SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kpot_stealer (Back to overview)

KPOT Stealer

aka: Khalesi, Kpot
URLhaus    

There is no description at this point.

References
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Ransomware Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zeppelin Ransomware Zloader
2020-12-15Github (Dump-GUY)Jiří Vinopal
@online{vinopal:20201215:reverse:d61ae14, author = {Jiří Vinopal}, title = {{Reverse engineering KPOT v2.0 Stealer}}, date = {2020-12-15}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md}, language = {English}, urldate = {2020-12-15} } Reverse engineering KPOT v2.0 Stealer
KPOT Stealer
2020-11-04ZDNetCatalin Cimpanu
@online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } REvil ransomware gang 'acquires' KPOT malware
KPOT Stealer REvil
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-04-26Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200426:use:04235ea, author = {Lars Wallenborn}, title = {{use Ghidra to Decrypt Strings of KPOTstealer Malware}}, date = {2020-04-26}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/}, language = {English}, urldate = {2020-05-05} } use Ghidra to Decrypt Strings of KPOTstealer Malware
KPOT Stealer
2020-04-12InfoSec Handlers Diary BlogVinnie
@online{vinnie:20200412:dynamic:191820f, author = {Vinnie}, title = {{Dynamic analysis technique to get decrypted KPOT Malware}}, date = {2020-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26010}, language = {English}, urldate = {2020-04-26} } Dynamic analysis technique to get decrypted KPOT Malware
KPOT Stealer
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-23SANS ISCDidier Stevens
@online{stevens:20200323:kpot:9f080e7, author = {Didier Stevens}, title = {{KPOT Deployed via AutoIt Script}}, date = {2020-03-23}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/25934}, language = {English}, urldate = {2020-03-26} } KPOT Deployed via AutoIt Script
KPOT Stealer
2019-05-09ProofpointDennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190509:new:19098c9, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials}}, date = {2019-05-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal}, language = {English}, urldate = {2019-12-20} } New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
KPOT Stealer
2019-04-11Dr.WebDr. Web
@online{web:20190411:official:b0ce6e2, author = {Dr. Web}, title = {{The official website of a popular video editing software was infected with a banking trojan}}, date = {2019-04-11}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=13242&lng=en}, language = {English}, urldate = {2020-01-10} } The official website of a popular video editing software was infected with a banking trojan
KPOT Stealer
2018-10-25enSiloChen Erlich, Yakov Goldberg
@online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } Game of Trojans: Dissecting the #Khalesi Infostealer Malware
KPOT Stealer
2018-09-12FlashpointPaul Burbage, Mike Mimoso
@online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down
KPOT Stealer
Yara Rules
[TLP:WHITE] win_kpot_stealer_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_kpot_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f92f 7414 83f95c 740a 83f962 7560 c60008 }
            // n = 7, score = 500
            //   83f92f               | cmp                 ecx, 0x2f
            //   7414                 | je                  0x16
            //   83f95c               | cmp                 ecx, 0x5c
            //   740a                 | je                  0xc
            //   83f962               | cmp                 ecx, 0x62
            //   7560                 | jne                 0x62
            //   c60008               | mov                 byte ptr [eax], 8

        $sequence_1 = { c1e11b d1ef 23d0 0bf9 }
            // n = 4, score = 500
            //   c1e11b               | shl                 ecx, 0x1b
            //   d1ef                 | shr                 edi, 1
            //   23d0                 | and                 edx, eax
            //   0bf9                 | or                  edi, ecx

        $sequence_2 = { c1eb10 885801 884802 8bca }
            // n = 4, score = 500
            //   c1eb10               | shr                 ebx, 0x10
            //   885801               | mov                 byte ptr [eax + 1], bl
            //   884802               | mov                 byte ptr [eax + 2], cl
            //   8bca                 | mov                 ecx, edx

        $sequence_3 = { 6a01 56 e8???????? 8b4508 6a00 56 }
            // n = 6, score = 500
            //   6a01                 | push                1
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_4 = { ff15???????? 56 ff15???????? 83c40c c3 }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   c3                   | ret                 

        $sequence_5 = { 884303 884b04 8bc1 c1e808 }
            // n = 4, score = 500
            //   884303               | mov                 byte ptr [ebx + 3], al
            //   884b04               | mov                 byte ptr [ebx + 4], cl
            //   8bc1                 | mov                 eax, ecx
            //   c1e808               | shr                 eax, 8

        $sequence_6 = { 895df0 85f6 7904 8bf7 eb01 4f }
            // n = 6, score = 500
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   85f6                 | test                esi, esi
            //   7904                 | jns                 6
            //   8bf7                 | mov                 esi, edi
            //   eb01                 | jmp                 3
            //   4f                   | dec                 edi

        $sequence_7 = { e8???????? 85c0 7404 33c0 5d c3 33c0 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 59 ebe0 8bc6 5e c3 55 8bec }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   ebe0                 | jmp                 0xffffffe2
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_9 = { e8???????? 894608 85c0 750a 56 ff15???????? }
            // n = 6, score = 500
            //   e8????????           |                     
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   56                   | push                esi
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 219136
}
[TLP:WHITE] win_kpot_stealer_w0   (20190106 | Kpot)
rule win_kpot_stealer_w0 {
    meta:
        description = "Kpot"
        type = "Stealer"
        author = "Fumik0_"
        date = "30/08/2018"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $mz = { 4d 5a }

        // Variant 1
        $v1_s1 = "GET %s HTTP/1.1" wide ascii
        $v1_s2 = "Host: %s" wide ascii
        $v1_s3 = "%02d-%02d-%02d %d:%02d:%02d" wide ascii
        $v1_s4 = "%S/base64.php?_f=%S" wide ascii      
        $v1_s5 = "IP: %S" wide ascii
        $v1_s6 = "MachineGuid: %s" wide ascii
        $v1_s7 = "CPU: %S (%d cores)" wide ascii
        $v1_s8 = "RAM: %S MB" wide ascii
        $v1_s9 = "Screen: %dx%d" wide ascii
        $v1_s10 = "PC: %s" wide ascii
        $v1_s11 = "User: %s" wide ascii
        $v1_s12 = "LT: %S (UTC+%d:%d)" wide ascii
        $v1_s13 = "GPU:" wide ascii
        $v1_s14 = "regbot.php" wide ascii
        $v1_s15 = "ip.php" wide ascii

        // Variant 2
        $v2_s1 = "GET %s HTTP/1.1" wide ascii
        $v2_s2 = "%s/%s.php" wide ascii
        $v2_s3 = "%s/gate.php" wide ascii
        $v2_s4 = "RAM: %s MB" wide ascii
        $v2_s5 = "IP: %s" wide ascii
        $v2_s6 = "CPU: %s (%d cores)" wide ascii
        $v2_s7 = "RAM: %s MB" wide ascii
        $v2_s8 = "Screen: %dx%d" wide ascii
        $v2_s9 = "LT: %s (UTC+%d:%d)" wide ascii
        $v2_s10 = "GPU:" wide ascii
        $v2_s11 = "screen.png" wide ascii

    condition:
        ($mz at 0) and ( (all of ($v1_*)) or (all of ($v2_*)) )
}
Download all Yara Rules