win.kpot_stealer (Back to overview)

KPOT Stealer

aka: Khalesi, Kpot
URLhaus    

KPOT is an information-stealing Trojan distributed through phishing emails and malicious websites. Once executed on a computer, it can steal passwords, credit card numbers, and other personal information from the infected machine.

References
2021-07-07Medium s2wlabSeunghoe Kim
@online{kim:20210707:deep:3903b28, author = {Seunghoe Kim}, title = {{Deep analysis of KPOT Stealer}}, date = {2021-07-07}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd}, language = {English}, urldate = {2021-07-09} } Deep analysis of KPOT Stealer
KPOT Stealer
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2020-12-15Github (Dump-GUY)Jiří Vinopal
@online{vinopal:20201215:reverse:d61ae14, author = {Jiří Vinopal}, title = {{Reverse engineering KPOT v2.0 Stealer}}, date = {2020-12-15}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md}, language = {English}, urldate = {2020-12-15} } Reverse engineering KPOT v2.0 Stealer
KPOT Stealer
2020-11-04ZDNetCatalin Cimpanu
@online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } REvil ransomware gang 'acquires' KPOT malware
KPOT Stealer REvil
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-04-26Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200426:use:04235ea, author = {Lars Wallenborn}, title = {{use Ghidra to Decrypt Strings of KPOTstealer Malware}}, date = {2020-04-26}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/}, language = {English}, urldate = {2020-05-05} } use Ghidra to Decrypt Strings of KPOTstealer Malware
KPOT Stealer
2020-04-12InfoSec Handlers Diary BlogVinnie
@online{vinnie:20200412:dynamic:191820f, author = {Vinnie}, title = {{Dynamic analysis technique to get decrypted KPOT Malware}}, date = {2020-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26010}, language = {English}, urldate = {2020-04-26} } Dynamic analysis technique to get decrypted KPOT Malware
KPOT Stealer
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-23SANS ISCDidier Stevens
@online{stevens:20200323:kpot:9f080e7, author = {Didier Stevens}, title = {{KPOT Deployed via AutoIt Script}}, date = {2020-03-23}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/25934}, language = {English}, urldate = {2020-03-26} } KPOT Deployed via AutoIt Script
KPOT Stealer
2019-05-09ProofpointDennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190509:new:19098c9, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials}}, date = {2019-05-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal}, language = {English}, urldate = {2019-12-20} } New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
KPOT Stealer
2019-04-11Dr.WebDr. Web
@online{web:20190411:official:b0ce6e2, author = {Dr. Web}, title = {{The official website of a popular video editing software was infected with a banking trojan}}, date = {2019-04-11}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=13242&lng=en}, language = {English}, urldate = {2020-01-10} } The official website of a popular video editing software was infected with a banking trojan
KPOT Stealer
2018-10-25enSiloChen Erlich, Yakov Goldberg
@online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } Game of Trojans: Dissecting the #Khalesi Infostealer Malware
KPOT Stealer
2018-09-12FlashpointPaul Burbage, Mike Mimoso
@online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down
KPOT Stealer
Yara Rules
[TLP:WHITE] win_kpot_stealer_auto (20230715 | Detects win.kpot_stealer.)
// Auto-generated, code-based signature for the KPOT stealer family (win.kpot_stealer).
// It fires when at least 7 of the 10 instruction sequences below are found and the
// scanned file is smaller than 219136 bytes (214 KiB).
// The patterns are x86 instruction bytes (32-bit registers in the disassembly notes)
// selected from memory dumps and unpacked files, per the DISCLAIMER below. A packed
// sample on disk will presumably not match until it has been unpacked or dumped;
// confirm against your own corpus before relying on it for on-disk triage.
rule win_kpot_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // "date" and "malpedia_rule_date" differ by a few days; both are recorded as given.
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kpot_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured with (value is generator-specific).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the annotations below:
    //   - "n" is the number of instructions in the sequence; "score" is a value
    //     emitted by the generator (its scale is not documented in this rule).
    //   - "??" bytes are wildcards over call targets and addresses that change
    //     between builds, so only the opcode bytes are pinned.
    //   - Short jump operands (e.g. "ja 5") are shown relative to the start of
    //     the jump instruction, not as absolute addresses.

