Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2023 09:48

General

  • Target

    HDFC_RTGS.exe

  • Size

    1.5MB

  • MD5

    30adcb75b8ce11e32915d329f4292854

  • SHA1

    cda01ae84ef0b9688f8911de661f1adec108a73b

  • SHA256

    8de3fb617df36b4e33432d30ea4fc626c968421d594b0b5102f8d9b1fbb8fbdf

  • SHA512

    d7d21d2a64719ac10e8818b2b775caa83a56e11e198cc60b28036a5631d7121b8d2dc777893d862a47caccee006ccb014e2f810229cf1b36d6492da9e2b031ef

  • SSDEEP

    24576:XMjlxu1t+S0kLaSW/u/a+DzovnwNnxV/gb7e2AsvwbR281z+zfmP/UDMS08Ckn30:ulAR0kL1t8nO/CAsn81z+zfmP/SA8NE

Malware Config

Extracted

Family

kutaki

C2

http://ojorobia.club/laptop/laptop.php

http://terebinnahicc.club/sec/kool.txt

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

  • Kutaki Executable 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HDFC_RTGS.exe
    "C:\Users\Admin\AppData\Local\Temp\HDFC_RTGS.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:1904
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2056

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vgklugch.exe
      Filesize

      1.5MB

      MD5

      30adcb75b8ce11e32915d329f4292854

      SHA1

      cda01ae84ef0b9688f8911de661f1adec108a73b

      SHA256

      8de3fb617df36b4e33432d30ea4fc626c968421d594b0b5102f8d9b1fbb8fbdf

      SHA512

      d7d21d2a64719ac10e8818b2b775caa83a56e11e198cc60b28036a5631d7121b8d2dc777893d862a47caccee006ccb014e2f810229cf1b36d6492da9e2b031ef
