Malware Analysis Report

2024-11-30 18:47

Sample ID 220521-b1yagacgh3
Target 7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a
SHA256 7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a
Tags
cheetahkeylogger collection keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a

Threat Level: Known bad

The file 7303654c2cc6af60f1d7033505de273c4291f65a04d252732e9a3abb2684404a was found to be: Known bad.

Malicious Activity Summary

cheetahkeylogger collection keylogger stealer

Cheetah Keylogger Payload

Cheetah Keylogger

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:37

Reported

2022-05-21 02:30

Platform

win7-20220414-en

Max time kernel

98s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

Signatures

Cheetah Keylogger

stealer keylogger cheetahkeylogger

Cheetah Keylogger Payload

Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1600 set thread context of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1600 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ifconfig.me udp
US 34.117.59.81:80 ifconfig.me tcp
US 8.8.8.8:53 mail.aviner.co.za udp
ZA 102.130.117.53:587 mail.aviner.co.za tcp

Files

memory/1600-54-0x00000000011B0000-0x000000000121C000-memory.dmp

memory/1600-55-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/1600-56-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

memory/1600-57-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/1600-58-0x0000000000600000-0x0000000000608000-memory.dmp

memory/1600-59-0x0000000000650000-0x000000000065A000-memory.dmp

memory/1772-60-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-61-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-63-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-65-0x000000000041FEBE-mapping.dmp

memory/1772-66-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-67-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-70-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-72-0x00000000000F0000-0x0000000000112000-memory.dmp

memory/1772-73-0x0000000000510000-0x0000000000546000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:37

Reported

2022-05-21 02:31

Platform

win10v2004-20220414-en

Max time kernel

154s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

Signatures

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2832 set thread context of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 52.178.17.2:443 tcp
IE 20.54.89.106:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 ifconfig.me udp
US 34.117.59.81:80 ifconfig.me tcp
US 8.8.8.8:53 mail.aviner.co.za udp
ZA 102.130.117.53:587 mail.aviner.co.za tcp

Files

memory/2832-130-0x0000000000290000-0x00000000002FC000-memory.dmp

memory/2832-131-0x0000000005A80000-0x0000000006024000-memory.dmp

memory/2832-132-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/2832-133-0x00000000059C0000-0x0000000005A04000-memory.dmp

memory/2832-134-0x0000000005100000-0x0000000005122000-memory.dmp

memory/1196-135-0x0000000000000000-mapping.dmp

memory/1196-136-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1196-137-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/1196-138-0x0000000005DB0000-0x0000000005F72000-memory.dmp

memory/1196-139-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/1196-140-0x00000000061E0000-0x00000000061EA000-memory.dmp