Infostealer.Predet


First posted on 13 November 2015.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Predet.

Explanation:

When the Trojan is executed, it modifies the following file (the hosts file):
%System%\drivers\etc\hosts

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "%AppData%\WindowsUpdate.exe"

The Trojan may attempt to run with Administrator privileges.

The Trojan deletes the following files:
%AppData%\WindowsUpdate.exe
%AppData%\pid.txt
%AppData%\pidloc.txt
%AppData%\.minecraft\lastlogin
%AppData%\Roaming\jagex_cache\reg\
%AppData%\Roaming\jagex_cache\regPin\[COMPUTER NAME]_Pin[DIGIT].jpeg
%Temp%\SysInfo.txt
%Temp%\[COMPUTER NAME]\_wallet.dat
%Temp%\wallet.dat
%Temp%\screens\screenshot[DIGIT]_[COMPUTER NAME].jpeg
%Temp%\EBFile_[DIGIT].exe
%Temp%\BFile_[DIGIT].[EXTENSION]
[REMOVABLE DRIVE]:\autorun.inf
[REMOVABLE DRIVE]:\Sys.exe
Note: The Trojan may also clear web browser cookies and Steam session files.

The Trojan may terminate (and prevent from running) the following processes:
Task Manager
Command line interpreter
MS Config
Registry Editor

The Trojan collects the following information from the compromised computer:
Computer name
CPU name
Server name
OS platform
OS version
.NET version
Predator version
Predator services status: keylogger, clipboard-logger, report frequency, stealers
Local date and time
Installed language
Installed AVs
Installed firewalls
Internal and external IPs

The Trojan may perform the following actions:
Display fake error messages
Log all keystrokes
Download and execute files
Visit websites
Delete cookies from IE and Firefox browsers
Block certain websites
Spread to removable drives

The Trojan may attempt to steal the following information:
Bitcoin wallet.dat
Email credentials
Browser credentials
JDownloader credentials
Internet Download Manager credentials
Minecraft credentials
Steam credentials
PIN screenshots from the RuneScape and EpicBot video games
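A defender-side check built from the indicators above, added here as an example (not Symantec's or malwarePDF's code): it takes the HKCU Run values and the %System%\drivers\etc\hosts contents as already-exported Python inputs, flags the "Windows Update" persistence entry pointing into AppData, and lists any hosts line beyond the Windows defaults, which is where the "block certain websites" behaviour would surface. The sample Run values and hosts lines are constructed.

```python
import re

# Added helper for this page; not Symantec's or malwarePDF's code.
# Run value name from the writeup; its data %AppData%\WindowsUpdate.exe expands
# on disk to ...\AppData\Roaming\WindowsUpdate.exe.
RUN_VALUE_NAME = "Windows Update"
# Names present in a default Windows hosts file; anything else merits a look.
DEFAULT_HOSTS_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def check_run_values(run_values):
    """Return (name, data) pairs from the HKCU Run key matching the Trojan's
    persistence entry. run_values maps value name -> value data (exported)."""
    hits = []
    for name, data in run_values.items():
        # Pull the executable path out, with or without quotes and arguments.
        m = re.match(r'\s*"?([^"]*?\.exe)', data, re.IGNORECASE)
        path = (m.group(1) if m else data).lower()
        in_appdata = "\\appdata\\" in path
        name_match = name.lower() == RUN_VALUE_NAME.lower()
        if in_appdata and (name_match or path.endswith("\\windowsupdate.exe")):
            hits.append((name, data))
    return hits


def check_hosts(hosts_text):
    """Return (ip, hostname) entries beyond a default hosts file; the writeup's
    'block certain websites' behaviour shows up as added lines here."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for host in names:
            if host.lower() in DEFAULT_HOSTS_NAMES or host.lower().startswith("ip6-"):
                continue
            found.append((ip, host))
    return found


# Constructed sample input standing in for a real export from a host.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Update": r'"C:\Users\alice\AppData\Roaming\WindowsUpdate.exe"',
}
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       blocked.example   # constructed: a line the Trojan would add
"""
```

Feed it the real Run key values and hosts file from a suspect machine in place of the constructed samples; a hit on the Run check plus unexplained hosts entries is a strong signal to pull the %AppData% and %Temp% artefacts listed above.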

Last update 13 November 2015
