kutaki | 58092b88b330eec0e01a54c5ea8715b2206e8775b56ca54400c5cae59bc23f77

Analysis

max time kernel
96s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IncomeTax_Challan_Copy.exe
Size

1.7MB
MD5

9cebc9cd7dec812aa0891df66d2dfd50
SHA1

739286547c4533f85ba1187acb3d46eb13b1090f
SHA256

58092b88b330eec0e01a54c5ea8715b2206e8775b56ca54400c5cae59bc23f77
SHA512

347b593128ebdc5f519955d788461f6842795fdd18163baa38bae6cf59a73e423018bd4e8446cb1bae42c75b3da821bd45ec36af6329bb1eedec956b4ef4accb
SSDEEP

24576:KeqSDLyQvKTLEXIRtJ4tjhXGT743iX8EFuvXb0lPCDB3oy4LJ1/obfmP/UDMS08s:KeqSDdvKHEXIHJEBGvY+kwyfmP/SA8Ne

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newloshree.xyz/work/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000013406-58.dat	family_kutaki
behavioral1/files/0x0009000000013406-61.dat	family_kutaki
behavioral1/files/0x0009000000013406-59.dat	family_kutaki

Executes dropped EXE 1 IoCs

pid	Process
1344	lnuqtffk.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe	IncomeTax_Challan_Copy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe	IncomeTax_Challan_Copy.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	IncomeTax_Challan_Copy.exe
1812	IncomeTax_Challan_Copy.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1812	IncomeTax_Challan_Copy.exe
1812	IncomeTax_Challan_Copy.exe
1812	IncomeTax_Challan_Copy.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe
1344	lnuqtffk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1492	1812	IncomeTax_Challan_Copy.exe	29
PID 1812 wrote to memory of 1492	1812	IncomeTax_Challan_Copy.exe	29
PID 1812 wrote to memory of 1492	1812	IncomeTax_Challan_Copy.exe	29
PID 1812 wrote to memory of 1492	1812	IncomeTax_Challan_Copy.exe	29
PID 1812 wrote to memory of 1344	1812	IncomeTax_Challan_Copy.exe	31
PID 1812 wrote to memory of 1344	1812	IncomeTax_Challan_Copy.exe	31
PID 1812 wrote to memory of 1344	1812	IncomeTax_Challan_Copy.exe	31
PID 1812 wrote to memory of 1344	1812	IncomeTax_Challan_Copy.exe	31

C:\Users\Admin\AppData\Local\Temp\IncomeTax_Challan_Copy.exe
"C:\Users\Admin\AppData\Local\Temp\IncomeTax_Challan_Copy.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe

Filesize
1.7MB

MD5
9cebc9cd7dec812aa0891df66d2dfd50

SHA1
739286547c4533f85ba1187acb3d46eb13b1090f

SHA256
58092b88b330eec0e01a54c5ea8715b2206e8775b56ca54400c5cae59bc23f77

SHA512
347b593128ebdc5f519955d788461f6842795fdd18163baa38bae6cf59a73e423018bd4e8446cb1bae42c75b3da821bd45ec36af6329bb1eedec956b4ef4accb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe

Filesize
1.7MB

MD5
9cebc9cd7dec812aa0891df66d2dfd50

SHA1
739286547c4533f85ba1187acb3d46eb13b1090f

SHA256
58092b88b330eec0e01a54c5ea8715b2206e8775b56ca54400c5cae59bc23f77

SHA512
347b593128ebdc5f519955d788461f6842795fdd18163baa38bae6cf59a73e423018bd4e8446cb1bae42c75b3da821bd45ec36af6329bb1eedec956b4ef4accb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnuqtffk.exe

Filesize
1.7MB

MD5
9cebc9cd7dec812aa0891df66d2dfd50

SHA1
739286547c4533f85ba1187acb3d46eb13b1090f

SHA256
58092b88b330eec0e01a54c5ea8715b2206e8775b56ca54400c5cae59bc23f77

SHA512
347b593128ebdc5f519955d788461f6842795fdd18163baa38bae6cf59a73e423018bd4e8446cb1bae42c75b3da821bd45ec36af6329bb1eedec956b4ef4accb

Download Submit
memory/1812-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download