Static

static

Purchase Order.exe

windows7_x64

10

Purchase Order.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    16-08-2020 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order.exe

  • Size

    282KB

  • MD5

    b861f4c2cd486258a79a2078c58885e8

  • SHA1

    a52c73cecef8c37bcaf95aeeb456580544a6e27c

  • SHA256

    e0dd9126e9038ec946d016833bad57afb1d3eb06e453ec8a0bdd60661e6a3da2

  • SHA512

    2d51a0096e6c99209bbd020f8523143c1651567296e3123cc4650e9809dc5c5f560fa8b1848d18cd240a53f5ae9fcfbf11bca98eb04d2a678f6d45c682d36371

Score
10/10
cheetahkeyloggerkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.aviner.co.za
  • Port:
    587
  • Username:
    christine@aviner.co.za
  • Password:
    NoLimits@

Signatures

  • Cheetah Keylogger

    Cheetah is a keylogger and info stealer first seen in March 2020.

    stealerkeyloggercheetahkeylogger
  • Cheetah Keylogger Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 188 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • memory/628-4-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/628-5-0x0000000000422DDE-mapping.dmp
    Download
  • memory/628-8-0x0000000073940000-0x000000007402E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/628-11-0x0000000002C80000-0x0000000002CB6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/628-12-0x0000000005A20000-0x0000000005A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-14-0x0000000005800000-0x0000000005801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-15-0x00000000060F0000-0x00000000060F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-16-0x00000000064C0000-0x00000000064C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-17-0x0000000006820000-0x0000000006821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2584-0-0x0000000073940000-0x000000007402E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2584-3-0x00000000053C0000-0x00000000053C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2584-1-0x0000000000A60000-0x0000000000A61000-memory.dmp
    Filesize

    4KB

    Download