault software.\r\nTroll/Not Troll: Learn Russian and put your keyboard in Cyrillic 🙂\r\nConclusion\r\nStealers are not sophisticated malware, but they are effective enough to do some irreversible damage to victims. Email accounts and other credentials are more and more impactful and this will get worse with the years. Behaviors must change regarding account management to limit this kind of scenario. Awareness and good practices are the keys, and it will not be a simple security software solution that solves everything.\r\nWell for me I’ve had enough work, it’s time to sleep a little…\r\n#HappyHunting\r\nUpdate 2018-10-23 : Yara Rules now working also for v3\r\nSource: https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
	],
	"report_names": [
		"predator-the-thief-in-depth-analysis-v2-3-5"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd451cc70b566ead7369302162ad68d75c45ec51.pdf",
		"text": "https://archive.orkl.eu/dd451cc70b566ead7369302162ad68d75c45ec51.txt",
		"img": "https://archive.orkl.eu/dd451cc70b566ead7369302162ad68d75c45ec51.jpg"
	}
}