kutaki | 86fc1f2dabb60a5c5a30d63d8508240074809554e0630f1d6bed457e3f02e80a

Analysis

max time kernel
98s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INCOMETAX_RECEIPT.exe
Size

1.0MB
MD5

3983e3e2ea37719a50665ac70316a53d
SHA1

029aaed996072a601fae913597f20c976bc2a452
SHA256

86fc1f2dabb60a5c5a30d63d8508240074809554e0630f1d6bed457e3f02e80a
SHA512

afc55b36136dc5028991adc08d82837476d2d3e5f1976b740445d874ba5bf51fb425e7ff85035e5268d2d270b48d109586086ab202174881d430ffa8a20bc113
SSDEEP

24576:XvPS/SnugUM+4Zt5l1fmP/UDMS08Ckn31E:XvPEwug1jfmP/SA8NlE

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newloshree.xyz/work/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000001311a-58.dat	family_kutaki
behavioral1/files/0x000900000001311a-59.dat	family_kutaki
behavioral1/files/0x000900000001311a-61.dat	family_kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe	INCOMETAX_RECEIPT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe	INCOMETAX_RECEIPT.exe

Executes dropped EXE 1 IoCs

pid	Process
952	uwwsoxfk.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	INCOMETAX_RECEIPT.exe
2036	INCOMETAX_RECEIPT.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2036	INCOMETAX_RECEIPT.exe
2036	INCOMETAX_RECEIPT.exe
2036	INCOMETAX_RECEIPT.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe
952	uwwsoxfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1880	2036	INCOMETAX_RECEIPT.exe	28
PID 2036 wrote to memory of 1880	2036	INCOMETAX_RECEIPT.exe	28
PID 2036 wrote to memory of 1880	2036	INCOMETAX_RECEIPT.exe	28
PID 2036 wrote to memory of 1880	2036	INCOMETAX_RECEIPT.exe	28
PID 2036 wrote to memory of 952	2036	INCOMETAX_RECEIPT.exe	30
PID 2036 wrote to memory of 952	2036	INCOMETAX_RECEIPT.exe	30
PID 2036 wrote to memory of 952	2036	INCOMETAX_RECEIPT.exe	30
PID 2036 wrote to memory of 952	2036	INCOMETAX_RECEIPT.exe	30

C:\Users\Admin\AppData\Local\Temp\INCOMETAX_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\INCOMETAX_RECEIPT.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe

Filesize
1.0MB

MD5
3983e3e2ea37719a50665ac70316a53d

SHA1
029aaed996072a601fae913597f20c976bc2a452

SHA256
86fc1f2dabb60a5c5a30d63d8508240074809554e0630f1d6bed457e3f02e80a

SHA512
afc55b36136dc5028991adc08d82837476d2d3e5f1976b740445d874ba5bf51fb425e7ff85035e5268d2d270b48d109586086ab202174881d430ffa8a20bc113

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe

Filesize
1.0MB

MD5
3983e3e2ea37719a50665ac70316a53d

SHA1
029aaed996072a601fae913597f20c976bc2a452

SHA256
86fc1f2dabb60a5c5a30d63d8508240074809554e0630f1d6bed457e3f02e80a

SHA512
afc55b36136dc5028991adc08d82837476d2d3e5f1976b740445d874ba5bf51fb425e7ff85035e5268d2d270b48d109586086ab202174881d430ffa8a20bc113

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwwsoxfk.exe

Filesize
1.0MB

MD5
3983e3e2ea37719a50665ac70316a53d

SHA1
029aaed996072a601fae913597f20c976bc2a452

SHA256
86fc1f2dabb60a5c5a30d63d8508240074809554e0630f1d6bed457e3f02e80a

SHA512
afc55b36136dc5028991adc08d82837476d2d3e5f1976b740445d874ba5bf51fb425e7ff85035e5268d2d270b48d109586086ab202174881d430ffa8a20bc113

Download Submit
memory/2036-56-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download