kutaki | 65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f

General

Target

HDFC Payment.exe
Size

1.0MB
MD5

c884ae57f21fbee98f3327583a408412
SHA1

de718911e64d84670c48095febab54d4f130f3cf
SHA256

65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f
SHA512

aa545b01561628aacf03b2e0e131fda681707a52ce4a2e051b0d3946bf776630bc097ffc5c957fa68077b5b445540fa8c28c4aa8f5f686f1aee8f5a6e841a668
SSDEEP

24576:LtVdLmI1ppy9ABspxs140l665y38kQkILfmP/UDMS08Ckn3C:xLxM9ABspxs115fmP/SA8NS

Score

10^/10

kutaki discovery keylogger stealer

Malware Config

Extracted

Family

kutaki

C2

http://newlinkwotolove.club/love/three.php

Signatures

Kutaki
Information stealer and keylogger that hides inside legitimate Visual Basic applications.
stealer keylogger kutaki

Kutaki Executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe	family_kutaki

Kutaki family
kutaki

Drops startup file 2 IoCs

Processes:

HDFC Payment.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe	HDFC Payment.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe	HDFC Payment.exe

Executes dropped EXE 1 IoCs

Processes:

iywwlffk.exe

pid process

2272 iywwlffk.exe
Loads dropped DLL 2 IoCs

Processes:

HDFC Payment.exe

pid process

576 HDFC Payment.exe
576 HDFC Payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2272	iywwlffk.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HDFC Payment.execmd.exeiywwlffk.exeDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDFC Payment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iywwlffk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

iywwlffk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iywwlffk.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iywwlffk.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iywwlffk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2168 DllHost.exe

pid	process
2168	DllHost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

HDFC Payment.exeiywwlffk.exeDllHost.exe

pid	process
576	HDFC Payment.exe
576	HDFC Payment.exe
576	HDFC Payment.exe
2272	iywwlffk.exe
2272	iywwlffk.exe
2272	iywwlffk.exe
2168	DllHost.exe
2168	DllHost.exe
2168	DllHost.exe
2168	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

HDFC Payment.exe

description	pid	process	target process
PID 576 wrote to memory of 2932	576	HDFC Payment.exe	cmd.exe
PID 576 wrote to memory of 2932	576	HDFC Payment.exe	cmd.exe
PID 576 wrote to memory of 2932	576	HDFC Payment.exe	cmd.exe
PID 576 wrote to memory of 2932	576	HDFC Payment.exe	cmd.exe
PID 576 wrote to memory of 2272	576	HDFC Payment.exe	iywwlffk.exe
PID 576 wrote to memory of 2272	576	HDFC Payment.exe	iywwlffk.exe
PID 576 wrote to memory of 2272	576	HDFC Payment.exe	iywwlffk.exe
PID 576 wrote to memory of 2272	576	HDFC Payment.exe	iywwlffk.exe

C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe
"C:\Users\Admin\AppData\Local\Temp\HDFC Payment.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\NewErrorPageTemplate[2]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iywwlffk.exe

Filesize
1.0MB

MD5
c884ae57f21fbee98f3327583a408412

SHA1
de718911e64d84670c48095febab54d4f130f3cf

SHA256
65357d5cab8976dd6cd93dc4a6defc6ec2f03312f60036ecc963684189b93d5f

SHA512
aa545b01561628aacf03b2e0e131fda681707a52ce4a2e051b0d3946bf776630bc097ffc5c957fa68077b5b445540fa8c28c4aa8f5f686f1aee8f5a6e841a668

Download Submit
memory/2168-63-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2272-64-0x0000000004280000-0x00000000052E2000-memory.dmp

Filesize
16.4MB

Download
memory/2932-62-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads