SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kpot_stealer (Back to overview)

KPOT Stealer

aka: Khalesi, Kpot
URLhaus    

There is no description at this point.

References
2020-11-04ZDNetCatalin Cimpanu
@online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } REvil ransomware gang 'acquires' KPOT malware
KPOT Stealer REvil
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-04-26Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200426:use:04235ea, author = {Lars Wallenborn}, title = {{use Ghidra to Decrypt Strings of KPOTstealer Malware}}, date = {2020-04-26}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/}, language = {English}, urldate = {2020-05-05} } use Ghidra to Decrypt Strings of KPOTstealer Malware
KPOT Stealer
2020-04-12InfoSec Handlers Diary BlogVinnie
@online{vinnie:20200412:dynamic:191820f, author = {Vinnie}, title = {{Dynamic analysis technique to get decrypted KPOT Malware}}, date = {2020-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26010}, language = {English}, urldate = {2020-04-26} } Dynamic analysis technique to get decrypted KPOT Malware
KPOT Stealer
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-23SANS ISCDidier Stevens
@online{stevens:20200323:kpot:9f080e7, author = {Didier Stevens}, title = {{KPOT Deployed via AutoIt Script}}, date = {2020-03-23}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/25934}, language = {English}, urldate = {2020-03-26} } KPOT Deployed via AutoIt Script
KPOT Stealer
2019-05-09ProofpointDennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190509:new:19098c9, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials}}, date = {2019-05-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal}, language = {English}, urldate = {2019-12-20} } New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
KPOT Stealer
2019-04-11Dr.WebDr. Web
@online{web:20190411:official:b0ce6e2, author = {Dr. Web}, title = {{The official website of a popular video editing software was infected with a banking trojan}}, date = {2019-04-11}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=13242&lng=en}, language = {English}, urldate = {2020-01-10} } The official website of a popular video editing software was infected with a banking trojan
KPOT Stealer
2018-10-25enSiloChen Erlich, Yakov Goldberg
@online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } Game of Trojans: Dissecting the #Khalesi Infostealer Malware
KPOT Stealer
2018-09-12FlashpointPaul Burbage, Mike Mimoso
@online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down
KPOT Stealer
Yara Rules
[TLP:WHITE] win_kpot_stealer_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_kpot_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4204 6a1d e8???????? 837d0c00 59 59 }
            // n = 6, score = 500
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   6a1d                 | push                0x1d
            //   e8????????           |                     
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_1 = { b8???????? 85c9 740e f6c101 7402 dc08 83c008 }
            // n = 7, score = 500
            //   b8????????           |                     
            //   85c9                 | test                ecx, ecx
            //   740e                 | je                  0x10
            //   f6c101               | test                cl, 1
            //   7402                 | je                  4
            //   dc08                 | fmul                qword ptr [eax]
            //   83c008               | add                 eax, 8

        $sequence_2 = { 3bc7 7402 8930 53 ff15???????? ff75ec }
            // n = 6, score = 500
            //   3bc7                 | cmp                 eax, edi
            //   7402                 | je                  4
            //   8930                 | mov                 dword ptr [eax], esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]

        $sequence_3 = { 8b7508 83c6f8 894dfc 8955f8 897508 0f88c8000000 }
            // n = 6, score = 500
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83c6f8               | add                 esi, -8
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   897508               | mov                 dword ptr [ebp + 8], esi
            //   0f88c8000000         | js                  0xce

        $sequence_4 = { 7501 42 897df4 83ceff 0fbe1a 8ac3 }
            // n = 6, score = 500
            //   7501                 | jne                 3
            //   42                   | inc                 edx
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   83ceff               | or                  esi, 0xffffffff
            //   0fbe1a               | movsx               ebx, byte ptr [edx]
            //   8ac3                 | mov                 al, bl

        $sequence_5 = { 250f0000f0 0bf8 0fb6c1 c1ef04 }
            // n = 4, score = 500
            //   250f0000f0           | and                 eax, 0xf000000f
            //   0bf8                 | or                  edi, eax
            //   0fb6c1               | movzx               eax, cl
            //   c1ef04               | shr                 edi, 4

        $sequence_6 = { 0bd1 8bcf c1e11b d1ef }
            // n = 4, score = 500
            //   0bd1                 | or                  edx, ecx
            //   8bcf                 | mov                 ecx, edi
            //   c1e11b               | shl                 ecx, 0x1b
            //   d1ef                 | shr                 edi, 1

        $sequence_7 = { 8bd6 e8???????? c6043700 8bc7 5f }
            // n = 5, score = 500
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   c6043700             | mov                 byte ptr [edi + esi], 0
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_8 = { 884b07 8945fc 8b45f0 83c308 }
            // n = 4, score = 500
            //   884b07               | mov                 byte ptr [ebx + 7], cl
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c308               | add                 ebx, 8

        $sequence_9 = { 53 56 57 8bf8 8b4518 0fb67005 }
            // n = 6, score = 500
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   0fb67005             | movzx               esi, byte ptr [eax + 5]

    condition:
        7 of them and filesize < 219136
}
[TLP:WHITE] win_kpot_stealer_w0   (20190106 | Kpot)
rule win_kpot_stealer_w0 {
    meta:
        description = "Kpot"
        type = "Stealer"
        author = "Fumik0_"
        date = "30/08/2018"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $mz = { 4d 5a }

        // Variant 1
        $v1_s1 = "GET %s HTTP/1.1" wide ascii
        $v1_s2 = "Host: %s" wide ascii
        $v1_s3 = "%02d-%02d-%02d %d:%02d:%02d" wide ascii
        $v1_s4 = "%S/base64.php?_f=%S" wide ascii      
        $v1_s5 = "IP: %S" wide ascii
        $v1_s6 = "MachineGuid: %s" wide ascii
        $v1_s7 = "CPU: %S (%d cores)" wide ascii
        $v1_s8 = "RAM: %S MB" wide ascii
        $v1_s9 = "Screen: %dx%d" wide ascii
        $v1_s10 = "PC: %s" wide ascii
        $v1_s11 = "User: %s" wide ascii
        $v1_s12 = "LT: %S (UTC+%d:%d)" wide ascii
        $v1_s13 = "GPU:" wide ascii
        $v1_s14 = "regbot.php" wide ascii
        $v1_s15 = "ip.php" wide ascii

        // Variant 2
        $v2_s1 = "GET %s HTTP/1.1" wide ascii
        $v2_s2 = "%s/%s.php" wide ascii
        $v2_s3 = "%s/gate.php" wide ascii
        $v2_s4 = "RAM: %s MB" wide ascii
        $v2_s5 = "IP: %s" wide ascii
        $v2_s6 = "CPU: %s (%d cores)" wide ascii
        $v2_s7 = "RAM: %s MB" wide ascii
        $v2_s8 = "Screen: %dx%d" wide ascii
        $v2_s9 = "LT: %s (UTC+%d:%d)" wide ascii
        $v2_s10 = "GPU:" wide ascii
        $v2_s11 = "screen.png" wide ascii

    condition:
        ($mz at 0) and ( (all of ($v1_*)) or (all of ($v2_*)) )
}
Download all Yara Rules