    strings:
        // Combines individually loaded bytes into wider values with shift-by-8 and OR.
        $sequence_0 = { 0bc1 0fb64f04 c1e208 0bca 0fb65707 c1e208 0bd6 }
            // n = 7, score = 500
            //   0bc1                 | or                  eax, ecx
            //   0fb64f04             | movzx               ecx, byte ptr [edi + 4]
            //   c1e208               | shl                 edx, 8
            //   0bca                 | or                  ecx, edx
            //   0fb65707             | movzx               edx, byte ptr [edi + 7]
            //   c1e208               | shl                 edx, 8
            //   0bd6                 | or                  edx, esi

        // Range clamp: values not above 0xf become 0xf; values above 0x1e000 become -1.
        $sequence_1 = { 83f80f 7703 6a0f 58 3d00e00100 7605 83c8ff }
            // n = 7, score = 500
            //   83f80f               | cmp                 eax, 0xf
            //   7703                 | ja                  5
            //   6a0f                 | push                0xf
            //   58                   | pop                 eax
            //   3d00e00100           | cmp                 eax, 0x1e000
            //   7605                 | jbe                 7
            //   83c8ff               | or                  eax, 0xffffffff

        // Two indirect calls around a result check; the call addresses are wildcarded.
        $sequence_2 = { ff15???????? 85c0 7406 395df8 0f95c3 ff75fc ff15???????? }
            // n = 7, score = 500
            //   ff15????????         | call                dword ptr [<wildcarded address>]
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   0f95c3               | setne               bl
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         | call                dword ptr [<wildcarded address>]

        // Argument setup, a relative call, then two consecutive dwords read from [esi].
        $sequence_3 = { 8b4508 6a00 56 e8???????? 8b5604 8b0e 8bc2 }
            // n = 7, score = 500
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           | call                <wildcarded relative target>
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8bc2                 | mov                 eax, edx

        // Short and generic (store, load constant 0x10, call); weak on its own,
        // which is why the condition requires several sequences together.
        $sequence_4 = { 89560c 6a10 5a 8bce e8???????? }
            // n = 5, score = 500
            //   89560c               | mov                 dword ptr [esi + 0xc], edx
            //   6a10                 | push                0x10
            //   5a                   | pop                 edx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           | call                <wildcarded relative target>

        // Initialises stack locals with the constants 0x3039 (12345 decimal) and 0x100.
        $sequence_5 = { 8365f400 c745f039300000 c745fc00010000 57 }
            // n = 4, score = 500
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0
            //   c745f039300000       | mov                 dword ptr [ebp - 0x10], 0x3039
            //   c745fc00010000       | mov                 dword ptr [ebp - 4], 0x100
            //   57                   | push                edi

        // Bit-field extraction with the masks 0x100000, 0x60000 and 0x1e000.
        $sequence_6 = { 8bf2 81e600001000 0bce c1e914 81e300000600 8bf2 81e600e00100 }
            // n = 7, score = 500
            //   8bf2                 | mov                 esi, edx
            //   81e600001000         | and                 esi, 0x100000
            //   0bce                 | or                  ecx, esi
            //   c1e914               | shr                 ecx, 0x14
            //   81e300000600         | and                 ebx, 0x60000
            //   8bf2                 | mov                 esi, edx
            //   81e600e00100         | and                 esi, 0x1e000

        // Return-value handling: one branch zeroes eax and jumps away, then esi is
        // compared with -1.
        $sequence_7 = { 8bf0 7504 33c0 eb31 83feff 750a 8b4d08 }
            // n = 7, score = 500
            //   8bf0                 | mov                 esi, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb31                 | jmp                 0x33
            //   83feff               | cmp                 esi, -1
            //   750a                 | jne                 0xc
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        // Nibble mask (0x0f0f0f0f) with XOR and shift-by-4.
        // NOTE(review): looks like a bit-permutation step; similar code may exist in
        // unrelated binaries, so treat a hit on this sequence alone as weak.
        $sequence_8 = { 250f0f0f0f 33d0 c1e004 33c8 8bc2 }
            // n = 5, score = 500
            //   250f0f0f0f           | and                 eax, 0xf0f0f0f
            //   33d0                 | xor                 edx, eax
            //   c1e004               | shl                 eax, 4
            //   33c8                 | xor                 ecx, eax
            //   8bc2                 | mov                 eax, edx

