Overview

overview

10

Static

static

10

NEFT_Payment.exe

windows7-x64

10

NEFT_Payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    01/08/2022, 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEFT_Payment.exe

  • Size

    2.6MB

  • MD5

    70e966394bf9947ff01b681bab9d0f71

  • SHA1

    53946411e4e975a9ed354b16cd22041108e9f596

  • SHA256

    c7e3deb446233da1eb6c6df66913065773d510a21750a9ea675b69be46ab245a

  • SHA512

    a71a0b9b265b3c31c01305b121b386b8beb14cb6f670df4cbdad3d2fb7a3b3c508b25b48b253cba4c9aacde77e47fc32481fdc4cfc9221af83ea90ab7a6fc200

Score
10/10
kutakikeyloggerstealer

Malware Config

Extracted

Family

kutaki

C2

http://ojorobia.club/laptop/laptop.php

http://terebinnahicc.club/sec/kool.txt

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

    stealerkeyloggerkutaki
  • Kutaki Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEFT_Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\NEFT_Payment.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:1372
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwiexlch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwiexlch.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1104

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwiexlch.exe
      Filesize

      2.6MB

      MD5

      70e966394bf9947ff01b681bab9d0f71

      SHA1

      53946411e4e975a9ed354b16cd22041108e9f596

      SHA256

      c7e3deb446233da1eb6c6df66913065773d510a21750a9ea675b69be46ab245a

      SHA512

      a71a0b9b265b3c31c01305b121b386b8beb14cb6f670df4cbdad3d2fb7a3b3c508b25b48b253cba4c9aacde77e47fc32481fdc4cfc9221af83ea90ab7a6fc200

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwiexlch.exe
      Filesize

      2.6MB

      MD5

      70e966394bf9947ff01b681bab9d0f71

      SHA1

      53946411e4e975a9ed354b16cd22041108e9f596

      SHA256

      c7e3deb446233da1eb6c6df66913065773d510a21750a9ea675b69be46ab245a

      SHA512

      a71a0b9b265b3c31c01305b121b386b8beb14cb6f670df4cbdad3d2fb7a3b3c508b25b48b253cba4c9aacde77e47fc32481fdc4cfc9221af83ea90ab7a6fc200

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwiexlch.exe
      Filesize

      2.6MB

      MD5

      70e966394bf9947ff01b681bab9d0f71

      SHA1

      53946411e4e975a9ed354b16cd22041108e9f596

      SHA256

      c7e3deb446233da1eb6c6df66913065773d510a21750a9ea675b69be46ab245a

      SHA512

      a71a0b9b265b3c31c01305b121b386b8beb14cb6f670df4cbdad3d2fb7a3b3c508b25b48b253cba4c9aacde77e47fc32481fdc4cfc9221af83ea90ab7a6fc200

      Download Submit

    • memory/540-56-0x00000000758D1000-0x00000000758D3000-memory.dmp

      Filesize

      8KB

      Download