kutaki | 35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a

General

Target

35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
Size

472KB
MD5

62dd3acc62df21dd48cb8a50222b5603
SHA1

27f9ca1e1537d58daa899a0ddd44b1f216d80384
SHA256

35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a
SHA512

9f3404f25c18af16f65183faf393ce9809db41f19a3705a54abcbc79cd604cd101ec344c3715279ecfd1b3d9890263ff0fc65710644d7aded81070345d06c627

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001dacf-135.dat	family_kutaki
behavioral2/files/0x000800000001dacf-134.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4276	fqxafxch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fqxafxch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	fqxafxch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
4276	fqxafxch.exe
4276	fqxafxch.exe
4276	fqxafxch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2992	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	79
PID 4828 wrote to memory of 2992	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	79
PID 4828 wrote to memory of 2992	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	79
PID 4828 wrote to memory of 4276	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	82
PID 4828 wrote to memory of 4276	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	82
PID 4828 wrote to memory of 4276	4828	35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe	82

C:\Users\Admin\AppData\Local\Temp\35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe
"C:\Users\Admin\AppData\Local\Temp\35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe

Filesize
472KB

MD5
62dd3acc62df21dd48cb8a50222b5603

SHA1
27f9ca1e1537d58daa899a0ddd44b1f216d80384

SHA256
35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a

SHA512
9f3404f25c18af16f65183faf393ce9809db41f19a3705a54abcbc79cd604cd101ec344c3715279ecfd1b3d9890263ff0fc65710644d7aded81070345d06c627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqxafxch.exe

Filesize
472KB

MD5
62dd3acc62df21dd48cb8a50222b5603

SHA1
27f9ca1e1537d58daa899a0ddd44b1f216d80384

SHA256
35a124707d778d78543bf3bce873defdad0934144368a9c627bfea3583afbd9a

SHA512
9f3404f25c18af16f65183faf393ce9809db41f19a3705a54abcbc79cd604cd101ec344c3715279ecfd1b3d9890263ff0fc65710644d7aded81070345d06c627

Download Submit

Analysis

Sharing