Static

static

Vital Information.exe

windows7_x64

10

Vital Information.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vital Information.exe

  • Size

    298KB

  • MD5

    83be83f2a2c21bfa43836b8faa2a3f05

  • SHA1

    f9959adb63dcc148071c7ca0dbc7378747ef555a

  • SHA256

    6ee95360b744269183b9f19b9474f831224dbd90d27e67e5b2c5701f69938e4e

  • SHA512

    803672f863747f7b3ccfa53182b06bd59d73fff53dd3c923975065aafdb88d1424f7e76ae4b4f1f89c32e96664fdfd92c88a7e83d178c6723f888d818719fb5a

Score
10/10
cheetahkeyloggeragilenetkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.aviner.co.za
  • Port:
    587
  • Username:
    christine@aviner.co.za
  • Password:
    NoLimits@

Signatures

  • Cheetah Keylogger

    Cheetah is a keylogger and info stealer first seen in March 2020.

    stealerkeyloggercheetahkeylogger
  • Cheetah Keylogger Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vital Information.exe
    "C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • memory/644-18-0x00000000024F0000-0x0000000002521000-memory.dmp
    Filesize

    196KB

    Download
  • memory/644-12-0x000000000041FE5E-mapping.dmp
    Download
  • memory/644-24-0x0000000006450000-0x0000000006451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-23-0x0000000005F30000-0x0000000005F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-22-0x0000000005A60000-0x0000000005A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-20-0x0000000005100000-0x0000000005101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-16-0x0000000000360000-0x0000000000382000-memory.dmp
    Filesize

    136KB

    Download
  • memory/644-15-0x0000000073DC0000-0x00000000744AE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/652-8-0x00000000065E0000-0x00000000065E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-3-0x00000000014E0000-0x00000000014EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/652-1-0x0000000000B00000-0x0000000000B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-10-0x0000000006630000-0x0000000006631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-9-0x0000000006470000-0x0000000006472000-memory.dmp
    Filesize

    8KB

    Download
  • memory/652-0-0x0000000073DC0000-0x00000000744AE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/652-4-0x0000000005900000-0x0000000005901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-7-0x0000000006460000-0x0000000006462000-memory.dmp
    Filesize

    8KB

    Download
  • memory/652-6-0x0000000006020000-0x0000000006021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-5-0x0000000005560000-0x0000000005562000-memory.dmp
    Filesize

    8KB

    Download