kutaki | 5e68db0fc4ba7e505cb1d59e9db3c1c09ab83d0d5f1d2e28e0446ee8c6fa3081

Analysis

max time kernel
111s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Challan.exe
Size

593KB
MD5

ba62a3fe1ef370a7efd7abe232c71619
SHA1

ca160ffe9550aa4c14c37522dade8aafa50a42b3
SHA256

5e68db0fc4ba7e505cb1d59e9db3c1c09ab83d0d5f1d2e28e0446ee8c6fa3081
SHA512

237d2cf167d92e5840651c19f067ffd0140dec6f6c511f704f520c8a262908d96a4b60eaa57736342490dd79b99d51146d156cba01e8768acd2f478f9c4bb8f0
SSDEEP

12288:5AM0xGDBOY+OxjAfwq46A9jmP/uhu/yMS08CkntxYRWL:5z0xGDBOYXQwVfmP/UDMS08Ckn3R

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://newbosslink.xyz/baba/new4.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001230b-58.dat	family_kutaki
behavioral1/files/0x000b00000001230b-59.dat	family_kutaki
behavioral1/files/0x000b00000001230b-61.dat	family_kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe	Challan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe	Challan.exe

Executes dropped EXE 1 IoCs

pid	Process
320	xtlmerfk.exe

Loads dropped DLL 2 IoCs

pid	Process
1396	Challan.exe
1396	Challan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1128	DllHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1396	Challan.exe
1396	Challan.exe
1396	Challan.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe
320	xtlmerfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 432	1396	Challan.exe	28
PID 1396 wrote to memory of 432	1396	Challan.exe	28
PID 1396 wrote to memory of 432	1396	Challan.exe	28
PID 1396 wrote to memory of 432	1396	Challan.exe	28
PID 1396 wrote to memory of 320	1396	Challan.exe	30
PID 1396 wrote to memory of 320	1396	Challan.exe	30
PID 1396 wrote to memory of 320	1396	Challan.exe	30
PID 1396 wrote to memory of 320	1396	Challan.exe	30

C:\Users\Admin\AppData\Local\Temp\Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe

Filesize
593KB

MD5
ba62a3fe1ef370a7efd7abe232c71619

SHA1
ca160ffe9550aa4c14c37522dade8aafa50a42b3

SHA256
5e68db0fc4ba7e505cb1d59e9db3c1c09ab83d0d5f1d2e28e0446ee8c6fa3081

SHA512
237d2cf167d92e5840651c19f067ffd0140dec6f6c511f704f520c8a262908d96a4b60eaa57736342490dd79b99d51146d156cba01e8768acd2f478f9c4bb8f0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe

Filesize
593KB

MD5
ba62a3fe1ef370a7efd7abe232c71619

SHA1
ca160ffe9550aa4c14c37522dade8aafa50a42b3

SHA256
5e68db0fc4ba7e505cb1d59e9db3c1c09ab83d0d5f1d2e28e0446ee8c6fa3081

SHA512
237d2cf167d92e5840651c19f067ffd0140dec6f6c511f704f520c8a262908d96a4b60eaa57736342490dd79b99d51146d156cba01e8768acd2f478f9c4bb8f0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtlmerfk.exe

Filesize
593KB

MD5
ba62a3fe1ef370a7efd7abe232c71619

SHA1
ca160ffe9550aa4c14c37522dade8aafa50a42b3

SHA256
5e68db0fc4ba7e505cb1d59e9db3c1c09ab83d0d5f1d2e28e0446ee8c6fa3081

SHA512
237d2cf167d92e5840651c19f067ffd0140dec6f6c511f704f520c8a262908d96a4b60eaa57736342490dd79b99d51146d156cba01e8768acd2f478f9c4bb8f0

Download Submit
memory/1396-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download