kutaki | 40418497967b8c7c4d92587f9f34854f1eef670cb95a0908f066d81a7bcc3d96

General

Target

TDS Challan.exe
Size

755KB
MD5

645be265d5378cdfdda8a059a228b9a2
SHA1

2d7816de252f0881583fce21ccd4ef2e9bfe1dff
SHA256

a09fd5ecf91fcdc892b38fb7fb356a972134863f8b639f307d01d688d2e3c050
SHA512

55ccb2dfdf6776550bda7b476bdaac6ba6dac2d97f215d57b0e164544befbabb8732006cc1d8920452553f38dc453f497266d12d184bee79bb2ce3f5c7702f7a

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e46d-134.dat	family_kutaki
behavioral2/files/0x000400000001e46d-135.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
2764	hyuder.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	TDS Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe	TDS Challan.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hyuder.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hyuder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4116	TDS Challan.exe
4116	TDS Challan.exe
4116	TDS Challan.exe
2764	hyuder.exe
2764	hyuder.exe
2764	hyuder.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 5108	4116	TDS Challan.exe	81
PID 4116 wrote to memory of 5108	4116	TDS Challan.exe	81
PID 4116 wrote to memory of 5108	4116	TDS Challan.exe	81
PID 4116 wrote to memory of 2764	4116	TDS Challan.exe	90
PID 4116 wrote to memory of 2764	4116	TDS Challan.exe	90
PID 4116 wrote to memory of 2764	4116	TDS Challan.exe	90

C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe
"C:\Users\Admin\AppData\Local\Temp\TDS Challan.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
755KB

MD5
645be265d5378cdfdda8a059a228b9a2

SHA1
2d7816de252f0881583fce21ccd4ef2e9bfe1dff

SHA256
a09fd5ecf91fcdc892b38fb7fb356a972134863f8b639f307d01d688d2e3c050

SHA512
55ccb2dfdf6776550bda7b476bdaac6ba6dac2d97f215d57b0e164544befbabb8732006cc1d8920452553f38dc453f497266d12d184bee79bb2ce3f5c7702f7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe

Filesize
755KB

MD5
645be265d5378cdfdda8a059a228b9a2

SHA1
2d7816de252f0881583fce21ccd4ef2e9bfe1dff

SHA256
a09fd5ecf91fcdc892b38fb7fb356a972134863f8b639f307d01d688d2e3c050

SHA512
55ccb2dfdf6776550bda7b476bdaac6ba6dac2d97f215d57b0e164544befbabb8732006cc1d8920452553f38dc453f497266d12d184bee79bb2ce3f5c7702f7a

Download Submit

Analysis

Sharing