Overview

overview

10

Static

static

Payment Co...on.exe

windows7_x64

10

Payment Co...on.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Comfirmation.exe

  • Size

    379KB

  • MD5

    8cc7544c09deb420b50ef840f6f1c289

  • SHA1

    d2e1989c3efc56909510b6aec7ee20f720afb1df

  • SHA256

    cdf96811c3ce5645b19c096fa4fffca84bcb7dc4885008f83373fe580ea57f01

  • SHA512

    a211d88e815dcd246202a69b2ea8ac02ee8a6a1329eb4b4c3112e490572de9995c7ececee2239f463f5fcd90a3f9455fb98c8225b46a01dab77f661acfcc297c

Score
10/10
cheetahkeyloggeragilenetcollectionkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.baconplumbing.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Andrew@1652

Signatures

  • Cheetah Keylogger

    Cheetah is a keylogger and info stealer first seen in March 2020.

    stealerkeyloggercheetahkeylogger
  • Cheetah Keylogger Payload 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Comfirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Comfirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 752
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/564-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-55-0x00000000003B0000-0x0000000000414000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1436-56-0x0000000000320000-0x0000000000338000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1436-57-0x0000000002250000-0x00000000043C0000-memory.dmp

    Filesize

    33.4MB

    Download

  • memory/1656-58-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1656-59-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1656-60-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1656-61-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1656-62-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1656-63-0x0000000000330000-0x0000000000366000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1656-64-0x0000000004B60000-0x0000000004B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-65-0x00000000769D1000-0x00000000769D3000-memory.dmp

    Filesize

    8KB

    Download