kutaki | ad4105a0782f6efc19aa2b31dd763f9059baf00a517ea3b8a8d0636363faf000

General

Target

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
Size

812KB
MD5

cbcc3c668fdc2ee5f01487855bb38a03
SHA1

426f69456a1923749cc85e1f9b4cce43ea1050bb
SHA256

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429
SHA512

302478083f792fcb779749c993d18d88e33aa855de8641dc4b02d7a29cff2074ccdcc931efeb6eeb46dbf8f5cddec2bdbf4814f73c2dc4daba99fd6775ca138e
SSDEEP

12288:Iw/h2mDPAtjj4cv6aiUoIxbUV46A9jmP/uhu/yMS08CkntxYRq:7Pmjj4c5fmP/UDMS08Ckn3j

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://newloshree.xyz/work/son.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	family_kutaki
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	family_kutaki

Drops startup file 2 IoCs

Processes:

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe

Executes dropped EXE 1 IoCs

Processes:

llkvblch.exe

pid process

2548 llkvblch.exe

pid	process
2548	llkvblch.exe

Loads dropped DLL 2 IoCs

Processes:

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe

pid	process
1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exellkvblch.exe

pid	process
1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe
2548	llkvblch.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe

description	pid	process	target process
PID 1068 wrote to memory of 1356	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	cmd.exe
PID 1068 wrote to memory of 1356	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	cmd.exe
PID 1068 wrote to memory of 1356	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	cmd.exe
PID 1068 wrote to memory of 1356	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	cmd.exe
PID 1068 wrote to memory of 2548	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	llkvblch.exe
PID 1068 wrote to memory of 2548	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	llkvblch.exe
PID 1068 wrote to memory of 2548	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	llkvblch.exe
PID 1068 wrote to memory of 2548	1068	7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe	llkvblch.exe

C:\Users\Admin\AppData\Local\Temp\7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe
"C:\Users\Admin\AppData\Local\Temp\7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:1356

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe
Filesize
812KB

MD5
cbcc3c668fdc2ee5f01487855bb38a03

SHA1
426f69456a1923749cc85e1f9b4cce43ea1050bb

SHA256
7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429

SHA512
302478083f792fcb779749c993d18d88e33aa855de8641dc4b02d7a29cff2074ccdcc931efeb6eeb46dbf8f5cddec2bdbf4814f73c2dc4daba99fd6775ca138e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe
Filesize
812KB

MD5
cbcc3c668fdc2ee5f01487855bb38a03

SHA1
426f69456a1923749cc85e1f9b4cce43ea1050bb

SHA256
7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429

SHA512
302478083f792fcb779749c993d18d88e33aa855de8641dc4b02d7a29cff2074ccdcc931efeb6eeb46dbf8f5cddec2bdbf4814f73c2dc4daba99fd6775ca138e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe
Filesize
812KB

MD5
cbcc3c668fdc2ee5f01487855bb38a03

SHA1
426f69456a1923749cc85e1f9b4cce43ea1050bb

SHA256
7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429

SHA512
302478083f792fcb779749c993d18d88e33aa855de8641dc4b02d7a29cff2074ccdcc931efeb6eeb46dbf8f5cddec2bdbf4814f73c2dc4daba99fd6775ca138e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llkvblch.exe
Filesize
812KB

MD5
cbcc3c668fdc2ee5f01487855bb38a03

SHA1
426f69456a1923749cc85e1f9b4cce43ea1050bb

SHA256
7177cf9f393364d37caa1cf3d970bd5381333fb655ec3f83becdb8c4861ed429

SHA512
302478083f792fcb779749c993d18d88e33aa855de8641dc4b02d7a29cff2074ccdcc931efeb6eeb46dbf8f5cddec2bdbf4814f73c2dc4daba99fd6775ca138e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads