MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kutaki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630
SHA3-384 hash: 0f2ec0535d40948241f3dbd2ca0936ff29aa55e982115adf238ba30a2a14ddb2dc26eb5eec05d4617d78bc31b81248d9
SHA1 hash: a056e0fd07a3c3a3ad1481fea682a9ef5c8189f2
MD5 hash: d865c99466454a9ff4c0defef66a0223
humanhash: hawaii-nineteen-eleven-iowa
File name:PPS Ford Payment Receipt.exe
Download: download sample
Signature Kutaki
Create hunting rule
File size:1'196'032 bytes
First seen:2020-10-07 04:46:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 339420629791b54876a6782e0b2f5f07 (2 x Kutaki)
ssdeep 12288:0IHKkV+TvGxB0uY7BMcF46A9jmP/uhu/yMS08CkntxYRW:0IHKw+zGxBdfmP/UDMS08Ckn3X
Threatray 2'377 similar samples on MalwareBazaar
TLSH CB455C09E6E40C41DCB515355DD6ECB035B3FC298B02A21B37EE7ABF2DB2A904E1535A
Reporter abuse_ch
Tags:exe Kutaki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx47.ctrls.in
Sending IP: 182.18.138.45
From: PPS Ford <tlshowroom.vizag@ppsford.com>
Subject: PPS Ford RGTS PAYMENT
Attachment: PPS Ford Payment Receipt.zip (contains "PPS Ford Payment Receipt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68738/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Launching a process
Enabling autorun by creating a file
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483575
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected Kutaki Keylogger
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294230 Sample: PPS Ford Payment Receipt.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 20 Antivirus detection for dropped file 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for dropped file 2->24 26 8 other signatures 2->26 7 PPS Ford Payment Receipt.exe 1 16 2->7         started        10 jussaach.exe 2->10         started        process3 file4 18 C:\Users\user\AppData\...\jussaach.exe, PE32 7->18 dropped 12 cmd.exe 2 7->12         started        14 jussaach.exe 1 14 7->14         started        process5 process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 03:23:34 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3yjekekawhupt2khdae3lepr7izu25dia4366ad36esr7qd2yya._file
Verdict:
unknown
Similar samples:
033d1c64c903216b32c03af9406373ab18aff0192e2b0181a5ac5733bbd94238
Kutaki
0d803d4ab4cc06e12ba51d6af2a2c5d4b6a2d0c38bd766972e2d7b96a10372e2
Kutaki
18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055
Kutaki
1f3155a17517ae07b481c78d6611f7053275b9d488d7475aec599683a80d8a85
Kutaki
39d176c59fce7adab56191645e64f1092a405db9c2c85dc9fe78d419d70f5b6c
Kutaki
5a1ff51485fd7f49e413093ab5c705265a6d5ec108c1ce955fbe99da3d29aa33
Kutaki
9a44822008b9184aa988783e60654bf9d9311cb43fe96711e7cfe7aaf4e7756b
Kutaki
a1ca46a8c41e45116351ecd3926bca9bc16b95a2aacecc100a7c62716e8f1274
Kutaki
cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95
Kutaki
dedad3d7a97da9f0103dd87d86a422e38f581879c41ab07594d141eb303d2de9
Kutaki
+ 2'367 additional samples on MalwareBazaar
Result
Malware family:
kutaki
Create hunting rule
Score:
  10/10
Tags:
stealer keylogger family:kutaki
Link:
https://tria.ge/reports/201007-7e5yw2t9ze/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Kutaki
Kutaki Executable
Unpacked files
SH256 hash:
56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630
MD5 hash:
d865c99466454a9ff4c0defef66a0223
SHA1 hash:
a056e0fd07a3c3a3ad1481fea682a9ef5c8189f2
Link:
https://www.unpac.me/results/704798f3-4e2f-4daa-ba41-20e710ce09dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Kutaki

zip 85a34f356f30eb049c28f2fdd1a2a248efc04281b66091a4477fb2df70b6a03c

Kutaki

Executable exe 56f092288a058f47cf4a38c04dac8f8fd19a6ba34039bf7803df8928fe03d630

(this sample)

  
Dropped by
MD5 34a55febf97a3ac2edd9ef5554b42747
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68738/
  
Dropped by
SHA256 85a34f356f30eb049c28f2fdd1a2a248efc04281b66091a4477fb2df70b6a03c

Comments