Overview

overview

10

Static

static

10

Tax Paymen...an.exe

windows7-x64

10

Tax Paymen...an.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tax Payment Challan.exe

  • Size

    617KB

  • MD5

    9b719e21e56dfe22fe282fcd496d83c6

  • SHA1

    f0229d661757258893ca0f0b9daf21ac52d71364

  • SHA256

    314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2

  • SHA512

    c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e

  • SSDEEP

    12288:eFT8EyAFXYN1hP46A9jmP/uhu/yMS08CkntxYRmqL:uYlAFXqAfmP/UDMS08Ckn3A

Score
10/10
kutakikeyloggerstealer

Malware Config

Extracted

Family

kutaki

C2

http://linkwotowoto.club/new/two.php

Signatures

  • Kutaki

    Information stealer and keylogger that hides inside legitimate Visual Basic applications.

    stealerkeyloggerkutaki
  • Kutaki Executable 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
    "C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      2⤵
        PID:2388
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1704
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2700

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
      Filesize

      554KB

      MD5

      04e70f3aa4a29765ceb21eec716e859d

      SHA1

      de4d5018f655dd8ffd03ad839219ed1526b3c10c

      SHA256

      45de6d347a2a366f1b36d6a82bd280146fb72c56cc5719751e7fc3a5d9b6d378

      SHA512

      fdd31b68893ee1e6389e6a3bbbbef17377c75b50e1d8a90895d4036c55a429eb87d1d299b40e9b755ffce7e9f6a0081ef40beff5b6229d4e2b7c2e0e9e46691a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
      Filesize

      513KB

      MD5

      0a9097fd02b3a5a695dbba18fc162d3c

      SHA1

      1ed562dfd27f69d893bee450f4f4fc51fb6c39f4

      SHA256

      1e53a93444d4f46c45ebd1ee9a86078395b6ebea0b0ceed21cf1cb29ccc1bdd1

      SHA512

      bee15df6fe5b04451b1103e924b0a78bbb811cc9b2bb328b713636130ad0e0aa91cb50fa29eab6312d4e7014d4625a38155f50d205f66dc8f5d79a5c4790db00

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
      Filesize

      617KB

      MD5

      9b719e21e56dfe22fe282fcd496d83c6

      SHA1

      f0229d661757258893ca0f0b9daf21ac52d71364

      SHA256

      314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2

      SHA512

      c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
      Filesize

      64KB

      MD5

      47f42b2a127129df9e8f528a751551d2

      SHA1

      3fe40f1e8cdcfc22269cdc350261f0db5f451cc9

      SHA256

      37a7d7840ef9452f3cb1987f3c9056f2bd9820dba1c1c963b7f6194f81ad69d5

      SHA512

      2c74a43d54eed12b17589cf970e1812dfafac4531ff83d886feaa8f447872f8d704d04484c095843e5e31ef15f9ea86cd7be17eedfb7e3007e5a9843c719e44f

      Download Submit
    • memory/2388-62-0x0000000000490000-0x0000000000492000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2700-63-0x0000000000130000-0x0000000000132000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2700-64-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-65-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download