Malware Analysis Report

2024-11-30 18:45

Sample ID: 220205-lc6l2shhg3
Target: d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20
SHA256: d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20
Tags: cheetahkeylogger agilenet collection keylogger stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20

Threat Level: Known bad

The file d782ae31ebfa573f5c014160b06d8cfbf1b9047a7470b4123846719e85234e20 was found to be: Known bad.

Malicious Activity Summary

cheetahkeylogger agilenet collection keylogger stealer

Cheetah Keylogger Payload

Cheetah Keylogger

Obfuscated with Agile.Net obfuscator

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 09:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 09:24

Reported

2022-02-05 09:26

Platform

win7-en-20211208

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"

Signatures

Cheetah Keylogger

stealer keylogger cheetahkeylogger

Cheetah Keylogger Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ifconfig.me | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 604 set thread context of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 604 wrote to memory of 828 (11 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
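The signature tables above describe one chain: the dropper (PID 604, Vital Information.exe) enables SeDebugPrivilege, writes into a freshly started InstallUtil.exe (PID 828) eleven times, then calls SetThreadContext on it, and afterwards it is InstallUtil.exe, not the dropper, that opens the Outlook profile keys. The script below is an added example, not code from the sandbox or from Cheetah Keylogger, that turns those tables into a hollowing and credential-access verdict a detection engineer could reuse. The process and event records are transcribed by hand from the tables; the record layout (ProcessRecord, Event), the list of .NET hollowing hosts, the has_arguments heuristic and the scoring are this script's own assumptions.

```python
"""Host-behaviour triage for the behavioral1 run of this report.

Added example; not code from the sandbox or from the malware. Process and
event records below are transcribed by hand from the report's signature
tables; the record layout, host list and scoring are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Microsoft-signed .NET utilities commonly chosen as injection targets: trusted
# images that normally never run without arguments (assumed list).
DOTNET_HOST_IMAGES = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                      "msbuild.exe", "aspnet_compiler.exe"}
# Registry paths under which Outlook/MAPI keep profile data; both forms appear
# in the report's "Accesses Microsoft Outlook profiles" table.
OUTLOOK_PROFILE_MARKERS = (r"\Outlook\Profiles", r"\Windows Messaging Subsystem\Profiles")


@dataclass
class ProcessRecord:
    pid: int
    image: str      # full image path
    cmdline: str    # command line as the sandbox recorded it


@dataclass
class Event:
    kind: str       # WriteProcessMemory | SetThreadContext | AdjustPrivilegeToken | RegOpenKey
    pid: int        # acting process
    target: object  # target pid, privilege name, or registry key path


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip() != ""


def triage(processes, events):
    procs = {p.pid: p for p in processes}
    name = lambda pid: ntpath.basename(procs[pid].image) if pid in procs else "?"
    writes, ctx = defaultdict(int), set()      # (src, dst) -> count; (src, dst) pairs
    privs, regkeys = defaultdict(set), defaultdict(list)
    for ev in events:
        if ev.kind == "WriteProcessMemory":
            writes[(ev.pid, ev.target)] += 1
        elif ev.kind == "SetThreadContext":
            ctx.add((ev.pid, ev.target))
        elif ev.kind == "AdjustPrivilegeToken":
            privs[ev.pid].add(ev.target)
        elif ev.kind == "RegOpenKey":
            regkeys[ev.pid].append(ev.target)

    findings = {"hollowing": [], "outlook_profile_access": [],
                "debug_privilege": sorted(p for p, s in privs.items() if "SeDebugPrivilege" in s)}
    # Hollowing: a parent writes into a child it spawned, then rewrites the child's
    # thread context so the child runs the injected image instead of its own.
    for src, dst in sorted(ctx):
        n = writes.get((src, dst), 0)
        if dst not in procs or n == 0:
            continue
        reasons = ["SetThreadContext after %d WriteProcessMemory calls" % n]
        if name(dst).lower() in DOTNET_HOST_IMAGES:
            reasons.append("target is a signed .NET utility")
        if not has_arguments(procs[dst].cmdline):
            reasons.append("target was started with no arguments")
        findings["hollowing"].append({"source_pid": src, "source": name(src),
                                      "target_pid": dst, "target": name(dst),
                                      "write_count": n, "score": len(reasons), "reasons": reasons})
    # The Outlook profile reads come from the injected host, not the dropper, so
    # attribute them to the process that received the code.
    injected = {dst for _, dst in ctx}
    for pid, keys in regkeys.items():
        hits = [k for k in keys if any(m.lower() in k.lower() for m in OUTLOOK_PROFILE_MARKERS)]
        if hits:
            findings["outlook_profile_access"].append(
                {"pid": pid, "image": name(pid), "keys": hits, "injected": pid in injected})
    return findings


# Constructed from the report's behavioral1 tables (PIDs, paths and key names as listed there).
HIVE = r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000"
PROFILE = r"\Outlook\9375CFF0413111d3B88A00104B2A6676"
REPORT_PROCESSES = [
    ProcessRecord(604, r"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe",
                  r'"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"'),
    ProcessRecord(828, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                  r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
]
REPORT_EVENTS = [Event("WriteProcessMemory", 604, 828)] * 11 + [
    Event("SetThreadContext", 604, 828),
    Event("AdjustPrivilegeToken", 604, "SeDebugPrivilege"),
    Event("AdjustPrivilegeToken", 828, "SeDebugPrivilege"),
    Event("RegOpenKey", 828, HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles" + PROFILE),
    Event("RegOpenKey", 828, HIVE + r"\Software\Microsoft\Office\15.0\Outlook\Profiles" + PROFILE),
    Event("RegOpenKey", 828, HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" + PROFILE),
]
```

Running `triage(REPORT_PROCESSES, REPORT_EVENTS)` yields one hollowing finding (604 into 828, 11 writes, all three reasons) and one Outlook profile finding attributed to PID 828 with `injected` set. The point for detection content is the last part: a rule that keys on the dropper's image name misses the credential access, because by then the interesting process is a Microsoft-signed InstallUtil.exe with an empty command line.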

Processes

C:\Users\Admin\AppData\Local\Temp\Vital Information.exe

"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ifconfig.me | udp
US | 34.117.59.81:80 | ifconfig.me | tcp
US | 8.8.8.8:53 | mail.lubrimax.co.za | udp
US | 192.185.156.163:587 | mail.lubrimax.co.za | tcp

Files

memory/604-55-0x0000000000250000-0x00000000002B2000-memory.dmp

memory/604-56-0x00000000003F0000-0x0000000000406000-memory.dmp

memory/604-57-0x0000000000650000-0x0000000000658000-memory.dmp

memory/604-58-0x0000000002130000-0x0000000002131000-memory.dmp

memory/604-59-0x0000000000420000-0x000000000042A000-memory.dmp

memory/828-60-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-61-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-62-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-64-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-66-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-68-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/828-69-0x0000000000360000-0x0000000000396000-memory.dmp

memory/828-70-0x00000000049E0000-0x00000000049E1000-memory.dmp

memory/828-71-0x0000000076641000-0x0000000076643000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 09:24

Reported

2022-02-05 09:26

Platform

win10v2004-en-20220113

Max time kernel

5s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vital Information.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vital Information.exe

"C:\Users\Admin\AppData\Local\Temp\Vital Information.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp

Files

memory/2596-130-0x0000000000860000-0x00000000008C2000-memory.dmp
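The two Network tables read very differently. In behavioral1 the sample resolves and contacts ifconfig.me over HTTP and then connects to mail.lubrimax.co.za on the mail submission port 587, which is the external-IP-lookup-then-SMTP pattern the "stealer" tag refers to. In behavioral2 (win10v2004) the run lasted only 5 s of kernel time, produced a single SeDebugPrivilege signature and no traffic beyond Windows settings telemetry; that should be read as a detonation that never reached the injection stage, not as evidence of a clean sample. The script below is an added example, not code from the sandbox, that classifies both tables and separates sandbox noise from the exfiltration endpoints. The table text is copied from the report; the resolver, IP-lookup-service and OS-telemetry lists are this script's own assumptions.

```python
"""Network triage across the two detonations in this report.

Added example; not the sandbox's code. The two tables are copied from the
report's Network sections. Resolver, IP-lookup and telemetry lists are
assumptions, not from the report.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "country host port domain proto")

# Assumed lists; extend with the environment's own resolvers and telemetry hosts.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
IP_LOOKUP_SERVICES = {"ifconfig.me", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}
OS_TELEMETRY_SUFFIXES = (".data.microsoft.com", ".windowsupdate.com")
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}


def parse_network_table(text):
    """Parse the report's 'Country Destination Domain Proto' rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # first line is the header
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append(Conn(country, host, int(port), domain, proto))
    return rows


def classify(c):
    # In the sandbox table a udp/53 row's "domain" is the name that was queried,
    # so the resolver address, not the domain, decides whether the row is noise.
    if c.proto == "udp" and c.port == 53:
        return "dns" if c.host in PUBLIC_RESOLVERS else "dns-unusual-resolver"
    if c.domain.endswith(OS_TELEMETRY_SUFFIXES):
        return "os-telemetry"
    if c.domain in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"
    if c.port in MAIL_PORTS:
        return "mail-" + MAIL_PORTS[c.port]
    return "other"


def triage_network(text):
    labelled = [(c, classify(c)) for c in parse_network_table(text)]
    kinds = {k for _, k in labelled}
    result = {
        "ip_lookup": [(c.domain, c.host, c.port) for c, k in labelled if k == "external-ip-lookup"],
        "mail_servers": [(c.domain, c.host, c.port, MAIL_PORTS[c.port])
                         for c, k in labelled if k.startswith("mail-")],
        "other": [(c.domain, c.host, c.port) for c, k in labelled if k == "other"],
        "queried_names": sorted({c.domain for c, k in labelled if k.startswith("dns")}),
    }
    # A "what is my IP" lookup followed by a mail submission in the same run is
    # the stealer pattern: logs go out by SMTP, tagged with the victim's public IP.
    if result["ip_lookup"] and result["mail_servers"]:
        result["verdict"] = "mail-exfiltration"
    elif kinds <= {"dns", "os-telemetry"}:
        result["verdict"] = "no-malicious-network"   # not the same as "sample is benign"
    else:
        result["verdict"] = "inconclusive"
    return result


# Copied from the report's Network tables.
WIN7_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 ifconfig.me udp
US 34.117.59.81:80 ifconfig.me tcp
US 8.8.8.8:53 mail.lubrimax.co.za udp
US 192.185.156.163:587 mail.lubrimax.co.za tcp
"""
WIN10_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
"""
```

`triage_network(WIN7_NETWORK)` returns the verdict `mail-exfiltration` with mail.lubrimax.co.za:587 as the only mail server and ifconfig.me as the lookup service; `triage_network(WIN10_NETWORK)` returns `no-malicious-network`, which is why the behavioral1 run, not the Win10 one, is the source of blockable indicators. The mail host and its IP are the indicators worth blocking or alerting on; ifconfig.me is a legitimate service and belongs in a hunting query (process plus destination), not a blocklist.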