kutaki | 026fd16b5f3c3d9d23e9a9dbd29af68d89e6ed4d8cadc250e00d798fd489d74a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-03-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax Payment Confirmation.exe
Size

805KB
MD5

ff22cbacd681684e683e3cc90b5eeb49
SHA1

ff242e78602ea1c38bf81830932858188a682040
SHA256

026fd16b5f3c3d9d23e9a9dbd29af68d89e6ed4d8cadc250e00d798fd489d74a
SHA512

d012ee702f1566fd99658bc231ddb5152001c11f665351c6a269293f00a5d9d67ade90e3d342f30a4b709067c59e7d01c4eecf5d418f0ea638d1857f5f0c3b25
SSDEEP

12288:cwU/v0YM3/BJzGG6bBiNH46A9jmP/uhu/yMS08CkntxYRjL:BK2BN6BiNYfmP/UDMS08Ckn3W

Score

10^/10

kutaki keylogger stealer

Malware Config

Extracted

Family

kutaki

http://linkwotowoto.club/new/two.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016813-4.dat	family_kutaki

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ysvpkxfk.exe	Tax Payment Confirmation.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ysvpkxfk.exe	Tax Payment Confirmation.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	ysvpkxfk.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	Tax Payment Confirmation.exe
2316	Tax Payment Confirmation.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2316	Tax Payment Confirmation.exe
2316	Tax Payment Confirmation.exe
2316	Tax Payment Confirmation.exe
3016	ysvpkxfk.exe
3016	ysvpkxfk.exe
3016	ysvpkxfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2912	2316	Tax Payment Confirmation.exe	28
PID 2316 wrote to memory of 2912	2316	Tax Payment Confirmation.exe	28
PID 2316 wrote to memory of 2912	2316	Tax Payment Confirmation.exe	28
PID 2316 wrote to memory of 2912	2316	Tax Payment Confirmation.exe	28
PID 2316 wrote to memory of 3016	2316	Tax Payment Confirmation.exe	30
PID 2316 wrote to memory of 3016	2316	Tax Payment Confirmation.exe	30
PID 2316 wrote to memory of 3016	2316	Tax Payment Confirmation.exe	30
PID 2316 wrote to memory of 3016	2316	Tax Payment Confirmation.exe	30

C:\Users\Admin\AppData\Local\Temp\Tax Payment Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Payment Confirmation.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  PID:2912
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ysvpkxfk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ysvpkxfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3016

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ysvpkxfk.exe

Filesize
805KB

MD5
ff22cbacd681684e683e3cc90b5eeb49

SHA1
ff242e78602ea1c38bf81830932858188a682040

SHA256
026fd16b5f3c3d9d23e9a9dbd29af68d89e6ed4d8cadc250e00d798fd489d74a

SHA512
d012ee702f1566fd99658bc231ddb5152001c11f665351c6a269293f00a5d9d67ade90e3d342f30a4b709067c59e7d01c4eecf5d418f0ea638d1857f5f0c3b25

Download Submit
memory/2564-63-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2564-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2564-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2912-62-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download