Extracted

• • Target

    094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe

  • Size

    333KB

  • MD5

    ae7312cc7678c08eb133f384eb1a5a47

  • SHA1

    2039eab4bf1c35d168472fc60cec42060ad2c36a

  • SHA256

    094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a

  • SHA512

    7ed8d6d56da079b1af2d0d76d39e8b6ffce3115664b13e869f117c99346e2bd95cc450ab0c47a8575a4642bb5c254db9f33a37991ba005ea034e34b89f593424

  • SSDEEP

    3072:0AaUPmw8yjebV7Nr6JD6u8w/CpLmLyPs/H9I7D+hQI1WgnOgSguVvVvtsRQ2EqrP:ZaUPSy6VEJD6LpFPs/H2+F1l3+J2Ck6

  Score

  10^/10

  cheetahkeyloggeragilenetcollectionkeyloggerspywarestealer

  • Cheetah Keylogger

    Cheetah is a keylogger and info stealer first seen in March 2020.

    stealerkeyloggercheetahkeylogger

  • Cheetah Keylogger payload

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2