cheetahkeylogger | e0dd9126e9038ec946d016833bad57afb1d3eb06e453ec8a0bdd60661e6a3da2

General

Target

Purchase Order.exe
Size

282KB
Sample

200816-5yklmkd61s
MD5

b861f4c2cd486258a79a2078c58885e8
SHA1

a52c73cecef8c37bcaf95aeeb456580544a6e27c
SHA256

e0dd9126e9038ec946d016833bad57afb1d3eb06e453ec8a0bdd60661e6a3da2
SHA512

2d51a0096e6c99209bbd020f8523143c1651567296e3123cc4650e9809dc5c5f560fa8b1848d18cd240a53f5ae9fcfbf11bca98eb04d2a678f6d45c682d36371

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.aviner.co.za
Port:
587
Username:
[email protected]
Password:
NoLimits@

Targets

- Target
  
  Purchase Order.exe
- Size
  
  282KB
- MD5
  
  b861f4c2cd486258a79a2078c58885e8
- SHA1
  
  a52c73cecef8c37bcaf95aeeb456580544a6e27c
- SHA256
  
  e0dd9126e9038ec946d016833bad57afb1d3eb06e453ec8a0bdd60661e6a3da2
- SHA512
  
  2d51a0096e6c99209bbd020f8523143c1651567296e3123cc4650e9809dc5c5f560fa8b1848d18cd240a53f5ae9fcfbf11bca98eb04d2a678f6d45c682d36371
Score

10^/10

cheetahkeylogger keylogger spyware stealer
- Cheetah Keylogger
  Cheetah is a keylogger and info stealer first seen in March 2020.
  stealer keylogger cheetahkeylogger
- Cheetah Keylogger Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Cheetah Keylogger

Cheetah Keylogger Payload

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2