kpot | 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c

General

Target

4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
Size

1.0MB
MD5

595e3b35d8b2e0ccb94f965fe77b3e9b
SHA1

b30700d72c12199bb5cba584c077ec37d690e10e
SHA256

4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c
SHA512

20c24d12fc5dec908df49b52ad4915dff475e05d874575652323d55de014710ea6420b48c6be0edb17606603eda02f763ac2eee7f9fda69b8e74b21b7986a786

Score

10^/10

kpot masslogger vidar 227 discovery spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.9

Botnet

227

C2

http://benediktonpoins.ug/

Attributes

profile_id
227

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 3 IoCs

resource	yara_rule
behavioral1/memory/1496-65-0x0000000000400000-0x0000000000484000-memory.dmp	family_kpot
behavioral1/memory/1012-69-0x0000000000080000-0x0000000000097000-memory.dmp	family_kpot
behavioral1/memory/1012-72-0x0000000000080000-0x0000000000097000-memory.dmp	family_kpot

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar log file 1 IoCs

Detects a log file produced by Vidar.

yara_rule
vidar_log_file

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1704-62-0x0000000000400000-0x00000000004D1000-memory.dmp	family_vidar

Executes dropped EXE 2 IoCs

pid	Process
1496	FAC4.tmp
1704	FB61.tmp

Loads dropped DLL 2 IoCs

pid	Process
1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1012	1496	FAC4.tmp	33

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FB61.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FB61.tmp

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1704	FB61.tmp
1704	FB61.tmp
1704	FB61.tmp
1704	FB61.tmp
1704	FB61.tmp
1704	FB61.tmp
1496	FAC4.tmp
1012	mstsc.exe
1012	mstsc.exe
1012	mstsc.exe
1012	mstsc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: 33	1496	FAC4.tmp
Token: SeIncBasePriorityPrivilege	1496	FAC4.tmp
Token: SeDebugPrivilege	1012	mstsc.exe
Token: SeCreateTokenPrivilege	1012	mstsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1496	FAC4.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1496	FAC4.tmp

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1496	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	28
PID 1212 wrote to memory of 1496	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	28
PID 1212 wrote to memory of 1496	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	28
PID 1212 wrote to memory of 1496	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	28
PID 1212 wrote to memory of 1704	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	29
PID 1212 wrote to memory of 1704	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	29
PID 1212 wrote to memory of 1704	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	29
PID 1212 wrote to memory of 1704	1212	4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe	29
PID 1496 wrote to memory of 1012	1496	FAC4.tmp	33
PID 1496 wrote to memory of 1012	1496	FAC4.tmp	33
PID 1496 wrote to memory of 1012	1496	FAC4.tmp	33
PID 1496 wrote to memory of 1012	1496	FAC4.tmp	33
PID 1496 wrote to memory of 1012	1496	FAC4.tmp	33

C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
"C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\FAC4.tmp
  "C:\Users\Admin\AppData\Local\Temp\FAC4.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\FB61.tmp
  "C:\Users\Admin\AppData\Local\Temp\FB61.tmp"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

4

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FAC4.tmp

Filesize
510KB

MD5
d67a0135081b15524de94a9c58ab029d

SHA1
48d4f9573acd255426e9812417d6f773ed726095

SHA256
5e4bdc3df4d21cc7a8a10639b252cb9717953de8880dd03c6d00e91b4594450f

SHA512
694a4dd33532ff0f8bf89a92d87916d518e6b284d09832a7d28fcedfadaf9c10529c167e675318761a0cc0d4f710a2f9537b9eabdca4dae85a0629fbc5f44c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB61.tmp

Filesize
742KB

MD5
c673e62fc1d5d0e646f3ba51f1d8c1d6

SHA1
ccd251089f8fdb7819ddb48305eab19280c8042f

SHA256
fbc9f53e0c980140c0ea7f1228aa01104a280fea5c1dd454ce4530d6c9443618

SHA512
65d57dcb0db426b28ced3b5c7507bb5f3c4c5cf79bd773fbd3ad889b7de79c9eda3307132367ce0b586e871cc5f7f59d0a8e8c32fdebc0ba31e29900e2d7bfba

Download Submit
\Users\Admin\AppData\Local\Temp\FAC4.tmp

Filesize
510KB

MD5
d67a0135081b15524de94a9c58ab029d

SHA1
48d4f9573acd255426e9812417d6f773ed726095

SHA256
5e4bdc3df4d21cc7a8a10639b252cb9717953de8880dd03c6d00e91b4594450f

SHA512
694a4dd33532ff0f8bf89a92d87916d518e6b284d09832a7d28fcedfadaf9c10529c167e675318761a0cc0d4f710a2f9537b9eabdca4dae85a0629fbc5f44c8a

Download Submit
\Users\Admin\AppData\Local\Temp\FB61.tmp

Filesize
742KB

MD5
c673e62fc1d5d0e646f3ba51f1d8c1d6

SHA1
ccd251089f8fdb7819ddb48305eab19280c8042f

SHA256
fbc9f53e0c980140c0ea7f1228aa01104a280fea5c1dd454ce4530d6c9443618

SHA512
65d57dcb0db426b28ced3b5c7507bb5f3c4c5cf79bd773fbd3ad889b7de79c9eda3307132367ce0b586e871cc5f7f59d0a8e8c32fdebc0ba31e29900e2d7bfba

Download Submit
memory/1012-72-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1012-69-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1012-67-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1496-57-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1496-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1496-71-0x000000000ED80000-0x000000000ED88000-memory.dmp

Filesize
32KB

Download
memory/1704-64-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1704-62-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing