kutaki | 91b9ab308bdf9f41bf08f6529145a5219c90917be1cca844425a04bf9ee1216e

Analysis

max time kernel
153s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INCOMETAX_CHALLAN_COPY.exe
Size

1.4MB
MD5

702bb8f393cc2dba7181b407175c2d20
SHA1

5ede8da72c0e18a528edc56c5fb254f894a1aec0
SHA256

5ab0fd363096157c4a3ae912e126b20c7d31d15887b3c0c04a90b6b4d1a2f03b
SHA512

d951434277bc2e4a761fc8ad504bafeaf8e98921d5dc011ceabe3aa3fc36ce0fd06c75d7f10703483a655c80f3ceead706c65330ca94df92c8051abb1e2143ce
SSDEEP

24576:1Sy4uqCSN5l3ksJb7tb1Fdv11KfmP/UDMS08Ckn3f:wyMlafmP/SA8NP

Score

10^/10

kutaki keylogger stealer

Malware Config

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012326-59.dat	family_kutaki
behavioral1/files/0x000a000000012326-58.dat	family_kutaki
behavioral1/files/0x000a000000012326-61.dat	family_kutaki
behavioral1/files/0x000a000000012326-66.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
960	klswxyfk.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe	INCOMETAX_CHALLAN_COPY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe	INCOMETAX_CHALLAN_COPY.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	INCOMETAX_CHALLAN_COPY.exe
1916	INCOMETAX_CHALLAN_COPY.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	klswxyfk.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1916	INCOMETAX_CHALLAN_COPY.exe
1916	INCOMETAX_CHALLAN_COPY.exe
1916	INCOMETAX_CHALLAN_COPY.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe
960	klswxyfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1236	1916	INCOMETAX_CHALLAN_COPY.exe	29
PID 1916 wrote to memory of 1236	1916	INCOMETAX_CHALLAN_COPY.exe	29
PID 1916 wrote to memory of 1236	1916	INCOMETAX_CHALLAN_COPY.exe	29
PID 1916 wrote to memory of 1236	1916	INCOMETAX_CHALLAN_COPY.exe	29
PID 1916 wrote to memory of 960	1916	INCOMETAX_CHALLAN_COPY.exe	31
PID 1916 wrote to memory of 960	1916	INCOMETAX_CHALLAN_COPY.exe	31
PID 1916 wrote to memory of 960	1916	INCOMETAX_CHALLAN_COPY.exe	31
PID 1916 wrote to memory of 960	1916	INCOMETAX_CHALLAN_COPY.exe	31

C:\Users\Admin\AppData\Local\Temp\INCOMETAX_CHALLAN_COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INCOMETAX_CHALLAN_COPY.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe

Filesize
1.4MB

MD5
702bb8f393cc2dba7181b407175c2d20

SHA1
5ede8da72c0e18a528edc56c5fb254f894a1aec0

SHA256
5ab0fd363096157c4a3ae912e126b20c7d31d15887b3c0c04a90b6b4d1a2f03b

SHA512
d951434277bc2e4a761fc8ad504bafeaf8e98921d5dc011ceabe3aa3fc36ce0fd06c75d7f10703483a655c80f3ceead706c65330ca94df92c8051abb1e2143ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe

Filesize
1.4MB

MD5
702bb8f393cc2dba7181b407175c2d20

SHA1
5ede8da72c0e18a528edc56c5fb254f894a1aec0

SHA256
5ab0fd363096157c4a3ae912e126b20c7d31d15887b3c0c04a90b6b4d1a2f03b

SHA512
d951434277bc2e4a761fc8ad504bafeaf8e98921d5dc011ceabe3aa3fc36ce0fd06c75d7f10703483a655c80f3ceead706c65330ca94df92c8051abb1e2143ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe

Filesize
1.4MB

MD5
702bb8f393cc2dba7181b407175c2d20

SHA1
5ede8da72c0e18a528edc56c5fb254f894a1aec0

SHA256
5ab0fd363096157c4a3ae912e126b20c7d31d15887b3c0c04a90b6b4d1a2f03b

SHA512
d951434277bc2e4a761fc8ad504bafeaf8e98921d5dc011ceabe3aa3fc36ce0fd06c75d7f10703483a655c80f3ceead706c65330ca94df92c8051abb1e2143ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klswxyfk.exe

Filesize
1.4MB

MD5
702bb8f393cc2dba7181b407175c2d20

SHA1
5ede8da72c0e18a528edc56c5fb254f894a1aec0

SHA256
5ab0fd363096157c4a3ae912e126b20c7d31d15887b3c0c04a90b6b4d1a2f03b

SHA512
d951434277bc2e4a761fc8ad504bafeaf8e98921d5dc011ceabe3aa3fc36ce0fd06c75d7f10703483a655c80f3ceead706c65330ca94df92c8051abb1e2143ce

Download Submit
memory/960-65-0x0000000004231000-0x00000000050DD000-memory.dmp

Filesize
14.7MB

Download
memory/1916-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download