cheetahkeylogger | d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de | Triage

Submit
Reports

Overview

overview

Static

static

d70b1d7ebf...de.exe

windows7_x64

d70b1d7ebf...de.exe

windows10-2004_x64

Sharing

General

Target

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de
Size

347KB
Sample

220521-n2c25shfbp
MD5

0b7b2acd93a784e3af07bd3acaec2e97
SHA1

069c15a1913cd506ffc306a14075e7dd28a3d122
SHA256

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de
SHA512

aecdfc30af77e6500c0fc5951a5bb0d476d7e932e77b3303044b26a99e6d0b328db72623e076174d6a6d56dfe792ef43d71e145d73500fc39842ef0e061e9807

Score

10^/10

cheetahkeylogger agilenet collection keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe

Resource

win7-20220414-en

cheetahkeylogger agilenet collection keylogger stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.baconplumbing.co.za
Port:
587
Username:
[email protected]
Password:
Andrew@1652

Targets

- Target
  
  d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de
- Size
  
  347KB
- MD5
  
  0b7b2acd93a784e3af07bd3acaec2e97
- SHA1
  
  069c15a1913cd506ffc306a14075e7dd28a3d122
- SHA256
  
  d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de
- SHA512
  
  aecdfc30af77e6500c0fc5951a5bb0d476d7e932e77b3303044b26a99e6d0b328db72623e076174d6a6d56dfe792ef43d71e145d73500fc39842ef0e061e9807
Score

10^/10

cheetahkeylogger agilenet collection keylogger stealer
- Cheetah Keylogger
  Cheetah is a keylogger and info stealer first seen in March 2020.
  stealer keylogger cheetahkeylogger
- Cheetah Keylogger Payload
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cheetahkeyloggeragilenetcollectionkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy