kutaki | 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

General

Target

976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
Size

1.1MB
MD5

89070447b67e5906a567c61c88024e9c
SHA1

1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5
SHA256

976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA512

2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000003d4a-61.dat	family_kutaki
behavioral1/files/0x000a000000003d4a-59.dat	family_kutaki
behavioral1/files/0x000a000000003d4a-58.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1744	vevneach.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1744	vevneach.exe
1744	vevneach.exe
1744	vevneach.exe
1744	vevneach.exe
1744	vevneach.exe
1744	vevneach.exe
1744	vevneach.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1748	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	28
PID 1400 wrote to memory of 1748	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	28
PID 1400 wrote to memory of 1748	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	28
PID 1400 wrote to memory of 1748	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	28
PID 1400 wrote to memory of 1744	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	30
PID 1400 wrote to memory of 1744	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	30
PID 1400 wrote to memory of 1744	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	30
PID 1400 wrote to memory of 1744	1400	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	30

C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe

Filesize
1.1MB

MD5
89070447b67e5906a567c61c88024e9c

SHA1
1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5

SHA256
976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

SHA512
2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe

Filesize
1.1MB

MD5
89070447b67e5906a567c61c88024e9c

SHA1
1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5

SHA256
976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

SHA512
2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vevneach.exe

Filesize
1.1MB

MD5
89070447b67e5906a567c61c88024e9c

SHA1
1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5

SHA256
976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

SHA512
2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Download Submit
memory/1400-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing