kutaki | 1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7

Analysis

Target

New Order.scr
Size

632KB
MD5

5cd9d49f5cad5e0910e90ce8183b4366
SHA1

c457eb69ef65e0c02c330f5f2fb0e6e47b8d6a7b
SHA256

1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7
SHA512

87a5aff468b8243e4d542dc6fd639bcf4c3e5b54b9d17c27b4605c9fdafb045a078653d049c96ef3bbfcfdf7feef7f58033da85be98d76c621c3fe5ab13cf65d

Score

10^/10

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe	family_kutaki

Executes dropped EXE 1 IoCs

Processes:

ygmyrwch.exe

pid process

1116 ygmyrwch.exe

pid	process
1116	ygmyrwch.exe

Drops startup file 2 IoCs

Processes:

New Order.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe	New Order.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe	New Order.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

New Order.scrygmyrwch.exe

pid process

1568 New Order.scr
1568 New Order.scr
1568 New Order.scr
1116 ygmyrwch.exe
1116 ygmyrwch.exe
1116 ygmyrwch.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

New Order.scr

description	pid	process	target process
PID 1568 wrote to memory of 656	1568	New Order.scr	cmd.exe
PID 1568 wrote to memory of 656	1568	New Order.scr	cmd.exe
PID 1568 wrote to memory of 656	1568	New Order.scr	cmd.exe
PID 1568 wrote to memory of 1116	1568	New Order.scr	ygmyrwch.exe
PID 1568 wrote to memory of 1116	1568	New Order.scr	ygmyrwch.exe
PID 1568 wrote to memory of 1116	1568	New Order.scr	ygmyrwch.exe

C:\Users\Admin\AppData\Local\Temp\New Order.scr
"C:\Users\Admin\AppData\Local\Temp\New Order.scr" /S
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe

Download Submit
memory/656-2-0x0000000000000000-mapping.dmp

Download
memory/1116-3-0x0000000000000000-mapping.dmp

Download