cheetahkeylogger | d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de

General

Target

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
Size

347KB
MD5

0b7b2acd93a784e3af07bd3acaec2e97
SHA1

069c15a1913cd506ffc306a14075e7dd28a3d122
SHA256

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de
SHA512

aecdfc30af77e6500c0fc5951a5bb0d476d7e932e77b3303044b26a99e6d0b328db72623e076174d6a6d56dfe792ef43d71e145d73500fc39842ef0e061e9807

Score

10^/10

cheetahkeylogger agilenet collection keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.baconplumbing.co.za
Port:
587
Username:
[email protected]
Password:
Andrew@1652

Signatures

Cheetah Keylogger
Cheetah is a keylogger and info stealer first seen in March 2020.
stealer keylogger cheetahkeylogger

Cheetah Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-67-0x0000000000430000-0x0000000000466000-memory.dmp	family_cheetahkeylogger

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1904-55-0x00000000003C0000-0x00000000003D8000-memory.dmp	agile_net

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ifconfig.me

flow	ioc
4	ifconfig.me

Suspicious use of SetThreadContext 1 IoCs

Processes:

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe

description	pid	process	target process
PID 1904 set thread context of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exeInstallUtil.exe

pid	process
1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
1844	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
Token: SeDebugPrivilege	1844	InstallUtil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe

description	pid	process	target process
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe
PID 1904 wrote to memory of 1844	1904	d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe
"C:\Users\Admin\AppData\Local\Temp\d70b1d7ebfde15715b3e63d8b4cf75c9025de1e3744d83c78278d7e939d459de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-62-0x000000000041FE6E-mapping.dmp

Download
memory/1844-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-67-0x0000000000430000-0x0000000000466000-memory.dmp

Filesize
216KB

Download
memory/1904-54-0x00000000011B0000-0x000000000120E000-memory.dmp

Filesize
376KB

Download
memory/1904-55-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1904-56-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads