kutaki | hahaha[.]exe | Triage

Sharing

General

Target

hahaha.exe
Size

2.3MB
MD5

d28dc0c7e546e8f0e4ac5b9106d72fda
SHA1

1d6720b2e4bfe813adfbe2b45e9554e3b4b08542
SHA256

9d6fa0924b1af1e34d01ecf998135140d96ea73bcf1fe28941f66e1ba3f7d9bf
SHA512

e279c197f83cf0bbcedead49f7efa7d8176187740b6f145f1058c714ab2fb7c250aee01b8f8dd625bcd1d7b5d50dd5c5c9e82409a1d06885d026f014b9c9ba7e
SSDEEP

49152:nkWk5cS7a+9XYaQ6Zehc4mTYJ78V9gyBn4czPfmP/SA8N:fajJhZ942KQV9hp44PfmP/SA8

Score

10^/10

kutaki

Malware Config

Extracted

Family

kutaki

C2

http://treysbeatend.com/laptop/squared.php

http://terebinnahicc.club/sec/kool.txt

Signatures

Kutaki family
kutaki
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

hahaha.exe

Files

hahaha.exe
.exe windows:4 windows x86

c2bcb3c119aff2b22df3eb2d5f9fa677

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

ord690
ord696
ord698
MethCallEngine
ord516
ord518
ord626
ord519
ord667
ord591
ord593
ord594
ord595
ord596
ord598
ord520
ord631
ord632
ord525
ord526
EVENT_SINK_AddRef
ord528
ord529
ord560
DllFunctionCall
ord563
ord670
ord564
EVENT_SINK_Release
ord600
ord601
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
ord712
ord713
ord714
ord607
ord608
ord716
ord717
ProcCallEngine
ord644
ord537
ord645
ord648
ord570
ord573
ord681
ord576
ord685
ord100
ord689
ord616
ord617
ord618
ord619
ord650
ord581

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 264KB - Virtual size: 262KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