        // Byte-wise assembly of a wider value (shift by 8 and 16) interleaved with
        // argument pushes.
        $sequence_9 = { c1e108 ff7514 0bc1 0fb64f02 ff7510 c1e110 }
            // n = 6, score = 500
            //   c1e108               | shl                 ecx, 8
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   0bc1                 | or                  eax, ecx
            //   0fb64f02             | movzx               ecx, byte ptr [edi + 2]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   c1e110               | shl                 ecx, 0x10

    condition:
        // Any 7 of the 10 sequences, in a file under 219136 bytes.
        // NOTE(review): YARA's filesize is only meaningful when scanning files. In a
        // live process scan this clause is not expected to match, so apply the rule
        // to dumped memory regions or unpacked files instead.
        7 of them and filesize < 219136
}
[TLP:WHITE] win_kpot_stealer_w0   (20190106 | Kpot)
// Hand-written string signature for two KPOT variants.
// It fires on a file that starts with the "MZ" header and contains every string of
// either the variant 1 set or the variant 2 set.
// All strings must be present in plaintext (ASCII or UTF-16).
// NOTE(review): references on this page discuss decrypting KPOT strings, so samples
// with encrypted strings will presumably only match once unpacked or decrypted.
rule win_kpot_stealer_w0 {
    meta:
        description = "Kpot"
        type = "Stealer"
        author = "Fumik0_"
        // Day/month/year order (30 cannot be a month).
        date = "30/08/2018"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
        malpedia_version = "20190106"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // DOS/PE magic, anchored to offset 0 by the condition.
        // NOTE(review): a two-byte string is an expensive atom for the scanner;
        // `uint16(0) == 0x5A4D` is the usual equivalent check.
        $mz = { 4d 5a }

        // Variant 1
        // HTTP request templates, a timestamp format, host-profile report fields
        // (IP, MachineGuid, CPU, RAM, screen, PC name, user, local time, GPU) and
        // server-side script names. Several fields use the %S format specifier.
        $v1_s1 = "GET %s HTTP/1.1" wide ascii
        $v1_s2 = "Host: %s" wide ascii
        $v1_s3 = "%02d-%02d-%02d %d:%02d:%02d" wide ascii
        $v1_s4 = "%S/base64.php?_f=%S" wide ascii      
        $v1_s5 = "IP: %S" wide ascii
        $v1_s6 = "MachineGuid: %s" wide ascii
        $v1_s7 = "CPU: %S (%d cores)" wide ascii
        $v1_s8 = "RAM: %S MB" wide ascii
        $v1_s9 = "Screen: %dx%d" wide ascii
        $v1_s10 = "PC: %s" wide ascii
        $v1_s11 = "User: %s" wide ascii
        $v1_s12 = "LT: %S (UTC+%d:%d)" wide ascii
        $v1_s13 = "GPU:" wide ascii
        $v1_s14 = "regbot.php" wide ascii
        $v1_s15 = "ip.php" wide ascii

        // Variant 2
        // The same kind of report fields with %s instead of %S, plus "gate.php" and
        // "screen.png".
        // NOTE(review): $v2_s4 and $v2_s7 are the same string, and $v2_s1 repeats
        // $v1_s1. This is harmless for matching; the variant 2 set has 10 distinct
        // strings.
        // Generic entries such as "GET %s HTTP/1.1", "GPU:" or "%s/%s.php" are
        // common in benign software; the rule's specificity comes from requiring
        // the complete set.
        $v2_s1 = "GET %s HTTP/1.1" wide ascii
        $v2_s2 = "%s/%s.php" wide ascii
        $v2_s3 = "%s/gate.php" wide ascii
        $v2_s4 = "RAM: %s MB" wide ascii
        $v2_s5 = "IP: %s" wide ascii
        $v2_s6 = "CPU: %s (%d cores)" wide ascii
        $v2_s7 = "RAM: %s MB" wide ascii
        $v2_s8 = "Screen: %dx%d" wide ascii
        $v2_s9 = "LT: %s (UTC+%d:%d)" wide ascii
        $v2_s10 = "GPU:" wide ascii
        $v2_s11 = "screen.png" wide ascii

    condition:
        // File begins with "MZ" and carries the full string set of one variant.
        // Because of the offset-0 anchor, a memory region that does not begin with
        // the image header will not match.
        ($mz at 0) and ( (all of ($v1_*)) or (all of ($v2_*)) )
}