Malware Analysis Report

2024-11-13 14:55

Sample ID 220712-gndyysdhak
Target 4c8403e48c8fc0203b2472ec3e0d32445528e2081e07a5ae5ccedc8cf6fa1172
SHA256 4c8403e48c8fc0203b2472ec3e0d32445528e2081e07a5ae5ccedc8cf6fa1172
Tags
kutaki keylogger stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4c8403e48c8fc0203b2472ec3e0d32445528e2081e07a5ae5ccedc8cf6fa1172

Threat Level: Known bad

The file 4c8403e48c8fc0203b2472ec3e0d32445528e2081e07a5ae5ccedc8cf6fa1172 was found to be: Known bad.

Malicious Activity Summary

kutaki keylogger stealer

Kutaki family

Kutaki Executable

Kutaki

Executes dropped EXE

Drops startup file

Loads dropped DLL

Maps connected drives based on registry

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-12 05:56

Signatures

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kutaki family

kutaki

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 05:56

Reported

2022-07-12 08:08

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe

"C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"

Network

Country | Destination | Domain | Proto
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
IE | 13.69.239.72:443 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
FR | 2.16.119.157:443 | | tcp

Files

memory/2200-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

memory/4884-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 05:56

Reported

2022-07-12 08:08

Platform

win7-20220414-en

Max time kernel

150s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe"

Signatures

Kutaki

stealer keylogger kutaki

Kutaki Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe

"C:\Users\Admin\AppData\Local\Temp\TDS Payment Challan.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"

Network

N/A

Files

memory/848-56-0x0000000075951000-0x0000000075953000-memory.dmp

memory/1904-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283

memory/1352-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe

MD5 62aea7e47f647f9d6d2cdacb15e4b163
SHA1 884550e92ac4ad9c24f3473d889b9247775f5ee5
SHA256 73a3c2d670bc63cd77c0ccbfd6fc92972531897317c630f26f02ad58dbbf0af3
SHA512 59cdbc399225f2bf6fb3f56cfaa4c3705a0a5f23ae7d59ccf14467c19adc6ef5694fa91afae80ebeedd44ac3974923b6d8c616d87cc55a0d2fd8e2310108c283