kutaki | 8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765

General

Target

8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
Size

795KB
MD5

75ee2cab545b73dc3ffb4a51c188f413
SHA1

a13d169deb59c403ece2e7a53e6413064595ac86
SHA256

8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765
SHA512

4e5d9d60df5e4a7bc4982484e99cd71bdd48c80cf8f40f8f9f7c98d15a646712fe31397f8bb1b43e247fbe785817b433ef39db4f2edcd8996c713908f62429a4

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000008527-58.dat	family_kutaki
behavioral1/files/0x0009000000008527-59.dat	family_kutaki
behavioral1/files/0x0009000000008527-61.dat	family_kutaki
behavioral1/files/0x0009000000008527-66.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1704	hyuder.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hyuder.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	hyuder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	hyuder.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
1704	hyuder.exe
1704	hyuder.exe
1704	hyuder.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1352	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	28
PID 1884 wrote to memory of 1352	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	28
PID 1884 wrote to memory of 1352	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	28
PID 1884 wrote to memory of 1352	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	28
PID 1884 wrote to memory of 1704	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	30
PID 1884 wrote to memory of 1704	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	30
PID 1884 wrote to memory of 1704	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	30
PID 1884 wrote to memory of 1704	1884	8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe	30

C:\Users\Admin\AppData\Local\Temp\8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe
"C:\Users\Admin\AppData\Local\Temp\8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
795KB

MD5
75ee2cab545b73dc3ffb4a51c188f413

SHA1
a13d169deb59c403ece2e7a53e6413064595ac86

SHA256
8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765

SHA512
4e5d9d60df5e4a7bc4982484e99cd71bdd48c80cf8f40f8f9f7c98d15a646712fe31397f8bb1b43e247fbe785817b433ef39db4f2edcd8996c713908f62429a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
795KB

MD5
75ee2cab545b73dc3ffb4a51c188f413

SHA1
a13d169deb59c403ece2e7a53e6413064595ac86

SHA256
8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765

SHA512
4e5d9d60df5e4a7bc4982484e99cd71bdd48c80cf8f40f8f9f7c98d15a646712fe31397f8bb1b43e247fbe785817b433ef39db4f2edcd8996c713908f62429a4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
795KB

MD5
75ee2cab545b73dc3ffb4a51c188f413

SHA1
a13d169deb59c403ece2e7a53e6413064595ac86

SHA256
8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765

SHA512
4e5d9d60df5e4a7bc4982484e99cd71bdd48c80cf8f40f8f9f7c98d15a646712fe31397f8bb1b43e247fbe785817b433ef39db4f2edcd8996c713908f62429a4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
795KB

MD5
75ee2cab545b73dc3ffb4a51c188f413

SHA1
a13d169deb59c403ece2e7a53e6413064595ac86

SHA256
8ea0ce7a60ddf35b65a734e87ff8e1b35c4525105fbf37ba36c1096a8e1c8765

SHA512
4e5d9d60df5e4a7bc4982484e99cd71bdd48c80cf8f40f8f9f7c98d15a646712fe31397f8bb1b43e247fbe785817b433ef39db4f2edcd8996c713908f62429a4

Download Submit
memory/1704-65-0x0000000003231000-0x00000000040DD000-memory.dmp

Filesize
14.7MB

Download
memory/1884-56-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing