General

  • Target

    771750971a05a00827d90831fd751117160cfb014f8171c9999b13631439deff

  • Size

    255KB

  • Sample

    220521-c72f5saccj

  • MD5

    cace0eb388a12a4c353a36057f401109

  • SHA1

    025fb514ecab7ec0106d56a4d129db2feb47c2f3

  • SHA256

    771750971a05a00827d90831fd751117160cfb014f8171c9999b13631439deff

  • SHA512

    c7fde954bc98d3c2523dc1e5017b85c501d2bbc2c91123e40ddb698c6cd0d775889ee3f07caabb695db6407771c2c5f35a9932649e965c7d6645d33ccce467fc
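Hunting for these files on other hosts by hash, as an added example that is not part of the sandbox report: the script below walks a directory tree, computes all four digests the report lists (MD5, SHA1, SHA256, SHA512) in a single pass per file, and reports any file that matches the submitted sample above or the dropped Purchase Order.exe listed under Targets. The hash values are copied from this page; the directory to scan, the chunk size and the output format are the example's own choices.

```python
import hashlib
from pathlib import Path

# Hashes copied from this report: the submitted sample (255KB) and the
# dropped "Purchase Order.exe" (399KB). Stored lower-case; matching is
# case-insensitive so values pasted from other tools still compare equal.
IOC_HASHES = {
    "md5": {
        "cace0eb388a12a4c353a36057f401109",
        "ab969727c2995cb6f638497bf4c78624",
    },
    "sha1": {
        "025fb514ecab7ec0106d56a4d129db2feb47c2f3",
        "5fd9403239d12729020514292af459294a7db885",
    },
    "sha256": {
        "771750971a05a00827d90831fd751117160cfb014f8171c9999b13631439deff",
        "0126bb5bedfa1d8a433bfa4bf885c9a86d0d98630254c7293d70e766f372432e",
    },
    "sha512": {
        "c7fde954bc98d3c2523dc1e5017b85c501d2bbc2c91123e40ddb698c6cd0d775889ee3f07caabb695db6407771c2c5f35a9932649e965c7d6645d33ccce467fc",
        "f969bc469981180dc8bad174bc87f86d83f22f20426b4997f8c93d203f434f8a5d273044711a50830a345b81ae24bd876a605322204e3c7214f183a555cd60ed",
    },
}

CHUNK_SIZE = 1 << 20  # assumption: read 1 MiB at a time so large files stay out of RAM


def _new_hashers():
    # One hasher per algorithm in the IOC table, all fed from the same read loop.
    return {algo: hashlib.new(algo) for algo in IOC_HASHES}


def digest_bytes(data):
    """Return {algo: hexdigest} for an in-memory blob (handy for tests)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_file(path):
    """Return {algo: hexdigest} for a file, reading it exactly once in chunks."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the sorted list of algorithms under which `digests` hits an IOC."""
    matched = []
    for algo, hexdigest in digests.items():
        known = {value.lower() for value in iocs.get(algo, ())}
        if hexdigest.lower() in known:
            matched.append(algo)
    return sorted(matched)


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return one record per file that matches any IOC hash."""
    root = Path(root)
    if not root.is_dir():
        return []
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = digest_file(path)
        except OSError:
            continue  # unreadable or removed while scanning; skip rather than abort
        matched = match_iocs(digests, iocs)
        if matched:
            hits.append({"path": str(path), "matched": matched, "sha256": digests["sha256"]})
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["sha256"], ",".join(hit["matched"]), hit["path"])
```

A genuine copy of either file matches under all four algorithms; a file that matches on MD5 alone is worth a look (MD5 collisions are practical) but is not the same file until the SHA256 agrees.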

Malware Config

Targets

    • Target

      Purchase Order.exe

    • Size

      399KB

    • MD5

      ab969727c2995cb6f638497bf4c78624

    • SHA1

      5fd9403239d12729020514292af459294a7db885

    • SHA256

      0126bb5bedfa1d8a433bfa4bf885c9a86d0d98630254c7293d70e766f372432e

    • SHA512

      f969bc469981180dc8bad174bc87f86d83f22f20426b4997f8c93d203f434f8a5d273044711a50830a345b81ae24bd876a605322204e3c7214f183a555cd60ed

    • Cheetah Keylogger

      Cheetah is a keylogger and info stealer first seen in March 2020.

    • Cheetah Keylogger Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
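Turning two of the behaviours above (the external IP lookup and the Outlook profile access) into host-side detection logic, as an added example that is not part of the sandbox report: the script below tags DNS and registry events that match either behaviour and then scores each process, on the reasoning that a single rule is weak evidence (Outlook itself touches its profile keys; plenty of legitimate software asks a public service for its IP) while one process doing both looks like a stealer. The event schema is an assumption modelled loosely on Sysmon event 22 for DNS; Sysmon does not log registry reads, so the registry events assume an EDR feed that records them. The report says the sample uses "a legitimate IP lookup service" without naming it, so the domain list is the example's own starting point, and the ATT&CK technique IDs are the example's own mapping. All sample events are constructed.

```python
import re
from collections import defaultdict

# Assumption: well-known public "what is my IP" services. The report does not
# name which one this sample used, so extend this from your own DNS/proxy data.
IP_LOOKUP_DOMAINS = frozenset({
    "api.ipify.org", "checkip.dyndns.org", "checkip.amazonaws.com",
    "ifconfig.me", "icanhazip.com", "ip-api.com", "ipinfo.io",
})

# Registry paths holding Outlook profiles: the per-version key used by
# Outlook 2013 and later, and the legacy Windows Messaging Subsystem key.
OUTLOOK_PROFILES_RE = re.compile(
    r"\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook\\Profiles"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles)",
    re.IGNORECASE,
)


def is_ip_lookup_domain(name):
    """True if `name` is one of the lookup services or a subdomain of one."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def is_outlook_profile_key(key):
    return OUTLOOK_PROFILES_RE.search(key) is not None


def triage_events(events):
    """Return one hit per event that matches a behaviour from the report.

    Assumed event schema (constructed for this example):
      {"kind": "dns", "pid": int, "image": str, "query": str}
      {"kind": "registry", "pid": int, "image": str, "key": str}
    """
    hits = []
    for ev in events:
        if ev["kind"] == "dns" and is_ip_lookup_domain(ev["query"]):
            hits.append({"pid": ev["pid"], "image": ev["image"],
                         "rule": "external_ip_lookup", "technique": "T1016",
                         "detail": ev["query"]})
        elif ev["kind"] == "registry" and is_outlook_profile_key(ev["key"]):
            hits.append({"pid": ev["pid"], "image": ev["image"],
                         "rule": "outlook_profile_access", "technique": "T1114",
                         "detail": ev["key"]})
    return hits


def score_processes(hits):
    """Group hits per (pid, image); two distinct rules on one process is the
    stealer-like pattern, one rule alone is only a weak signal."""
    rules = defaultdict(set)
    for h in hits:
        rules[(h["pid"], h["image"])].add(h["rule"])
    return {
        proc: {"rules": sorted(r), "verdict": "stealer-like" if len(r) >= 2 else "weak"}
        for proc, r in rules.items()
    }


# Constructed events, not taken from the sandbox run: one process does both
# things, Explorer does a harmless lookup, Outlook reads its own profiles.
PO_IMAGE = r"C:\Users\user\Downloads\Purchase Order.exe"
OUTLOOK_IMAGE = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"kind": "dns", "pid": 4120, "image": PO_IMAGE, "query": "api.ipify.org"},
    {"kind": "registry", "pid": 4120, "image": PO_IMAGE,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"},
    {"kind": "dns", "pid": 1880, "image": r"C:\Windows\explorer.exe", "query": "www.msftconnecttest.com"},
    {"kind": "registry", "pid": 6032, "image": OUTLOOK_IMAGE,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
]

if __name__ == "__main__":
    for proc, result in score_processes(triage_events(SAMPLE_EVENTS)).items():
        print(proc[0], result["verdict"], result["rules"], proc[1])
```

The per-process scoring is the part worth keeping: either rule on its own will page an analyst for Outlook or for a speed-test utility, while the combination, especially from an executable in a Downloads directory, is the pattern the report describes.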

MITRE ATT&CK Enterprise v6

Tasks