kutaki | 620fafa603b8414c4bb1616f52c37335f2903df7af4da487926a6c6965ee2f78

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

597KB
MD5

ec665f89e74d25d37731652989ad3c2e
SHA1

82818a05e393db30f6c72c13cf8086b1dd6f67c7
SHA256

620fafa603b8414c4bb1616f52c37335f2903df7af4da487926a6c6965ee2f78
SHA512

c774ded25b26229a97e42575b6b13415807c43b76b7eb36081a507ca407090885821e336d4f23ae61cdd627f3daad2a433c6d55eeab7039623c5c152a8a099f8
SSDEEP

12288:qK1aFT8EUJHvXH/Xgv46A9jmP/uhu/yMS08CkntxYRWaL:qBYLJvXH/wgfmP/UDMS08Ckn3E

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001444d-4.dat	family_kutaki

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsirxxfk.exe	file.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsirxxfk.exe	file.exe

Executes dropped EXE 1 IoCs

pid	Process
860	jsirxxfk.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	file.exe
1812	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2096	DllHost.exe
2096	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1812	file.exe
1812	file.exe
1812	file.exe
860	jsirxxfk.exe
860	jsirxxfk.exe
860	jsirxxfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2536	1812	file.exe	28
PID 1812 wrote to memory of 2536	1812	file.exe	28
PID 1812 wrote to memory of 2536	1812	file.exe	28
PID 1812 wrote to memory of 2536	1812	file.exe	28
PID 1812 wrote to memory of 860	1812	file.exe	30
PID 1812 wrote to memory of 860	1812	file.exe	30
PID 1812 wrote to memory of 860	1812	file.exe	30
PID 1812 wrote to memory of 860	1812	file.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsirxxfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsirxxfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsirxxfk.exe

Filesize
597KB

MD5
ec665f89e74d25d37731652989ad3c2e

SHA1
82818a05e393db30f6c72c13cf8086b1dd6f67c7

SHA256
620fafa603b8414c4bb1616f52c37335f2903df7af4da487926a6c6965ee2f78

SHA512
c774ded25b26229a97e42575b6b13415807c43b76b7eb36081a507ca407090885821e336d4f23ae61cdd627f3daad2a433c6d55eeab7039623c5c152a8a099f8

Download Submit
memory/2096-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2096-64-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2536-62-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download