kutaki | c056c58e3d32716447e27dbe38e784b685203dededddf1253ba4051d0a7a174a

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 00:46

Target

c673b09e0527528bbd30c5d03b7af463.exe
Size

812KB
MD5

fad8c7f1f023b519a8bc97f44c845f1b
SHA1

e305349bd0dda9732aaab10499153d6e80ce11bc
SHA256

c056c58e3d32716447e27dbe38e784b685203dededddf1253ba4051d0a7a174a
SHA512

ff1a302e99ad89f01c805517085fd76291ee594edc0e9e9c3980cd47dbf1c2429016b11df3b7621eb96da914809b2bb47e5291ec3cd2894f43ff116f9ce39fb3
SSDEEP

12288:jw/h2mDPAtjj4cv6aiUoIxbU546A9jmP/uhu/yMS08CkntxYRK:EPmjj4cZfmP/UDMS08Ckn3n

Score

10^/10

Family

kutaki

http://newloshree.xyz/work/son.php

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001daff-136.dat	family_kutaki
behavioral2/files/0x000500000001daff-137.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1188	oolsupch.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe	c673b09e0527528bbd30c5d03b7af463.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe	c673b09e0527528bbd30c5d03b7af463.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4932	1280	c673b09e0527528bbd30c5d03b7af463.exe	83
PID 1280 wrote to memory of 4932	1280	c673b09e0527528bbd30c5d03b7af463.exe	83
PID 1280 wrote to memory of 4932	1280	c673b09e0527528bbd30c5d03b7af463.exe	83
PID 1280 wrote to memory of 1188	1280	c673b09e0527528bbd30c5d03b7af463.exe	87
PID 1280 wrote to memory of 1188	1280	c673b09e0527528bbd30c5d03b7af463.exe	87
PID 1280 wrote to memory of 1188	1280	c673b09e0527528bbd30c5d03b7af463.exe	87

C:\Users\Admin\AppData\Local\Temp\c673b09e0527528bbd30c5d03b7af463.exe
"C:\Users\Admin\AppData\Local\Temp\c673b09e0527528bbd30c5d03b7af463.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe

Filesize
812KB

MD5
fad8c7f1f023b519a8bc97f44c845f1b

SHA1
e305349bd0dda9732aaab10499153d6e80ce11bc

SHA256
c056c58e3d32716447e27dbe38e784b685203dededddf1253ba4051d0a7a174a

SHA512
ff1a302e99ad89f01c805517085fd76291ee594edc0e9e9c3980cd47dbf1c2429016b11df3b7621eb96da914809b2bb47e5291ec3cd2894f43ff116f9ce39fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oolsupch.exe

Filesize
812KB

MD5
fad8c7f1f023b519a8bc97f44c845f1b

SHA1
e305349bd0dda9732aaab10499153d6e80ce11bc

SHA256
c056c58e3d32716447e27dbe38e784b685203dededddf1253ba4051d0a7a174a

SHA512
ff1a302e99ad89f01c805517085fd76291ee594edc0e9e9c3980cd47dbf1c2429016b11df3b7621eb96da914809b2bb47e5291ec3cd2894f43ff116f9ce39fb3

Download Submit