kutaki | e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e

Resubmissions

11-07-2022 13:08

220711-qdebeahcgm 10

11-07-2022 03:42

220711-d9b5psgga9 10

Analysis

max time kernel
129s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-07-2022 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E-bill.exe
Size

968KB
MD5

e8f5b21f536286d5fb65297300f4b11f
SHA1

c21a5f1668385d581d5ddebdd9907be4c961383a
SHA256

e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e
SHA512

21d16e637bdb9849656f949e46b6f37ad1b3f5338555f514804467a30b75c4f6e574ac6058b7d1ec8235c57aa16b190acb532f3905cb2bbbb9f1ad6c4362df7b

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe	family_kutaki

Executes dropped EXE 1 IoCs

Processes:

zwkafzch.exe

pid process

4528 zwkafzch.exe

pid	process
4528	zwkafzch.exe

Drops startup file 2 IoCs

Processes:

E-bill.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe	E-bill.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe	E-bill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

E-bill.exezwkafzch.exe

pid process

616 E-bill.exe
616 E-bill.exe
616 E-bill.exe
4528 zwkafzch.exe
4528 zwkafzch.exe
4528 zwkafzch.exe

pid	process
616	E-bill.exe
616	E-bill.exe
616	E-bill.exe
4528	zwkafzch.exe
4528	zwkafzch.exe
4528	zwkafzch.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

E-bill.exe

description	pid	process	target process
PID 616 wrote to memory of 1444	616	E-bill.exe	cmd.exe
PID 616 wrote to memory of 1444	616	E-bill.exe	cmd.exe
PID 616 wrote to memory of 1444	616	E-bill.exe	cmd.exe
PID 616 wrote to memory of 4528	616	E-bill.exe	zwkafzch.exe
PID 616 wrote to memory of 4528	616	E-bill.exe	zwkafzch.exe
PID 616 wrote to memory of 4528	616	E-bill.exe	zwkafzch.exe

C:\Users\Admin\AppData\Local\Temp\E-bill.exe
"C:\Users\Admin\AppData\Local\Temp\E-bill.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1444

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe
Filesize
968KB

MD5
e8f5b21f536286d5fb65297300f4b11f

SHA1
c21a5f1668385d581d5ddebdd9907be4c961383a

SHA256
e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e

SHA512
21d16e637bdb9849656f949e46b6f37ad1b3f5338555f514804467a30b75c4f6e574ac6058b7d1ec8235c57aa16b190acb532f3905cb2bbbb9f1ad6c4362df7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwkafzch.exe
Filesize
968KB

MD5
e8f5b21f536286d5fb65297300f4b11f

SHA1
c21a5f1668385d581d5ddebdd9907be4c961383a

SHA256
e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e

SHA512
21d16e637bdb9849656f949e46b6f37ad1b3f5338555f514804467a30b75c4f6e574ac6058b7d1ec8235c57aa16b190acb532f3905cb2bbbb9f1ad6c4362df7b

Download Submit
memory/1444-132-0x0000000000000000-mapping.dmp

Download
memory/4528-133-0x0000000000000000-mapping.dmp

Download