cheetahkeylogger | 358f27d29797fdd183f88b02fb2cc8f322a7ccbdb32e927fc14f22004a63b72f

General

Target

358f27d29797fdd183f88b02fb2cc8f322a7ccbdb32e927fc14f22004a63b72f
Size

143KB
Sample

220521-dqqtragbb6
MD5

d0de53b48ebea1bfc7b20c85abea4426
SHA1

afb6fd400e6cbd4a398479a1e35718a795e3c17f
SHA256

358f27d29797fdd183f88b02fb2cc8f322a7ccbdb32e927fc14f22004a63b72f
SHA512

b7f67994d3be38920bbcb84f741d2301af95521d14e218604cb3f5efbb13bbf8e80c4422a563d2855518fdd74f9e785a9db056e2bce5d61e316775544af0f303

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.aviner.co.za
Port:
587
Username:
[email protected]
Password:
NoLimits@

Targets

- Target
  
  Payment confirmation.exe
- Size
  
  316KB
- MD5
  
  09e1f9b49bb6d33d6b88518c9449fde1
- SHA1
  
  accd9fdf8c6166e8e887e3bfc92c4cf3cb91ca46
- SHA256
  
  432feb3811e7e4993eedfdea5735d5790ec0dd0a660a4940841969ffee54194c
- SHA512
  
  d13a7366975ad9ff8a61eaac76d7bf3318b3966341af91b8a7c75d31909ae98e1a8c9e83553f3ffa43a5c54eae220941c9f1dc64607ea5c5320906d5510789e1
Score

10^/10

cheetahkeylogger collection keylogger spyware stealer
- Cheetah Keylogger
  Cheetah is a keylogger and info stealer first seen in March 2020.
  stealer keylogger cheetahkeylogger
- Cheetah Keylogger Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Cheetah Keylogger

Cheetah Keylogger Payload

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2