kutaki | e4adf875355662338b487d33f7235b3987f2d5c06c8c6772a374a8d65e353ee0

General

Target

Tax Payment Challan.exe
Size

617KB
MD5

9b719e21e56dfe22fe282fcd496d83c6
SHA1

f0229d661757258893ca0f0b9daf21ac52d71364
SHA256

314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2
SHA512

c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e
SSDEEP

12288:eFT8EyAFXYN1hP46A9jmP/uhu/yMS08CkntxYRmqL:uYlAFXqAfmP/UDMS08Ckn3A

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fc-4.dat	family_kutaki
behavioral1/files/0x00040000000130fc-8.dat	family_kutaki
behavioral1/files/0x00040000000130fc-10.dat	family_kutaki
behavioral1/files/0x00040000000130fc-6.dat	family_kutaki

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe	Tax Payment Challan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe	Tax Payment Challan.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	swrxayfk.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	Tax Payment Challan.exe
2216	Tax Payment Challan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2216	Tax Payment Challan.exe
2216	Tax Payment Challan.exe
2216	Tax Payment Challan.exe
1704	swrxayfk.exe
1704	swrxayfk.exe
1704	swrxayfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2388	2216	Tax Payment Challan.exe	28
PID 2216 wrote to memory of 2388	2216	Tax Payment Challan.exe	28
PID 2216 wrote to memory of 2388	2216	Tax Payment Challan.exe	28
PID 2216 wrote to memory of 2388	2216	Tax Payment Challan.exe	28
PID 2216 wrote to memory of 1704	2216	Tax Payment Challan.exe	30
PID 2216 wrote to memory of 1704	2216	Tax Payment Challan.exe	30
PID 2216 wrote to memory of 1704	2216	Tax Payment Challan.exe	30
PID 2216 wrote to memory of 1704	2216	Tax Payment Challan.exe	30

C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Payment Challan.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1704

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe

Filesize
554KB

MD5
04e70f3aa4a29765ceb21eec716e859d

SHA1
de4d5018f655dd8ffd03ad839219ed1526b3c10c

SHA256
45de6d347a2a366f1b36d6a82bd280146fb72c56cc5719751e7fc3a5d9b6d378

SHA512
fdd31b68893ee1e6389e6a3bbbbef17377c75b50e1d8a90895d4036c55a429eb87d1d299b40e9b755ffce7e9f6a0081ef40beff5b6229d4e2b7c2e0e9e46691a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe

Filesize
513KB

MD5
0a9097fd02b3a5a695dbba18fc162d3c

SHA1
1ed562dfd27f69d893bee450f4f4fc51fb6c39f4

SHA256
1e53a93444d4f46c45ebd1ee9a86078395b6ebea0b0ceed21cf1cb29ccc1bdd1

SHA512
bee15df6fe5b04451b1103e924b0a78bbb811cc9b2bb328b713636130ad0e0aa91cb50fa29eab6312d4e7014d4625a38155f50d205f66dc8f5d79a5c4790db00

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe

Filesize
617KB

MD5
9b719e21e56dfe22fe282fcd496d83c6

SHA1
f0229d661757258893ca0f0b9daf21ac52d71364

SHA256
314354ecd6851e77c74ab85bba3a53c9f2ee6c95010410f8ef3c5c435600ecb2

SHA512
c969de50ba51747e457aed23a2f60a131e055d217c8e941ea03e0f51a2f441d4dc4f105ae78418f7be9bec326f7949ebabe174e9c50226c6ef8c59c57418750e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swrxayfk.exe

Filesize
64KB

MD5
47f42b2a127129df9e8f528a751551d2

SHA1
3fe40f1e8cdcfc22269cdc350261f0db5f451cc9

SHA256
37a7d7840ef9452f3cb1987f3c9056f2bd9820dba1c1c963b7f6194f81ad69d5

SHA512
2c74a43d54eed12b17589cf970e1812dfafac4531ff83d886feaa8f447872f8d704d04484c095843e5e31ef15f9ea86cd7be17eedfb7e3007e5a9843c719e44f

Download Submit
memory/2388-62-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/2700-63-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2700-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2700-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing