{
	"id": "97183285-16d4-4672-a3ab-4af2f262f62e",
	"created_at": "2026-04-06T00:11:32.156245Z",
	"updated_at": "2026-04-10T13:12:08.023462Z",
	"deleted_at": null,
	"sha1_hash": "1d2065fc2b7e739eafcd3a1df07acd0f7d74ae15",
	"title": "KPOT Deployed via AutoIt Script - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148634,
	"plain_text": "KPOT Deployed via AutoIt Script - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:21:35 UTC\r\nI have other samples like the malware I covered in yesterday's diary entry.\r\nAll have the same body and attachment; only the sender varies. The PowerShell scripts are the same and\r\ndownload from show1[.]website. As I wrote yesterday, three files are downloaded:\r\n1. A legitimate, signed AutoIt interpreter (this is not malware)\r\n2. A heavily obfuscated AutoIt script, encoded as a PEM certificate\r\n3. An encrypted EXE: the KPOT info stealer\r\nThe PowerShell script uses certutil to BASE64-decode the \"certificate\" into the AutoIt script, and then launches the\r\nAutoIt interpreter with the script as argument.\r\nThe AutoIt script contains process hollowing shellcode (known as frenchy shellcode) that decrypts the encrypted\r\nPE file as guest and uses 32-bit dllhost.exe as host (as process hollowing host, not as DLL host).\r\nThe PH shellcode contains the mutex name \"frenchy_shellcode_06\", but this name is randomized by the AutoIt script\r\nbefore it is injected and executed.\r\nAs the decrypted KPOT EXE is never written to disk, it was unknown to VirusTotal. I did submit it today.\r\nKPOT is an infostealer, as can be guessed from the strings found inside the executable:\r\nMore interesting strings are simply XOR-encoded (1-byte key).\r\nhttps://isc.sans.edu/diary/25934\r\nPage 1 of 3\n\nLike the C2:\r\nAnd the targets:\r\nUsually, I explain my analysis steps in detail so that you can reproduce them. I will do this too for this executable\r\nin one or more upcoming diary entries.\r\nDidier Stevens\r\nSenior handler\r\nMicrosoft MVP\r\nblog.DidierStevens.com DidierStevensLabs.com\r\nSource: https://isc.sans.edu/diary/25934",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/25934"
	],
	"report_names": [
		"25934"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d2065fc2b7e739eafcd3a1df07acd0f7d74ae15.pdf",
		"text": "https://archive.orkl.eu/1d2065fc2b7e739eafcd3a1df07acd0f7d74ae15.txt",
		"img": "https://archive.orkl.eu/1d2065fc2b7e739eafcd3a1df07acd0f7d74ae15.jpg"
	}
}