MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
SHA3-384 hash: 8981ed242a823ffb23e9d8278228d0940e9f52abca76f8abe9d5fd8eb1ebd5e9ca5152dd4e9e41b2653dec6882ef7388
SHA1 hash: ce7013abac9be7c9ad1b700e8a3c735b97392819
MD5 hash: 55cb3b1b1f6fcb56f0e8d26cb8a4b8f2
humanhash: edward-nevada-potato-oregon
File name:Payment.exe
Download: download sample
File size:770'096 bytes
First seen:2021-01-15 07:13:32 UTC
Last seen:2021-01-15 09:12:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17830f35062327be0c330677fdaf5203 (8 x Kutaki)
ssdeep 12288:Hp9HhelXz7j5zQCgLpXslLWbP/x8gz0t9omoIa4S46A9jmP/uhu/yMS08CkntxYf:HpQ6CgLQmEfmP/UDMS08Ckn3A
Threatray 4'941 similar samples on MalwareBazaar
TLSH 1DF48D23EA94F40DF55380B12976D41AAA0A7C3611956D0BFB806F8E35735E3A8F5B0F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pro152-34.mxout.rediffmailpro.com
Sending IP: 119.252.152.55
From: Mohammed Zaid Keloth <zaid@enivesh.com>
Subject: Invoice Payment Confirmation
Attachment: Payment.zip (contains "Payment.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:33:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0dc4ad6f-b037-498c-ae96-d26612759014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112178/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.bh.26718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Launching a process
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582253
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected Kutaki Keylogger
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340164 Sample: Payment.exe Startdate: 15/01/2021 Architecture: WINDOWS Score: 100 26 Antivirus detection for dropped file 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for dropped file 2->30 32 7 other signatures 2->32 7 Payment.exe 1 15 2->7         started        11 xpnoxech.exe 2->11         started        process3 file4 22 C:\Users\user\AppData\...\xpnoxech.exe, PE32 7->22 dropped 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->34 36 Drops PE files to the startup folder 7->36 13 cmd.exe 2 7->13         started        16 xpnoxech.exe 1 13 7->16         started        signatures5 process6 dnsIp7 24 192.168.2.1 unknown unknown 13->24 18 conhost.exe 13->18         started        20 WerFault.exe 16->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 01:31:01 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qf45fq3rsnhh65ep34bt3fvdwutrla2i5b7mehyvoyjw5xs5fulq._file
Verdict:
malicious
Similar samples:
1331627a168114afd060f2e1f87af4c73de8e7960aeb045b3df51b0cd83ee65c
33e6e7a8f9bd94fa61311b96d6d87c77acae7ab7c42ef47e03be3a14ff7d492c
642e374a327b3fb444f13e54572a43376e7323edd70c7775ba9d1e2e4d29ad9b
85bf2d7bda1e66f7264e5681e680c2699edccef020ecbd4173227b244afda2f7
a0ef9fcda78c9700644ecd5b7f1088a2d3d69402f143c6d597d163ec8ec8f956
b0d84eda9fd7bca58e1be9f782495398da3b6b60077015f4d1dfcf74e3428854
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
c2f7114f72203d60f4e148408ce3ef51df299ef99635644993ebc5a45603c76a
f4cd872a1e57acff73ad28968e9eabb9892fba1d5e5387a82b914b5c92f6bce7
f61f213b63ca8c02400d9436de006c5b33392f1ea9ab07c0c73c2e1b4b9c0c79
+ 4'931 additional samples on MalwareBazaar
Result
Malware family:
kutaki
Create hunting rule
Score:
  10/10
Tags:
family:kutaki keylogger stealer
Link:
https://tria.ge/reports/210115-dr19vkgxbs/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Kutaki
Kutaki Executable
Unpacked files
SH256 hash:
8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
MD5 hash:
55cb3b1b1f6fcb56f0e8d26cb8a4b8f2
SHA1 hash:
ce7013abac9be7c9ad1b700e8a3c735b97392819
Link:
https://www.unpac.me/results/1e97511a-0adc-4f8c-a6e1-af4c5410afc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 874f08f05b9ee2fd92c514a5b2be371a012dcc4d791d3406187968f5b0eb4288

Executable exe 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17

(this sample)

  
Dropped by
MD5 f2eac8dc1fc602439a792e0e66015f40
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 874f08f05b9ee2fd92c514a5b2be371a012dcc4d791d3406187968f5b0eb4288
Cape
Cape
https://www.capesandbox.com/analysis/112178/

Comments