Threat Research

Predator the Thief Malware: Analysis of Recent Versions

By Yueh-Ting Chen | January 06, 2020

FortiGuard Labs Threat Analysis Report

FortiGuard Labs has been monitoring a new release of the malware known as Predator the Thief, labeled as version 3.3.4. After our last article about Predator the Thief, we continued monitoring this malware family. Small development differences accumulated between each minor version, so that version 3.3.4 is now very different from version 3.0.8.

In early December 2019, we observed a new Predator the Thief malware campaign using version 3.3.3. We analyzed the new campaign, and found that it is both stealthier and more complicated than its predecessors. In addition, it was upgraded again to version 3.3.4 on Christmas Eve. In this report we will analyze its latest set of capabilities.

Predator the Thief Malware Analysis

Firstly, we discovered that the campaign now uses multiple phishing documents designed to look like invoices, all pushing the same payload of Predator the Thief. Figure 1 shows the infection chain, and Figure 2 shows an example of the phishing document.

Figure 1: Infection chain of recent Predator the Thief malware campaign

Figure 2: Example phishing document

Malware Loading

Once the document is opened, the malware performs the following four operations:

1. The AutoOpen macro runs the malicious VBA script.

2. It downloads three files through PowerShell.

  • VjUea.dat: Legitimate AutoIt3.exe
  • SevSS.dat: Base64-encoded AutoIt script with certificate header
  • apTz.dat: RC4-encrypted Predator the Thief

Figure 3: PowerShell for downloading files, compiling loader, and running loader to load Predator the Thief

3. It then uses the legitimate AutoIt3.exe to run the decoded AutoIt script. “” is decoded by certutil.exe, a legitimate command-line program that is part of the Certificate Service in Windows. The script is then run to decrypt apTz.dat into the Predator the Thief payload.

Figure 4: Certificate header and base64-encoded AutoIt script(.au3)

4. It then loads Predator the Thief into a hollowed process (dllhost.exe in this sample).

Figure 5: Decoding and injecting Predator the Thief into dllhost.exe
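The four loading steps above, expressed as correlation logic over process-creation events, as an added example that is not code from the report or from FortiGuard. The events are constructed (file names follow the report, command lines are placeholders), and the stage names and the heuristic that dllhost.exe is normally started by svchost.exe are this example's own assumptions.

```python
# Constructed process-creation events (parent image, image, command line) modelled on the
# four loading steps above. File names are the ones named in the report; the command lines
# are illustrative placeholders, not recovered from the sample.
SUSPECT_EVENTS = [
    ("WINWORD.EXE", "powershell.exe", "powershell.exe -w hidden <download VjUea.dat SevSS.dat apTz.dat>"),
    ("powershell.exe", "certutil.exe", "certutil.exe -decode SevSS.dat script.au3"),
    ("powershell.exe", "VjUea.dat", "VjUea.dat script.au3"),
    ("VjUea.dat", "dllhost.exe", "dllhost.exe"),
]
BENIGN_EVENTS = [
    ("explorer.exe", "WINWORD.EXE", "WINWORD.EXE invoice.docx"),
    ("svchost.exe", "dllhost.exe", "dllhost.exe /Processid:{GUID}"),
    ("cmd.exe", "certutil.exe", "certutil.exe -verify site.cer"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def match_stage(parent: str, image: str, cmdline: str) -> list:
    """Return the loader-chain stages one event matches (stage names are this example's own)."""
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    hits = []
    if p in OFFICE_APPS and i == "powershell.exe":
        hits.append("office_spawns_powershell")   # step 2: macro -> PowerShell download
    if i == "certutil.exe" and "-decode" in c:
        hits.append("certutil_decode")            # step 3: certificate-wrapped base64 script
    if i.endswith(".dat") or (i == "autoit3.exe" and ".au3" in c):
        hits.append("autoit_runs_script")         # step 3: renamed AutoIt3.exe running a .au3
    if i == "dllhost.exe" and p != "svchost.exe":
        hits.append("dllhost_unusual_parent")     # step 4: hollowed dllhost.exe (heuristic:
    return hits                                   # COM surrogate is normally a svchost child)

def chain_verdict(events: list, threshold: int = 3) -> dict:
    """Correlate events from one host: distinct stages >= threshold raises an alert."""
    stages = set()
    for parent, image, cmdline in events:
        stages.update(match_stage(parent, image, cmdline))
    return {"stages": sorted(stages), "alert": len(stages) >= threshold}
```

Any one stage on its own is noisy (certutil and dllhost have legitimate uses); the value is in seeing several of them from the same host in a short window.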

Predator the Thief Malware Hash:


After running the malware, we found that it connected to the C2 server corp2[.]site. In the data sent to the C2 server, the information file “information.txt” contained its version.

Figure 6: Information.txt shows Version 3.3.3

As is often the case, the authors use Telegram to promote their malware business, upgrading the panel and stealer almost every month. We checked the following channel, used for providing update notes for their customers:


The malware was upgraded in early December 2019 to version 3.3.3, and it was soon upgraded again to a new version 3.3.4 on Christmas Eve. Here are notes for both versions:

Figure 7: Notes for version 3.3.3 in its Telegram channel

Figure 8: Notes for version 3.3.4 in its Telegram channel

The stealer’s side does not change much in either version released in December. However, there were some new features added since the previous article. In the following section, we will analyze the features found in version 3.3.3 to determine what changes have been made during this period.

Features of Version 3.3.3

More Anti-Debug Tricks

More anti-debug tricks were added to Predator the Thief since the previous version of the malware was released. These include the following:

  1. NtSetInformationThread
  2. NtQueryInformationProcess
  3. BeingDebugged flag
  4. CheckRemoteDebuggerPresent
  5. Breakpoint detection with AddVectoredExceptionHandler
  6. Thread for permanently monitoring debugger
  7. Descriptor table register check
  8. GetTickCount check

We also found that it copies a portion of ntdll.dll into allocated memory. It then hooks the copied portion with a simple shellcode that calls the function NtQueryInformationProcess for anti-debug purposes. Because the call goes through the copy rather than the original export, this also prevents analysts from hooking NtQueryInformationProcess to evade detection. Further, it checks the CRC32 checksum of the allocated memory to detect any modification.

Figure 9: Anti-debug with NtQueryInformationProcess

This version of the Predator the Thief malware also includes multi-level anti-debug functions, in which a thread is used to detect debuggers every five seconds.

Figure 10: Multi-level anti-debug before main routine

More Complicated Assembly Code

In contrast with the previous version, 3.0.8, most of the junk code in the main routine of version 3.3.3 was removed. We can also observe that the assembly code is much shorter but more complicated. For example, all strings are decoded at runtime with XOR or SUB operations, and the string-decoding loops make the control flow more complicated.

Figure 11: Graph comparison between versions 3.0.8 and 3.3.3

Being File-less

We also found that the stolen information is sent as a zip file. However, that file is never written to the file system. Instead, the malware allocates a memory region holding the entire zip file structure and appends the zip file directly from memory to the request data.

Figure 12: Data in packet and the decompressed files

Figure 13: Allocated memory for locating zip file

C2 Analysis – check.get

This is the API used to fetch the configuration from the C2 server. The configuration is more complex and detailed than in previous versions, and it is encrypted in transit. One example returned the following data, which looks base64-encoded.

Figure 14: Encrypted data in response packets

In fact, the string is encrypted with RC4 and then base64-encoded. The RC4 key is the C2 domain name. After decoding the string shown in the previous figure, we found the following configuration string. Note that the IP information is masked.

[0;1;0;0;0;1;1;0;1;;;1]#[]#[City;Country;Longitude;Latitude;IP;Timezone;Postal code]#[]#[]

The string is divided into five parts by “#”. “[]” indicates an empty configuration.

1. The first part, as analyzed in version 3.3.3, contains 12 arguments separated by semicolons. In version 3.3.4 the argument for the CIS region check was removed:

  • Webcam bmp capture
  • Enable anti-VM check
  • Collect Skype information
  • Collect Steam information
  • Screen capture
  • Enable CIS region check with default language:
    • We found the following languages are checked in version 3.3.3: Russian, Armenian, Azeri, Belarusian, Georgian, Kazakh, Tajik, Turkmen, Uzbek, and Ukrainian. However, in version 3.3.4, the code related to the default language check had been removed. According to the information found in the author’s notes in Figure 8, this may imply that a CIS region check is now performed on the server side.
  • Remove itself after running
  • Collect Telegram information
  • Collect InetCookies
  • File search limits
  • Base64-encoded PowerShell command (Added in version 3.3.2)
  • Browser history (Added in version 3.3.3)

2. The second part contains a file grabber configuration. The following is an example of its configuration structure:

[%userprofile%\Desktop|%userprofile%\Downloads;*.txt,*doc;2048;test.txt;0]:[another grabber configuration]

It may contain multiple grabber configurations. There are five parts in each grabber configuration:

  • Initial folders for grabber
  • Target file types
  • Maximum file size
  • Exclusion list of file names
  • Option for maintaining directory structure

3. The third part is the victim’s IP information, which is checked and returned by the C2 server.

  • City
  • Country
  • Longitude
  • Latitude
  • IP
  • Time zone
  • Postal code

4. The fourth part is a sub-configuration for running the download module or other malware. Interestingly, this download capability makes Predator the Thief a possible loader for other malware.

There are multiple ways to run files, including hollow process injection, reflective DLL injection, and general API usage, such as CreateProcessA and ShellExecuteA.

Because this section has a complex configuration structure, we have simplified it to the following items:

  • Download URL
  • File execution method option
  • Command line string for hollow process
  • Download filename
  • Registry for persistence
  • Download file type (.dll or .exe)

5. The fifth and final part is another configuration for downloading and executing modules. Unlike the fourth part, it defines an API list. Each API downloads files from [APIName].get and [APIName].post.

The URL is in the following format:


The “.get” endpoint returns the PE file section named “.rdata”.

The “.post” endpoint returns the main part of the PE file.

Eventually, it writes an executable named “Werfault.exe” to a “%ProgramData%\[5-random-lowercase-letters name]” folder and immediately runs it with ShellExecuteA. Interestingly, this part is not a single API name but an API list, so multiple files can be downloaded from different APIs and executed immediately.

C2 Analysis – gate.get

This is used for sending the collected information to the C2 server. The format is as follows:


The meaning of each argument is shown below:

  • p1: Number of passwords
  • p2: Number of cookies
  • p3: Number of cards
  • p4: Number of forms
  • p5: Number of Steam accounts
  • p6: Number of wallets
  • p7: Number of Telegram accounts
  • p8: CRC32 checksum anti-debug result
  • p9: Module execution method configuration
    • This item is related to the fourth part of the configuration. If the fourth part is enabled, this argument is set to 1.
  • p10: Encrypted string of registry key name and OS version
    • This item is encrypted with RC4 and then base64-encoded, again using the domain name as the RC4 key. For example, we have the following encrypted string at the beginning of this section.


It can be decrypted into the following string.

|Windows 7 Enterprise x64

The format is “Registry Key Name|OS Version”. The registry key name comes from the fourth part of the configuration. If that configuration is not set, the name is empty. When it is set, the malware creates a registry key at HKCU\Software\AdviceService Ltd.\[Name].
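The check.get decoding and parsing described earlier, and the gate.get p10 field described just above, as one added example that is not the report's or the malware's own code: the RC4-then-base64 scheme keyed with the C2 domain, the five-part “#” split with the grabber entries, and the “Name|OS Version” split of p10. The field names, the 3.3.3 flag order, and the sample configuration (the string quoted above with one grabber entry filled in) are this example's own assumptions.

```python
import base64
FLAGS = ["webcam", "anti_vm", "skype", "steam", "screenshot", "cis_check", "self_delete",
         "telegram", "inet_cookies", "file_search_limit", "powershell_b64", "browser_history"]
GEO = ["city", "country", "longitude", "latitude", "ip", "timezone", "postal_code"]
C2 = "corp2.site"  # C2 domain from the report (defanged there as corp2[.]site)

def rc4(key: bytes, data: bytes) -> bytes:  # plain RC4 (KSA + PRGA); same call both ways
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_field(b64: str, c2_domain: str) -> str:  # base64 -> RC4(key = C2 domain) -> text
    return rc4(c2_domain.encode(), base64.b64decode(b64)).decode()
def encode_field(text: str, c2_domain: str) -> str:  # inverse; used only to build sample data
    return base64.b64encode(rc4(c2_domain.encode(), text.encode())).decode()

def parse_grabber(part: str) -> list:
    """'[dirs|dirs;types;max_size;excluded;keep_dirs]:[...]' -> one dict per entry."""
    entries = []
    for cfg in part.strip("[]").split("]:["):  # entry separator; leaves 'C:\' paths intact
        if cfg:
            dirs, types, size, excl, keep = cfg.split(";")
            entries.append({"dirs": dirs.split("|"), "types": types.split(","), "max_size": int(size),
                            "exclude": excl.split(","), "keep_dirs": keep == "1"})
    return entries

def parse_check_get(config: str) -> dict:
    """Split a decrypted check.get response into its five '#'-separated parts (3.3.3 layout)."""
    flags, grabber, geo, loader, apis = config.split("#")  # ValueError unless exactly 5 parts
    return {"flags": dict(zip(FLAGS, flags.strip("[]").split(";"))),  # 3.3.4 drops cis_check
            "grabber": parse_grabber(grabber),
            "geo": dict(zip(GEO, geo.strip("[]").split(";"))),
            "loader": loader.strip("[]"), "api_list": apis.strip("[]")}  # kept raw, see text

def parse_p10(b64: str, c2_domain: str) -> dict:  # gate.get p10 = 'RegistryKeyName|OS version'
    name, _, os_ver = decode_field(b64, c2_domain).partition("|")
    return {"registry_key": name, "os_version": os_ver}

CONFIG = ("[0;1;0;0;0;1;1;0;1;;;1]#[%userprofile%\\Desktop|%userprofile%\\Downloads;*.txt,*doc;"
          "2048;test.txt;0]#[City;Country;Longitude;Latitude;IP;Timezone;Postal code]#[]#[]")
SAMPLE_RESPONSE = encode_field(CONFIG, C2)  # constructed stand-in for a captured check.get body
```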

Monitoring the Predator the Thief Malware

This recent campaign added a simple but tricky way to abuse legitimate AutoIt software to execute the Predator the Thief payload. In addition, the whole program flow has changed. More anti-analysis features are used, and the configuration is more detailed and complex. The malware is also able to collect information in a file-less manner and delete itself immediately after sending that information to the C2. This makes it more difficult for analysts to assess its impact on the victim system. It has also added new ways to execute its additional modules and second-stage malware.

We will continue to monitor this malware family and its related activities and report on important new changes.

As part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.


Fortinet customers are protected from malicious threats mentioned in this analysis with the following solutions:


Malicious document: Detected as VBA/Agent.5C0F!tr


Encoded AutoIt script:

36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad - Autoit/Injector.ESA!tr

RC4 Encrypted Predator the Thief 3.3.3:

dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043 - W32/Agent.PTM!tr

Predator the Thief version 3.3.3:

7195659c846b13069d19341b6da99d925acc7db827dd84e7dbe00815511d30b1 - W32/Agent.PTM!tr

Predator the Thief version 3.3.4:

b7e0218883dfb06a4bf5bab7bf5ad4038258dd0e925d4fdd772def810ee2c92d - W32/Agent.PTM!tr

C2: Detected as Malware:

