kpot | 81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7[.]zip

General

Target

81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7.zip
Size

722KB
MD5

7b074a0fe1e7eba2b3dc0285aa1572d3
SHA1

dcf572793d049405877a11d91043b7c335b16ca7
SHA256

e3350adc9dcf847b4a52744bb43abe4526528d4e9888031b5cad6598060e397b
SHA512

7771de486e1e7f0f306b136712ec860dbe81faa9ab3fc45386798bb8b11209224b7d5d4d505e0b3afe8d01285c4214a69c4c47ee74887d82539b43343fa18459
SSDEEP

12288:G2pMf6zI6ECjlEVtHIMti4H4HsIkjQPIsheFMzki1dtqmyhC21VNzttCDshJ:GvSE6Eh7o8ijsF0IsyMYkdgmm1TJtCoL

Score

10^/10

kpot

Malware Config

Signatures

KPOT Core Executable 1 IoCs

resource	yara_rule
static1/unpack001/81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7.exe	family_kpot

Kpot family
kpot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7.exe

Files

81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7.zip
.zip

Password: infected
81c734c21b5e15837d01c9766094bc4ffce0e3dc6b04c15e0bc1286d61897dc7.exe
.exe windows:4 windows x86 arch:x86

58471b8a9f8702d1a9e4838d7b7d501a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

SysFreeString
SysAllocStringLen
SysAllocStringByteLen
SysStringLen

user32

LoadStringW
WaitMessage

kernel32

GetProcAddress
VirtualAlloc
VirtualProtect
GetStartupInfoW
RtlMoveMemory
WideCharToMultiByte
SetFileApisToOEM
GetModuleHandleW
SetFileApisToANSI
GetUserDefaultLCID

msvbvm60

__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaAryMove
__vbaFreeVar
__vbaVarIdiv
__vbaFreeVarList
_adj_fdiv_m64
__vbaVarFix
_adj_fprem1
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaVarForInit
__vbaVarPow
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
ord706
__vbaBoolVarNull
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaVarOr
__vbaRedimPreserve
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaUI1I4
__vbaVarMul
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaVarDiv
__vbaFPException
__vbaUbound
__vbaStrVarVal
_CIlog
__vbaErrorOverflow
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaFreeStrList
_adj_fdivr_m32
__vbaR8Var
_adj_fdiv_r
ord100
__vbaI4Var
__vbaVarCmpEq
__vbaAryLock
__vbaVarAdd
_CIatan
__vbaStrMove
_allmul
_CItan
__vbaAryUnlock
__vbaVarForNext
_CIexp
__vbaFreeStr
__vbaFreeObj
ord581

Sections

.text
Size: 132KB - Virtual size: 130KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 316KB - Virtual size: 313KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

58471b8a9f8702d1a9e4838d7b7d501a

Headers

File Characteristics

Imports

oleaut32

user32

kernel32

msvbvm60

Sections

.text Size: 132KB - Virtual size: 130KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 316KB - Virtual size: 313KB

.text
Size: 132KB - Virtual size: 130KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 316KB - Virtual size: 313KB