kutaki | 84e3f0c265ad68515c39ce4eb91e19a2edf1307feb67300673b1945159eae024

Analysis

max time kernel
100s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/09/2022, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IncomeTax_Challan_Receipt.exe
Size

656KB
MD5

7e2f0c09b110bbe733f16ae53896b39a
SHA1

6892e6a98ce3291fc9c81976b9cea12853b01c23
SHA256

84e3f0c265ad68515c39ce4eb91e19a2edf1307feb67300673b1945159eae024
SHA512

55dab9dc9b4532988260d3af609b258ffd54f5e4a6149da2f61afe0688938c2b687fc0f53ed70175e1cf22365ce469a1a42e31f6991c7d655cde1ea913056ff8
SSDEEP

12288:N7k+QuuMas9dpZHV10DSpbgJ2y+OC1HwJ5tChW4kZdnNrv750i46A9jmP/uhu/yc:5QkxZHV10DFikZdnNafmP/UDMS08Cknk

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newloshree.xyz/work/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000054a8-58.dat	family_kutaki
behavioral1/files/0x000c0000000054a8-59.dat	family_kutaki
behavioral1/files/0x000c0000000054a8-61.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
2036	gxqvbtch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe	IncomeTax_Challan_Receipt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe	IncomeTax_Challan_Receipt.exe

Loads dropped DLL 2 IoCs

pid	Process
1504	IncomeTax_Challan_Receipt.exe
1504	IncomeTax_Challan_Receipt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1504	IncomeTax_Challan_Receipt.exe
1504	IncomeTax_Challan_Receipt.exe
1504	IncomeTax_Challan_Receipt.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe
2036	gxqvbtch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1732	1504	IncomeTax_Challan_Receipt.exe	29
PID 1504 wrote to memory of 1732	1504	IncomeTax_Challan_Receipt.exe	29
PID 1504 wrote to memory of 1732	1504	IncomeTax_Challan_Receipt.exe	29
PID 1504 wrote to memory of 1732	1504	IncomeTax_Challan_Receipt.exe	29
PID 1504 wrote to memory of 2036	1504	IncomeTax_Challan_Receipt.exe	31
PID 1504 wrote to memory of 2036	1504	IncomeTax_Challan_Receipt.exe	31
PID 1504 wrote to memory of 2036	1504	IncomeTax_Challan_Receipt.exe	31
PID 1504 wrote to memory of 2036	1504	IncomeTax_Challan_Receipt.exe	31

C:\Users\Admin\AppData\Local\Temp\IncomeTax_Challan_Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\IncomeTax_Challan_Receipt.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe

Filesize
656KB

MD5
7e2f0c09b110bbe733f16ae53896b39a

SHA1
6892e6a98ce3291fc9c81976b9cea12853b01c23

SHA256
84e3f0c265ad68515c39ce4eb91e19a2edf1307feb67300673b1945159eae024

SHA512
55dab9dc9b4532988260d3af609b258ffd54f5e4a6149da2f61afe0688938c2b687fc0f53ed70175e1cf22365ce469a1a42e31f6991c7d655cde1ea913056ff8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe

Filesize
656KB

MD5
7e2f0c09b110bbe733f16ae53896b39a

SHA1
6892e6a98ce3291fc9c81976b9cea12853b01c23

SHA256
84e3f0c265ad68515c39ce4eb91e19a2edf1307feb67300673b1945159eae024

SHA512
55dab9dc9b4532988260d3af609b258ffd54f5e4a6149da2f61afe0688938c2b687fc0f53ed70175e1cf22365ce469a1a42e31f6991c7d655cde1ea913056ff8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxqvbtch.exe

Filesize
656KB

MD5
7e2f0c09b110bbe733f16ae53896b39a

SHA1
6892e6a98ce3291fc9c81976b9cea12853b01c23

SHA256
84e3f0c265ad68515c39ce4eb91e19a2edf1307feb67300673b1945159eae024

SHA512
55dab9dc9b4532988260d3af609b258ffd54f5e4a6149da2f61afe0688938c2b687fc0f53ed70175e1cf22365ce469a1a42e31f6991c7d655cde1ea913056ff8

Download Submit
memory/1504-56-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download