kutaki | 1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7

General

Target

New Order.scr
Size

632KB
MD5

5cd9d49f5cad5e0910e90ce8183b4366
SHA1

c457eb69ef65e0c02c330f5f2fb0e6e47b8d6a7b
SHA256

1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7
SHA512

87a5aff468b8243e4d542dc6fd639bcf4c3e5b54b9d17c27b4605c9fdafb045a078653d049c96ef3bbfcfdf7feef7f58033da85be98d76c621c3fe5ab13cf65d

Score

10^/10

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe	family_kutaki
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe	family_kutaki

Executes dropped EXE 1 IoCs

Processes:

mwdfdwch.exe

pid process

1680 mwdfdwch.exe

pid	process
1680	mwdfdwch.exe

Drops startup file 2 IoCs

Processes:

New Order.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe	New Order.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe	New Order.scr

Loads dropped DLL 2 IoCs

Processes:

New Order.scr

pid process

112 New Order.scr
112 New Order.scr

Suspicious use of SetWindowsHookEx 1052 IoCs

Processes:

New Order.scrmwdfdwch.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

New Order.scr

description	pid	process	target process
PID 112 wrote to memory of 1072	112	New Order.scr	cmd.exe
PID 112 wrote to memory of 1072	112	New Order.scr	cmd.exe
PID 112 wrote to memory of 1072	112	New Order.scr	cmd.exe
PID 112 wrote to memory of 1072	112	New Order.scr	cmd.exe
PID 112 wrote to memory of 1680	112	New Order.scr	mwdfdwch.exe
PID 112 wrote to memory of 1680	112	New Order.scr	mwdfdwch.exe
PID 112 wrote to memory of 1680	112	New Order.scr	mwdfdwch.exe
PID 112 wrote to memory of 1680	112	New Order.scr	mwdfdwch.exe

C:\Users\Admin\AppData\Local\Temp\New Order.scr
"C:\Users\Admin\AppData\Local\Temp\New Order.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mwdfdwch.exe

Download Submit
memory/1072-2-0x0000000000000000-mapping.dmp

Download
memory/1680-5-0x0000000000000000-mapping.dmp

Download