MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kutaki


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
SHA3-384 hash: b546ecb6fc6374e6161b2cac205a68cebb8fd195edb81728c0852af1b9966097bb812dd1df8db5f9f98e46ab6ca002d0
SHA1 hash: 81a56cd69bf00ec1fd79543423c59d5ce16c1a45
MD5 hash: 706368098593b234bde3727366651281
humanhash: stairway-tennis-tennessee-magnesium
File name:41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5
Download: download sample
Signature Kutaki
Create hunting rule
File size:835'142 bytes
First seen:2020-08-05 11:29:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e449639e3d5aef200df08087c6240e5e (1 x Kutaki)
ssdeep 24576:em8RI+emRlQIjDlzzTlQ8LmcEd40X0zjnXU9PR1t7drlSpnHuGE5:bzghxO
Threatray 22 similar samples on MalwareBazaar
TLSH 4505F992F328E46CFC1705F634637A89B809483697CC9D03A604A69B143E797F795F2B
Reporter JAMESWT_WT
Tags:keylogger Kutaki spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39431/
Detection(s):
SecuriteInfo.com.Trojan.KeyLogger.40461.1386.17112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/410945
Signature
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected AntiVM strings in reverse order
Yara detected Kutaki Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257633 Sample: zmkuNszEHY Startdate: 05/08/2020 Architecture: WINDOWS Score: 72 38 Yara detected Kutaki Keylogger 2->38 40 Yara detected AntiVM strings in reverse order 2->40 42 Machine Learning detection for sample 2->42 44 Machine Learning detection for dropped file 2->44 8 zmkuNszEHY.exe 1 3 2->8         started        12 netrqqch.exe 1 2->12         started        process3 file4 28 C:\Users\user\AppData\...\netrqqch.exe, PE32 8->28 dropped 48 Drops PE files to the startup folder 8->48 14 netrqqch.exe 7 83 8->14         started        18 cmd.exe 1 8->18         started        signatures5 process6 dnsIp7 34 babaobadf.club 91.223.82.89, 49734, 49737, 49741 IWSNETSE Netherlands 14->34 36 192.168.2.1 unknown unknown 14->36 30 C:\Users\user\AppData\Local\Temp\c.exe, PE32 14->30 dropped 20 c.exe 2 14->20         started        24 conhost.exe 18->24         started        file8 process9 dnsIp10 32 aorziada.xyz 164.90.176.43, 49730, 80 DIGITALOCEAN-ASNUS United States 20->32 46 Creates HTML files with .exe extension (expired dropper behavior) 20->46 26 conhost.exe 20->26         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2019-03-25 06:15:17 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
363755d7a78e52ae1314c7c4a485048269a9680e93bc4cb82098ca6139bfd912
Kutaki
3944f17ee85aa8715e333ae14ee99df9b689cac9db693331acb69ce4c70dd7f3
Kutaki
4fbe77777093608a25b248db192e96bb062da46835e2739c07922c39cfbb0d57
Kutaki
5bd645a7783a25d2caa48ee448ad1e47c00ae25e5a7fd9b304ad9422e9e79fd5
Kutaki
736cb1644adf35fc139e7031d9bc5073816784d21b34de83260387f47f13ba43
Kutaki
83db97610db35554df4061ac1370a10dcda2006d212f4d17e741cfdfdf6264cb
Kutaki
a6f34907ae34f485e4091ba122886cb32a2cc27856d580fe289c8861d6241f27
Kutaki
b2db0dad3f1acb31633bc8d135453b5141d75ce89212a303a9148a40f60eb917
Kutaki
df8b72fbc5b86764cdbd998a0cbdbe404f3253f1a51029d5b46a778feb4839a1
Kutaki
e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405
Kutaki
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-4s4rfhxkma/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Maps connected drives based on registry
Maps connected drives based on registry
Loads dropped DLL
Drops startup file
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Swisyn
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Kutaki

Executable exe 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/218101/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/39431/

Comments