MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d720af33d2bfd971d3b8e281c5f1b463389f9923eff1efa81351fd0e1a413e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


KPOTStealer


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d720af33d2bfd971d3b8e281c5f1b463389f9923eff1efa81351fd0e1a413e94
SHA3-384 hash: 829c0c3557c5b5467d38fc48c97696cfbd1098a134ed16c057770c40f96b53daa0176da9c6dbb3eeff60f84beb1381d4
SHA1 hash: 1527840208b7b5be20bb2f4950715888ddfcaf0e
MD5 hash: 69faed1cc72cef8fae38ebf4b275b42c
humanhash: pennsylvania-venus-fillet-equal
File name:COVID-19 Relief Payment Approval RefC19V202991.pdf.exe
Download: download sample
Signature KPOTStealer
Create hunting rule
File size:357'888 bytes
First seen:2020-05-13 15:48:15 UTC
Last seen:2020-05-13 17:07:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b47567c69827e13eace24f99991ee43 (1 x KPOTStealer)
ssdeep 6144:PZxt7KNA7ywSG9p82qiLMoB7YRGuVP7NSVhL1Ws:hx5JT9pqiTBfuRRSf
Threatray 104 similar samples on MalwareBazaar
TLSH 0874BE20F6D1C072C5B6057084D2C6BF5ABEB8E557215AC32B9417AFFE303D28A35A4E
Reporter abuse_ch
Tags:COVID-19 exe geo KPOTStealer ZAF


Avatar
abuse_ch
Malspam distributing KPOTStealer:

HELO: host.sarmcol.com
Sending IP: 199.217.117.157
From: covid19fund@smmesa.gov.za
Subject: COVID-19 Relief Payment Approval (Ref: C19V202991)
Attachment: COVID-19 Relief Payment Approval Ref C19V202991.pdf.gz (contains "COVID-19 Relief Payment Approval Ref C19V202991.pdf.exe")

KPOTStealer C2:
http://golaantsystem.xyz/EAVwqwP1NXrvn9uF/util.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 16:36:25 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=24qk6m6sx7mxdu5y4ka4l4numm4j7gjd57y67katkh6q4gsbh2ka._file
Verdict:
malicious
Similar samples:
0b7b7e73fba7b8967e403df8b6ccc237c0185093e05ce7c3044457accb6ad335
KPOTStealer
471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
KPOTStealer
4b3bed149062abeddef6fe68cbb439f5ae3d3044a4870a125f83dfd37c34ca6c
KPOTStealer
70ccb52e4c78d8b68d562fb7088d143577ad35a4b0bd01581a383c41580f1b2d
KPOTStealer
8598147a91005830b94021bf5bf401e1b10d55ff940244394e8fb3bb8f494539
KPOTStealer
a5d9ffc80b57f0144f4fc99b8ee1061247372134f80b25f8bcbfabfa058e5e53
KPOTStealer
b3ded80c7b59052aef7e34aa7e3807c2afef634b11bd884377bed9682a4b9f9d
KPOTStealer
ccbe3d3c56f67ca2eae06209050bfb086fdbc579d8511585533e841e4d9b5dfe
KPOTStealer
dc68a0a13aa0a1bf5394dd04e59ef2916f0b31a964730a17b0ff4afeac5888dc
KPOTStealer
ecb89e9f66cd7f37efefec4cb211770200ccb17c810ad741cb3ec141e41c361c
KPOTStealer
+ 94 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-94rfbjwgbj/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

KPOTStealer

gz e52b17c6650c369b3180c825865bf244ff1f4fda8aeeaaa12f36d43ffe210816

KPOTStealer

Executable exe d720af33d2bfd971d3b8e281c5f1b463389f9923eff1efa81351fd0e1a413e94

(this sample)

  
Dropped by
MD5 aaa4881d3bb2408774f17a3c8e9e845e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e52b17c6650c369b3180c825865bf244ff1f4fda8aeeaaa12f36d43ffe210816

Comments