cheetahkeylogger | 2442bbf11c74033e6d36792c671a7f0755912611e1a8a1feb089218fb4605bff

General

Target

2442bbf11c74033e6d36792c671a7f0755912611e1a8a1feb089218fb4605bff
Size

173KB
Sample

220521-dvrxlsgdb5
MD5

3a7c35fe38ceeaecd71d2a1224ea2589
SHA1

49effcb684535fbffb8c2c453a94fbf34aabe62a
SHA256

2442bbf11c74033e6d36792c671a7f0755912611e1a8a1feb089218fb4605bff
SHA512

3390f7c88b6427dddd60d836bc8c24b25227c28784e19c37f422db36503422b23b57cee1dbedbf4dc45b470c96b9137285c76b261c1a86e7e18a4d7cfa21566d

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.aviner.co.za
Port:
587
Username:
[email protected]
Password:
NoLimits@

Targets

- Target
  
  Purchase Order.exe
- Size
  
  282KB
- MD5
  
  b861f4c2cd486258a79a2078c58885e8
- SHA1
  
  a52c73cecef8c37bcaf95aeeb456580544a6e27c
- SHA256
  
  e0dd9126e9038ec946d016833bad57afb1d3eb06e453ec8a0bdd60661e6a3da2
- SHA512
  
  2d51a0096e6c99209bbd020f8523143c1651567296e3123cc4650e9809dc5c5f560fa8b1848d18cd240a53f5ae9fcfbf11bca98eb04d2a678f6d45c682d36371
Score

10^/10

cheetahkeylogger collection keylogger spyware stealer
- Cheetah Keylogger
  Cheetah is a keylogger and info stealer first seen in March 2020.
  stealer keylogger cheetahkeylogger
- Cheetah Keylogger Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Cheetah Keylogger

Cheetah Keylogger Payload

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2