MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c77fcbc6550d3d9c6e805b0ad7e2658ea6cf814780ca60b2299ce833c02c1a92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kutaki

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	c77fcbc6550d3d9c6e805b0ad7e2658ea6cf814780ca60b2299ce833c02c1a92
SHA3-384 hash:	1c23014cad5453a5ff111d72beb7142b3c782db32dbbb2659959698e36419bc4390d95c6cc55299e0f22372680f03b9d
SHA1 hash:	ebedc8f851f3c56539815b4864a7342e6eb24fb9
MD5 hash:	2c22126314b7e1e1a7648d971cd733bf
humanhash:	four-idaho-earth-artist
File name:	SecuriteInfo.com.Variant.Symmi.62789.29193.11180
Download:	download sample
Signature	Kutaki Create hunting rule
File size:	1'155'072 bytes
First seen:	2022-04-19 03:31:06 UTC
Last seen:	2022-04-20 10:22:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	18f4afe55dc996836f5ec4e5f3d652c4 (1 x Kutaki)
ssdeep	24576:m1Tn0SHe46D5tKERWpnhNjQlUPnGYI5aDMYfmP/UDMS08Ckn3a:gDy46lgEshNjQmuYMaoYfmP/SA8Nq
Threatray	7'355 similar samples on MalwareBazaar
TLSH	T130350106FAC1AD52DC6D26719D9359F02E73FC6A5F8B434F71A4623F2876B80289134E
TrID	75.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	40636eecc0988e22 (1 x Kutaki)
Reporter	SecuriteInfoCom
Tags:	exe Kutaki

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264464/

Detection(s):

SecuriteInfo.com.Variant.Symmi.62789.29193.11180.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm cmd.exe control.exe keylogger packed shell32.dll update.exe

Link:

https://www.filescan.io/uploads/625e2d38eab80a7a6c3de1c9/reports/ef205de8-ee4c-4b24-8417-73be6b4109dc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/10366a9a-e8fa-48c4-a6c6-5ea8a15a0dc7

Result

Threat name:

Kutaki

Detection:

malicious

Classification:

spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/978576

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected Kutaki Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c77fcbc6550d3d9c6e805b0ad7e2658ea6cf814780ca60b2299ce833c02c1a92/

Threat name:

Win32.Trojan.Symmi

Status:

Malicious

First seen:

2022-04-19 00:20:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y574xrsvbu6zy3ualmfnpytfr2tm7akhqdfgbmrjttudhqbmdkja._file

Verdict:

malicious

Kutaki

49d0d2a3b58255fd7c36dacc34c5ef977187f2e1ecc8cfd4cf0e35c47824fa8b

Kutaki

5f3a6968e284a2cfa90ca4318cf7385b9ea468d3bc566a80e81d6cfb44ef5b18

Kutaki

5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f

Kutaki

69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef

Kutaki

84cbffb84b7c9ced79b511f82a15414d9202ab68479dfe44cec7b745ed12f973

Kutaki

a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800

Kutaki

dc90482c940a4ab897dcb64e468ccc1767ce48c249755bb625d4e48e718edfd6

Kutaki

+ 7'345 additional samples on MalwareBazaar

Result

Malware family:

kutaki

Score:

10/10

Tags:

family:kutaki

Link:

https://tria.ge/reports/220419-d3l2bsddg4/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Unpacked files

SH256 hash:

c77fcbc6550d3d9c6e805b0ad7e2658ea6cf814780ca60b2299ce833c02c1a92

MD5 hash:

2c22126314b7e1e1a7648d971cd733bf

SHA1 hash:

ebedc8f851f3c56539815b4864a7342e6eb24fb9

Link:

https://www.unpac.me/results/c8d9fa27-6dde-4eb0-9a5b-09e02ea0af1c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.21

Link:

https://yomi.yoroi.company/submissions/c77fcbc6550d3d9c6e805b0ad7e2658ea6cf814780ca60b2299ce833c02c1a92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Kutaki Create hunting rule
Author:	ditekSHen
Description:	Detects Kutaki

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264464/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample