Analysis
-
max time kernel
39s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:35
Static task
static1
Behavioral task
behavioral1
Sample
PO2034900.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO2034900.exe
Resource
win10v2004-20220414-en
General
-
Target
PO2034900.exe
-
Size
336KB
-
MD5
fa5a44cc3ffc8fcacdf9ea7251ae2b85
-
SHA1
377db42b217e4f6f99885afe1e165c19c3b606a5
-
SHA256
7ea6bd01e613bd93a63711630128ebd9e4f51c411db7d87c62031d06d02127cb
-
SHA512
3173cfdb0a1fa4651c5c24e75cec363bc1c3c78853eb7cd83af3ac9f2935f77d7e2ee6c22e2d153553bdad567e71c50cd550f01490a1f122ddfd37ce990c1f5a
Malware Config
Extracted
Protocol: smtp- Host:
mail.sokutuattorneys.co.za - Port:
587 - Username:
admin@sokutuattorneys.co.za - Password:
Qs@9711?
Signatures
-
Cheetah Keylogger
Cheetah is a keylogger and info stealer first seen in March 2020.
-
Cheetah Keylogger Payload 1 IoCs
resource yara_rule behavioral1/memory/956-70-0x00000000001E0000-0x0000000000216000-memory.dmp family_cheetahkeylogger -
Executes dropped EXE 1 IoCs
pid Process 956 svhost.exe -
Loads dropped DLL 1 IoCs
pid Process 1276 PO2034900.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svhost.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svhost.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svhost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ifconfig.me -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1276 set thread context of 956 1276 PO2034900.exe 27 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1276 PO2034900.exe 956 svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1276 PO2034900.exe Token: SeDebugPrivilege 956 svhost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 PID 1276 wrote to memory of 956 1276 PO2034900.exe 27 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svhost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO2034900.exe"C:\Users\Admin\AppData\Local\Temp\PO2034900.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:956
-
Network
-
Remote address:8.8.8.8:53Requestifconfig.meIN AResponseifconfig.meIN A34.117.59.81
-
Remote address:34.117.59.81:80RequestGET /ip HTTP/1.1
Host: ifconfig.me
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
content-type: text/plain; charset=utf-8
content-length: 12
date: Sat, 21 May 2022 02:22:55 GMT
x-envoy-upstream-service-time: 1
strict-transport-security: max-age=300; includeSubDomains
Via: 1.1 google
-
Remote address:8.8.8.8:53Requestmail.sokutuattorneys.co.zaIN AResponsemail.sokutuattorneys.co.zaIN A197.221.2.227
-
345 B 754 B 6 5
HTTP Request
GET http://ifconfig.me/ipHTTP Response
200 -
515 B 772 B 9 9
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3