kutaki | 41ec67a912e7de3898baf0f58013481661ce654144e9334aae2d3baf0f4fecce

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:00

Target

mal.exe
Size

465KB
MD5

c41cca4d15c20ffe8b9648ec9e9c7a95
SHA1

2d0ee06b8ad28ad4ee2fdea76eb87967ba98620a
SHA256

41ec67a912e7de3898baf0f58013481661ce654144e9334aae2d3baf0f4fecce
SHA512

bbedcf190672e5b24c11ba3482256fe85f5ac890125cf5a4bc457f0e5508336666686c57dd8c67ee4be6606327b4613dddf549eed8252fa81b22401dc49a62b5
SSDEEP

12288:N8ZCw3cuE046A9jmP/uhu/yMS08CkntxYRsL:N8ZCwXEnfmP/UDMS08Ckn37

Score

10^/10

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f6c-136.dat	family_kutaki
behavioral2/files/0x0006000000022f6c-137.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
4908	ispdqmfk.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe	mal.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe	mal.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4452	1048	mal.exe	80
PID 1048 wrote to memory of 4452	1048	mal.exe	80
PID 1048 wrote to memory of 4452	1048	mal.exe	80
PID 1048 wrote to memory of 4908	1048	mal.exe	82
PID 1048 wrote to memory of 4908	1048	mal.exe	82
PID 1048 wrote to memory of 4908	1048	mal.exe	82

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe

Filesize
465KB

MD5
c41cca4d15c20ffe8b9648ec9e9c7a95

SHA1
2d0ee06b8ad28ad4ee2fdea76eb87967ba98620a

SHA256
41ec67a912e7de3898baf0f58013481661ce654144e9334aae2d3baf0f4fecce

SHA512
bbedcf190672e5b24c11ba3482256fe85f5ac890125cf5a4bc457f0e5508336666686c57dd8c67ee4be6606327b4613dddf549eed8252fa81b22401dc49a62b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ispdqmfk.exe

Filesize
465KB

MD5
c41cca4d15c20ffe8b9648ec9e9c7a95

SHA1
2d0ee06b8ad28ad4ee2fdea76eb87967ba98620a

SHA256
41ec67a912e7de3898baf0f58013481661ce654144e9334aae2d3baf0f4fecce

SHA512
bbedcf190672e5b24c11ba3482256fe85f5ac890125cf5a4bc457f0e5508336666686c57dd8c67ee4be6606327b4613dddf549eed8252fa81b22401dc49a62b5

Download Submit