kutaki | 267c4bb4b2e4c2b06f3b63d58f12a6b4e254d98d36dafab61ac5867b8e7e31b2

General

Target

2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
Size

501KB
MD5

816cdd0d2e0852404804a683d1cd1b53
SHA1

9842b46047c8ef18a2041a7a35fe3b51515dd829
SHA256

2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d
SHA512

9648bb75a15afb57baeb7c9becf994dece54f499f04df344210c8241839d493599b71cf7ae7a9f4f790009ba3a9b8d2f80df7db41bac5b78edce20bd1a115cf2
SSDEEP

12288:6Ycs+XKy/AZe+e9AP8LP810o4HfyNQlQj0DunOq0Mte9oIopkyd+wMeMIC10pqTO:6Ycs+XKy/AZeJ9AP8LP810o4HfyNQlQn

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe	family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe	family_kutaki

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe

Executes dropped EXE 1 IoCs

Processes:

eeysvgfk.exe

pid process

3148 eeysvgfk.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

8 mspaint.exe
8 mspaint.exe

pid	process
3148	eeysvgfk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	cmd.exe

pid	process
8	mspaint.exe
8	mspaint.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exeeeysvgfk.exemspaint.exe

pid	process
976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
3148	eeysvgfk.exe
3148	eeysvgfk.exe
3148	eeysvgfk.exe
8	mspaint.exe
8	mspaint.exe
8	mspaint.exe
8	mspaint.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.execmd.exe

description	pid	process	target process
PID 976 wrote to memory of 4492	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	cmd.exe
PID 976 wrote to memory of 4492	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	cmd.exe
PID 976 wrote to memory of 4492	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	cmd.exe
PID 976 wrote to memory of 3148	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	eeysvgfk.exe
PID 976 wrote to memory of 3148	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	eeysvgfk.exe
PID 976 wrote to memory of 3148	976	2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe	eeysvgfk.exe
PID 4492 wrote to memory of 8	4492	cmd.exe	mspaint.exe
PID 4492 wrote to memory of 8	4492	cmd.exe	mspaint.exe
PID 4492 wrote to memory of 8	4492	cmd.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe
"C:\Users\Admin\AppData\Local\Temp\2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe

Filesize
501KB

MD5
816cdd0d2e0852404804a683d1cd1b53

SHA1
9842b46047c8ef18a2041a7a35fe3b51515dd829

SHA256
2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d

SHA512
9648bb75a15afb57baeb7c9becf994dece54f499f04df344210c8241839d493599b71cf7ae7a9f4f790009ba3a9b8d2f80df7db41bac5b78edce20bd1a115cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eeysvgfk.exe

Filesize
501KB

MD5
816cdd0d2e0852404804a683d1cd1b53

SHA1
9842b46047c8ef18a2041a7a35fe3b51515dd829

SHA256
2114e284c9636a3b015aadb156369d5c55dc29541bc9f27ecf3724f16a65fa8d

SHA512
9648bb75a15afb57baeb7c9becf994dece54f499f04df344210c8241839d493599b71cf7ae7a9f4f790009ba3a9b8d2f80df7db41bac5b78edce20bd1a115cf2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads