General

  • Target

    c7400c649c1c3ad7a04c518c406e7bf07208c122118e840e4a91d8c99aff2373

  • Size

    189KB

  • Sample

    220521-pfqxjsfbh6

  • MD5

    fce417943d48df84b302a287d4a32f2c

  • SHA1

    fedbfb1950089469945bb9dda25b7283ca535ce1

  • SHA256

    c7400c649c1c3ad7a04c518c406e7bf07208c122118e840e4a91d8c99aff2373

  • SHA512

    55de830f36eab636213616a74ae6ce8d1963a897b2c83bb6db15734a0401f57b36f2f0635db80b61186ed6984dfbf3cb812359355817667f3dd2a09c21ffe979

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aviner.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    NoLimits@

Targets

    • Target

      Payment confirmation.exe

    • Size

      336KB

    • MD5

      6ba0cbf90fe2345758a0dd2ca208eae5

    • SHA1

      006ce0f80d66be944de8fdf28a59c39e97bd05c1

    • SHA256

      11e4751c7596400128cc3f4cdfdf1876ac917256400d42c39e651301a536de4f

    • SHA512

      343a44ef969031862c5ceaa58b9b4e12035aa518715bd95bda34a3f376d64e6fbb3b988d11cd0b4fb0abd360b6f2a51152413b5d7fea853024c8907f05b9dafe

    • Cheetah Keylogger

      Cheetah is a keylogger and info stealer first seen in March 2020.

    • Cheetah Keylogger Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks