kutaki | Invoice No 80659[.]bat | Triage

Sharing

General

Target

Invoice No 80659.bat
Size

420KB
MD5

faab4fd3a2fe8cb413f08e09435a6163
SHA1

48635d53b9f4e46debc72bebc86b67a8e2fc5050
SHA256

5859447c59da8ccf030681f8e0bcfdce10caf46532c624fa63b6e9009f840c39
SHA512

9db97c93d006540e2c089d9e97836a506af1c24c364b80b2920d5c1a0a7e03e3165496d384fafc978db33657b9cd6fc757203c256233992c80ed10c6e5c31ffd
SSDEEP

12288:lzQkJorB46A9jmP/uhu/yMS08CkntxYRZJL:lzd2ufmP/UDMS08Ckn3uh

Score

10^/10

kutaki

Malware Config

Extracted

Family

kutaki

C2

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki family
kutaki

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Invoice No 80659.bat

Files

Invoice No 80659.bat
.exe windows x86

a8c6af890817aa3b69692601c070d9ed

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

ord690
ord696
ord698
MethCallEngine
ord516
ord518
ord626
ord519
ord667
ord591
ord593
ord594
ord595
ord596
ord598
ord520
ord631
ord525
ord632
ord526
EVENT_SINK_AddRef
ord528
ord529
DllFunctionCall
ord563
ord670
ord564
EVENT_SINK_Release
ord600
ord601
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
ord712
ord713
ord714
ord607
ord608
ord716
ord717
ProcCallEngine
ord644
ord537
ord645
ord648
ord570
ord573
ord681
ord576
ord685
ord100
ord689
ord616
ord617
ord618
ord619
ord581

Sections

.text
Size: 140KB - Virtual size: 138KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 276KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