kutaki | 976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

General

Target

976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
Size

1.1MB
MD5

89070447b67e5906a567c61c88024e9c
SHA1

1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5
SHA256

976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a
SHA512

2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000000731-134.dat	family_kutaki
behavioral2/files/0x0008000000000731-135.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4892	eifankch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
4892	eifankch.exe
4892	eifankch.exe
4892	eifankch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2972	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	81
PID 1292 wrote to memory of 2972	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	81
PID 1292 wrote to memory of 2972	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	81
PID 1292 wrote to memory of 4892	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	83
PID 1292 wrote to memory of 4892	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	83
PID 1292 wrote to memory of 4892	1292	976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe	83

C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe
"C:\Users\Admin\AppData\Local\Temp\976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe

Filesize
1.1MB

MD5
89070447b67e5906a567c61c88024e9c

SHA1
1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5

SHA256
976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

SHA512
2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eifankch.exe

Filesize
1.1MB

MD5
89070447b67e5906a567c61c88024e9c

SHA1
1953e631b3b7cc106d2c34dfe5d4bc95d0c458e5

SHA256
976ef2ef359ebd6fff5e206f9586d17bab0ee5e4d1bfe9334cc33a3986365f4a

SHA512
2b2c3d5306e10ea7e93e6aeaa0240d4fca5d91aa5186b49e1a7493b58efa90373f072762ab12c395b86d6153cee070e9e1f3948702a12357f983e7228ddf28a8

Download Submit

Analysis

Sharing