kutaki | b47dc07388cf0646f0cc080abaebd9e357b188f2f4b8d6de0c7a3e67b989a718

Analysis

max time kernel
96s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09/09/2022, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Income_Tax_Receipt.exe
Size

656KB
MD5

d039b5c37d260eda505b03f97b963b3a
SHA1

f7d4b2a09d147cc05d63f8ae20f6e72ad0912bbb
SHA256

8f541e14c1eae40515b2abc8bb11aa584cd754f668eec02f6a2bf7974d686357
SHA512

935c665290617855d4a60ba6b2a458a4d3cc086893df8549101fd04f704d00b57c4460981c20fb6a701ae73a776dddf7f2823d0a466590bbcb68298e1500e9d7
SSDEEP

12288:j7k+QuuMas9dpZHV10DSpbgJ2y+OC1HwJ5tChW4kZdnNrv750F46A9jmP/uhu/y8:vQkxZHV10DFikZdnNxfmP/UDMS08Ckn0

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newloshree.xyz/work/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b2d2-58.dat	family_kutaki
behavioral1/files/0x000500000000b2d2-61.dat	family_kutaki
behavioral1/files/0x000500000000b2d2-59.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1532	ziuqqech.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe	Income_Tax_Receipt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe	Income_Tax_Receipt.exe

Loads dropped DLL 2 IoCs

pid	Process
832	Income_Tax_Receipt.exe
832	Income_Tax_Receipt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
832	Income_Tax_Receipt.exe
832	Income_Tax_Receipt.exe
832	Income_Tax_Receipt.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe
1532	ziuqqech.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 276	832	Income_Tax_Receipt.exe	29
PID 832 wrote to memory of 276	832	Income_Tax_Receipt.exe	29
PID 832 wrote to memory of 276	832	Income_Tax_Receipt.exe	29
PID 832 wrote to memory of 276	832	Income_Tax_Receipt.exe	29
PID 832 wrote to memory of 1532	832	Income_Tax_Receipt.exe	31
PID 832 wrote to memory of 1532	832	Income_Tax_Receipt.exe	31
PID 832 wrote to memory of 1532	832	Income_Tax_Receipt.exe	31
PID 832 wrote to memory of 1532	832	Income_Tax_Receipt.exe	31

C:\Users\Admin\AppData\Local\Temp\Income_Tax_Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Income_Tax_Receipt.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe

Filesize
656KB

MD5
d039b5c37d260eda505b03f97b963b3a

SHA1
f7d4b2a09d147cc05d63f8ae20f6e72ad0912bbb

SHA256
8f541e14c1eae40515b2abc8bb11aa584cd754f668eec02f6a2bf7974d686357

SHA512
935c665290617855d4a60ba6b2a458a4d3cc086893df8549101fd04f704d00b57c4460981c20fb6a701ae73a776dddf7f2823d0a466590bbcb68298e1500e9d7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe

Filesize
656KB

MD5
d039b5c37d260eda505b03f97b963b3a

SHA1
f7d4b2a09d147cc05d63f8ae20f6e72ad0912bbb

SHA256
8f541e14c1eae40515b2abc8bb11aa584cd754f668eec02f6a2bf7974d686357

SHA512
935c665290617855d4a60ba6b2a458a4d3cc086893df8549101fd04f704d00b57c4460981c20fb6a701ae73a776dddf7f2823d0a466590bbcb68298e1500e9d7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ziuqqech.exe

Filesize
656KB

MD5
d039b5c37d260eda505b03f97b963b3a

SHA1
f7d4b2a09d147cc05d63f8ae20f6e72ad0912bbb

SHA256
8f541e14c1eae40515b2abc8bb11aa584cd754f668eec02f6a2bf7974d686357

SHA512
935c665290617855d4a60ba6b2a458a4d3cc086893df8549101fd04f704d00b57c4460981c20fb6a701ae73a776dddf7f2823d0a466590bbcb68298e1500e9d7

Download Submit
memory/832-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download