Overview

overview

10

Static

static

Payment co...on.exe

windows7_x64

10

Payment co...on.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f073720cea2de6afedd9ae33af93a3ea5f077034274c262d8d484e5aa68dd471

  • Size

    191KB

  • Sample

    220521-pdx8vaacgk

  • MD5

    ff1ea4bdfbbd98c86d10ca47c0381005

  • SHA1

    aa2e791bc63483a89e6d4069d508283d1a91db00

  • SHA256

    f073720cea2de6afedd9ae33af93a3ea5f077034274c262d8d484e5aa68dd471

  • SHA512

    fd306f088170094129d58966075e0384181d4883bdc15e56d549cfb33efeddaeb94c397ea2913f4fab95b5b5a160d59065da733d23f5c67916d716f45fc63501

Score
10/10
cheetahkeyloggeragilenetcollectionkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.aviner.co.za
  • Port:
    587
  • Username:
    christine@aviner.co.za
  • Password:
    NoLimits@

Targets

    • Target

      Payment confirmation.exe

    • Size

      340KB

    • MD5

      0d93e6fe85bf79804990d42976ced9e0

    • SHA1

      3d302882eceb550d7c92f042048d210fe84219e0

    • SHA256

      d6de7175146f4b7d262b23adb6b14f3193fc755e10d80353a1a3cc9a164177e8

    • SHA512

      0064a03bcca3b727f4425e32d6c12565c7defd6259f346d316d3f8610e0dc1b3c8cb7db0c7fb5b38725a4675734d40012eecc5cb1ee4cf9c219fffa5ff88ae41

    Score
    10/10
    cheetahkeyloggeragilenetcollectionkeyloggerspywarestealer

    • Cheetah Keylogger

      Cheetah is a keylogger and info stealer first seen in March 2020.

      stealerkeyloggercheetahkeylogger

    • Cheetah Keylogger Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks