Extracted

• • Target

    PO23294248429.exe

  • Size

    320KB

  • MD5

    1eae5284068cbc12ec56e10c79a7373a

  • SHA1

    22c8709aac17b8854ac9733123c7a964f1f9d090

  • SHA256

    e8f02457c0ce811c8b7e3574ec86609d52021d2cb59782ee6ef1efb0bb6e0af2

  • SHA512

    a51ed3bb0d9a6c6130e83584b68d06b316c1628b0abaa37ddf5a5141f312b1cd22aa6ae13c9a21afa8c8cd59e54ca2d1f21d423f072bcf31229e2dc0dbf2618c

  Score

  10^/10

  cheetahkeyloggercollectionkeyloggerspywarestealer

  • Cheetah Keylogger

    Cheetah is a keylogger and info stealer first seen in March 2020.

    stealerkeyloggercheetahkeylogger

  • Cheetah Keylogger Payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2