MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kutaki


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3
SHA3-384 hash: 0164e03527bf60245f72d1b88a456f5b7814c620bf260e93b344d8afba3b55866fae6e4fe8c2edf43d737fa79ade48bc
SHA1 hash: c0eb935bf18928d394b9b8960a244521454d00d1
MD5 hash: b88eb3c494c252d1ebca8c882fdc8113
humanhash: network-lake-mirror-mirror
File name:3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3
Download: download sample
Signature Kutaki
Create hunting rule
File size:755'682 bytes
First seen:2020-08-05 11:29:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f22d9236f49ab3b36677f1f97fcf4003 (1 x Kutaki)
ssdeep 12288:5YRQGHjRFh5T4uh801VqpGPqlSpwhm4s5bsGSCc5:5YRQGHjDh5Tzh8IqrlSpnHuGu5
Threatray 95 similar samples on MalwareBazaar
TLSH 5EF4C502A6D0B72ED4CED4F42AD4955AE066FCF2216895C37BF35A8667203CFAC74607
Reporter JAMESWT_WT
Tags:keylogger Kutaki spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Enabling autorun with the shell\open\command registry branches
Enabling autorun by creating a file
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/410944
Signature
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AntiVM strings in reverse order
Yara detected Kutaki Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257632 Sample: 4bRJPzZ8Wd Startdate: 05/08/2020 Architecture: WINDOWS Score: 72 23 Yara detected Kutaki Keylogger 2->23 25 Yara detected AntiVM strings in reverse order 2->25 27 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->27 29 2 other signatures 2->29 7 4bRJPzZ8Wd.exe 5 14 2->7         started        11 lfkvasch.exe 2->11         started        process3 file4 21 C:\Users\user\AppData\...\lfkvasch.exe, PE32 7->21 dropped 31 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->31 33 Drops PE files to the startup folder 7->33 13 lfkvasch.exe 1 13 7->13         started        15 cmd.exe 1 7->15         started        signatures5 process6 process7 17 WerFault.exe 13->17         started        19 conhost.exe 15->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3/
Threat name:
Win32.Trojan.Antivm
Create hunting rule
Status:
Malicious
First seen:
2019-04-10 03:40:29 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
205a2f88f490388970c68b7512acfb90756655b4115e3bbe7b2b77efeab58bdf
Kutaki
2bd4a68bf90d7d007980c8c9a6ca3859507d6f8ad00c4d53b859ffe9e7311751
Kutaki
3174e8d8ef60806faa8b1e19a54ad0d89912ad75bbe63af481c5007af6fe1ea0
Kutaki
3460bddb22bbd2c03da5dbcc68e6ce1d54cfb1d5991196eff039acb093d96307
Kutaki
363755d7a78e52ae1314c7c4a485048269a9680e93bc4cb82098ca6139bfd912
Kutaki
4fbe77777093608a25b248db192e96bb062da46835e2739c07922c39cfbb0d57
Kutaki
5bd645a7783a25d2caa48ee448ad1e47c00ae25e5a7fd9b304ad9422e9e79fd5
Kutaki
b2db0dad3f1acb31633bc8d135453b5141d75ce89212a303a9148a40f60eb917
Kutaki
b48c6ee90905955194c2864cd4ff8618c7df2a301df6740ce9f9065f5cb04fa9
Kutaki
e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405
Kutaki
+ 85 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-jr5xqqyw8s/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Maps connected drives based on registry
Maps connected drives based on registry
Drops startup file
Loads dropped DLL
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/39430/

Comments