Analysis Overview
SHA256
d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20
Threat Level: Known bad
The file d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20 was found to be: Known bad.
Malicious Activity Summary
Cheetah Keylogger Payload
Cheetah Keylogger
Obfuscated with Agile.Net obfuscator
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-05 09:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 09:24
Reported
2022-02-05 09:26
Platform
win7-en-20211208
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Cheetah Keylogger
Cheetah Keylogger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 604 set thread context of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vital Information.exe
"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.117.59.81:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | mail.lubrimax.co.za | udp |
| US | 192.185.156.163:587 | mail.lubrimax.co.za | tcp |
Files
memory/604-55-0x0000000000250000-0x00000000002B2000-memory.dmp
memory/604-56-0x00000000003F0000-0x0000000000406000-memory.dmp
memory/604-57-0x0000000000650000-0x0000000000658000-memory.dmp
memory/604-58-0x0000000002130000-0x0000000002131000-memory.dmp
memory/604-59-0x0000000000420000-0x000000000042A000-memory.dmp
memory/828-60-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-61-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-62-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-64-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-66-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-68-0x0000000000090000-0x00000000000B2000-memory.dmp
memory/828-69-0x0000000000360000-0x0000000000396000-memory.dmp
memory/828-70-0x00000000049E0000-0x00000000049E1000-memory.dmp
memory/828-71-0x0000000076641000-0x0000000076643000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 09:24
Reported
2022-02-05 09:26
Platform
win10v2004-en-20220113
Max time kernel
5s
Max time network
10s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vital Information.exe
"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
memory/2596-130-0x0000000000860000-0x00000000008C2000-memory.dmp