win.kpot_stealer

KPOT Stealer

aka: Khalesi, Kpot

There is no description at this point.

References
2020-04-26Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200426:use:04235ea, author = {Lars Wallenborn}, title = {{use Ghidra to Decrypt Strings of KPOTstealer Malware}}, date = {2020-04-26}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/}, language = {English}, urldate = {2020-05-05} } use Ghidra to Decrypt Strings of KPOTstealer Malware
KPOT Stealer
2020-04-12InfoSec Handlers Diary BlogVinnie
@online{vinnie:20200412:dynamic:191820f, author = {Vinnie}, title = {{Dynamic analysis technique to get decrypted KPOT Malware}}, date = {2020-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26010}, language = {English}, urldate = {2020-04-26} } Dynamic analysis technique to get decrypted KPOT Malware
KPOT Stealer
2020-03-23SANS ISCDidier Stevens
@online{stevens:20200323:kpot:9f080e7, author = {Didier Stevens}, title = {{KPOT Deployed via AutoIt Script}}, date = {2020-03-23}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/25934}, language = {English}, urldate = {2020-03-26} } KPOT Deployed via AutoIt Script
KPOT Stealer
2019-05-09ProofpointDennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190509:new:19098c9, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials}}, date = {2019-05-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal}, language = {English}, urldate = {2019-12-20} } New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
KPOT Stealer
2019-04-11Dr.WebDr. Web
@online{web:20190411:official:b0ce6e2, author = {Dr. Web}, title = {{The official website of a popular video editing software was infected with a banking trojan}}, date = {2019-04-11}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=13242&lng=en}, language = {English}, urldate = {2020-01-10} } The official website of a popular video editing software was infected with a banking trojan
KPOT Stealer
2018-10-25enSiloChen Erlich, Yakov Goldberg
@online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } Game of Trojans: Dissecting the #Khalesi Infostealer Malware
KPOT Stealer
2018-09-12FlashpointPaul Burbage, Mike Mimoso
@online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down
KPOT Stealer
Yara Rules
[TLP:WHITE] win_kpot_stealer_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_kpot_stealer_auto {
    // Autogenerated code-pattern rule for KPOT Stealer (Malpedia family win.kpot_stealer).
    // Each $sequence_N below is a short run of x86 instruction bytes lifted by yara-signator
    // from the disassembly of the documented sample(s); see the DISCLAIMER on coverage.
    // The condition requires most sequences to co-occur, so one shared code fragment alone
    // is not enough for a hit.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Layout of each entry: the hex byte pattern, then (as comments) the number of
        // instructions n, the yara-signator score, and the per-instruction disassembly.
        // '??' wildcards mark bytes that were deliberately left unfixed; here they cover
        // the 4-byte operands of the ff15 / e8 call encodings, presumably because those
        // operands are addresses that differ between builds or load locations (not confirmed
        // from this page). Jump targets are shown as relative displacements.
        $sequence_0 = { 53 56 57 33ff 897dfc eb01 42 }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   eb01                 | jmp                 3
            //   42                   | inc                 edx

        $sequence_1 = { f6c101 7402 dc08 83c008 d1f9 75f2 }
            // n = 6, score = 400
            //   f6c101               | test                cl, 1
            //   7402                 | je                  4
            //   dc08                 | fmul                qword ptr [eax]
            //   83c008               | add                 eax, 8
            //   d1f9                 | sar                 ecx, 1
            //   75f2                 | jne                 0xfffffff4

        $sequence_2 = { 4f 85ff 7fe1 db4508 8a03 }
            // n = 5, score = 400
            //   4f                   | dec                 edi
            //   85ff                 | test                edi, edi
            //   7fe1                 | jg                  0xffffffe3
            //   db4508               | fild                dword ptr [ebp + 8]
            //   8a03                 | mov                 al, byte ptr [ebx]

        $sequence_3 = { eb0e c1e11b d1ea 0bd1 8bcf c1e11b d1ef }
            // n = 7, score = 400
            //   eb0e                 | jmp                 0x10
            //   c1e11b               | shl                 ecx, 0x1b
            //   d1ea                 | shr                 edx, 1
            //   0bd1                 | or                  edx, ecx
            //   8bcf                 | mov                 ecx, edi
            //   c1e11b               | shl                 ecx, 0x1b
            //   d1ef                 | shr                 edi, 1

        $sequence_4 = { 8bf8 c1e702 57 ff15???????? 8bd8 }
            // n = 5, score = 400
            //   8bf8                 | mov                 edi, eax
            //   c1e702               | shl                 edi, 2
            //   57                   | push                edi
            //   ff15????????         |                     (indirect call; operand wildcarded)
            //   8bd8                 | mov                 ebx, eax

        $sequence_5 = { 250f0000f0 0bf8 0fb6c1 c1ef04 }
            // n = 4, score = 400
            //   250f0000f0           | and                 eax, 0xf000000f
            //   0bf8                 | or                  edi, eax
            //   0fb6c1               | movzx               eax, cl
            //   c1ef04               | shr                 edi, 4

        $sequence_6 = { 8bf2 81e600001000 0bce c1e914 81e300000600 8bf2 81e600e00100 }
            // n = 7, score = 400
            //   8bf2                 | mov                 esi, edx
            //   81e600001000         | and                 esi, 0x100000
            //   0bce                 | or                  ecx, esi
            //   c1e914               | shr                 ecx, 0x14
            //   81e300000600         | and                 ebx, 0x60000
            //   8bf2                 | mov                 esi, edx
            //   81e600e00100         | and                 esi, 0x1e000

        $sequence_7 = { e8???????? 59 59 837e0800 75d9 ff36 }
            // n = 6, score = 400
            //   e8????????           |                     (relative call; operand wildcarded)
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   75d9                 | jne                 0xffffffdb
            //   ff36                 | push                dword ptr [esi]

        $sequence_8 = { 250f0f0f0f 33d0 c1e004 33c8 8bc2 }
            // n = 5, score = 400
            //   250f0f0f0f           | and                 eax, 0xf0f0f0f
            //   33d0                 | xor                 edx, eax
            //   c1e004               | shl                 eax, 4
            //   33c8                 | xor                 ecx, eax
            //   8bc2                 | mov                 eax, edx

        $sequence_9 = { 758b c60000 2bc3 8d7801 57 ff15???????? 8bf0 }
            // n = 7, score = 400
            //   758b                 | jne                 0xffffff8d
            //   c60000               | mov                 byte ptr [eax], 0
            //   2bc3                 | sub                 eax, ebx
            //   8d7801               | lea                 edi, [eax + 1]
            //   57                   | push                edi
            //   ff15????????         |                     (indirect call; operand wildcarded)
            //   8bf0                 | mov                 esi, eax

    condition:
        // Hit when at least 7 of the 10 sequences are present (tolerates a few sequences
        // changing between builds) and the scanned object is smaller than 219136 bytes;
        // larger files are never matched regardless of content, so apply this to unpacked
        // samples and memory dumps of comparable size rather than to packed carriers.
        7 of them and filesize < 219136
}
[TLP:WHITE] win_kpot_stealer_w0   (20190106 | Kpot)
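rule win_kpot_stealer_w0 {
    // String-based rule for KPOT Stealer (Malpedia family win.kpot_stealer).
    // Two string sets are defined, one per observed variant; a file matches when it
    // carries the MZ header at offset 0 and the complete set of either variant.
    meta:
        description = "Kpot"
        type = "Stealer"
        author = "Fumik0_"
        date = "30/08/2018"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // DOS/PE header magic; anchored at offset 0 in the condition so only
        // executables (or dumps that still start with the header) are considered.
        $mz = { 4d 5a }

        // Variant 1: HTTP request fragments, host-profile report lines and what look
        // like server-side script names. 'wide ascii' matches both UTF-16LE and
        // single-byte copies of each string. Note the upper-case %S conversions here
        // versus the lower-case %s used by variant 2.
        $v1_s1 = "GET %s HTTP/1.1" wide ascii
        $v1_s2 = "Host: %s" wide ascii
        $v1_s3 = "%02d-%02d-%02d %d:%02d:%02d" wide ascii
        $v1_s4 = "%S/base64.php?_f=%S" wide ascii
        $v1_s5 = "IP: %S" wide ascii
        $v1_s6 = "MachineGuid: %s" wide ascii
        $v1_s7 = "CPU: %S (%d cores)" wide ascii
        $v1_s8 = "RAM: %S MB" wide ascii
        $v1_s9 = "Screen: %dx%d" wide ascii
        $v1_s10 = "PC: %s" wide ascii
        $v1_s11 = "User: %s" wide ascii
        $v1_s12 = "LT: %S (UTC+%d:%d)" wide ascii
        $v1_s13 = "GPU:" wide ascii
        $v1_s14 = "regbot.php" wide ascii
        $v1_s15 = "ip.php" wide ascii

        // Variant 2: same report layout with lower-case %s throughout, "gate.php"
        // in place of regbot.php/ip.php, and a "screen.png" filename.
        // $v2_s7 ("RAM: %s MB") was a byte-for-byte duplicate of $v2_s4 and has been
        // dropped; the gap in the numbering is intentional so that existing notes
        // referring to $v2_s8..$v2_s11 stay valid. Matching is unchanged because
        // 'all of ($v2_*)' already required the single copy.
        $v2_s1 = "GET %s HTTP/1.1" wide ascii
        $v2_s2 = "%s/%s.php" wide ascii
        $v2_s3 = "%s/gate.php" wide ascii
        $v2_s4 = "RAM: %s MB" wide ascii
        $v2_s5 = "IP: %s" wide ascii
        $v2_s6 = "CPU: %s (%d cores)" wide ascii
        $v2_s8 = "Screen: %dx%d" wide ascii
        $v2_s9 = "LT: %s (UTC+%d:%d)" wide ascii
        $v2_s10 = "GPU:" wide ascii
        $v2_s11 = "screen.png" wide ascii

    condition:
        // MZ magic at offset 0 plus every string of at least one variant. Requiring the
        // complete set keeps short, generic fragments such as "GPU:" or "IP: %s" from
        // producing a hit on their own.
        ($mz at 0) and ( (all of ($v1_*)) or (all of ($v2_*)) )
}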