{
	"id": "ad0b81bf-3b16-46ab-acec-443f33b7afd2",
	"created_at": "2026-04-06T00:15:53.270669Z",
	"updated_at": "2026-04-10T03:36:48.410653Z",
	"deleted_at": null,
	"sha1_hash": "7eec762c92720c62e7e6d05000dbec140d7e2cbb",
	"title": "Deep analysis of KPOT Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79812,
	"plain_text": "Deep analysis of KPOT Stealer\r\nBy S2W\r\nPublished: 2021-07-07 · Archived: 2026-04-05 18:14:08 UTC\r\nDetailed Analysis\r\nMalware Information\r\nFilename : klfile.exe\r\nMD5 : 9dc97eaed4e61901afc327ce9f122262\r\nSHA-1 : 41881d3463f4246d4d0146faf39703354bab83e9\r\nSHA-256 : 4412624d06991fa64f684fcc6d66c787d040eaa12356885cf0a0919c732c82a3\r\nFile type : PE32 executable (GUI) Intel 80386, for MS Windows\r\nPDB path : N/A\r\nOriginal name : hita.exe\r\nCertificate : N/A\r\nC\u0026C : kpotuvorot10[.]bit, dolboeb1701[.]com\r\nBehavior\r\n1) Packed with DerpLoader\r\nThis binary is packed with DerpLoader, which is also used for packing Raccoon stealer, Vidar stealer and REvil\r\nransomware. It’s almost impossible to cover every polymorphic variant of this loader with a static method like\r\nYara, since each packed binary has a unique stub built with dummy API calls and exported functions. This packer\r\nhas 3 stages — decryption, decompression, and execution with process hollowing.\r\n2) Using Murmurhash3 for string comparison \u0026 importing procedures\r\nThis stealer calculates the 32-bit Murmurhash3 of a given string with a specific seed and compares it against the hash\r\nvalue of the target string, which is hardcoded in the binary, to check the value of the given string. For this sample,\r\n-794794744 (D0A06508 in unsigned hexadecimal) is used as the seed value, but it can be changed for other builds.\r\nThis string comparison technique prevents exposure of some keywords like process names or folder names, which\r\nmakes analysis harder. Murmurhash3 is also used for importing procedures from libraries by calculating the hash\r\nof the procedure name and getting the address of the procedure only if it matches the target hash value. We can write a\r\nsimple script to brute-force these hashes with pre-built word lists.\r\n3) XOR-encoded string\r\nIf plaintext is required to accomplish the job, then the stealer uses XOR-encoded strings. Each string is encoded\r\nwith a 1-byte XOR key, and these keys are stored along with the string length and a pointer to the encoded string.\r\nhttps://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd\r\nPage 1 of 5\n\nThe following IDAPython script decodes the string stored at the given index in the table.\r\n4) Resolve domain name of C2 with Blockchain DNS\r\nThe .bit and .lib TLDs are managed by the decentralized blockchains Namecoin and Emercoin, respectively. This stealer\r\ncan resolve these blockchain-based domain names by using blockchain DNS services like Blockchain-DNS,\r\ndotBit.me, or OpenNIC DNS servers. During the initialization step of the stealer, it tries to resolve\r\nkpotuvorot10[.]bit, and if it fails to resolve the .bit or .lib C2 domain then it falls back to the other address\r\nhttp://dolboeb1701[.]com. Unfortunately, those C2 servers are not available at this time. Querying\r\ndolboeb1701[.]com on RiskIQ shows that the domain was last seen on 04-01-2021.\r\nThe stealer tests the availability of the C2 by sending an HTTP GET request to {resolved_addr}/bgczXibj92HSlSCK. If\r\nit succeeds, then the whole URL is stored in memory and used for other C2 communications.\r\n5) Using volume serial number for mutex name \u0026 victim ID generation\r\nThe stealer calculates a simple hash of the volume serial number of the C:\\ drive for the mutex name and victim ID.\r\nThe following code is the hash algorithm ported to Python.\r\n6) Download configuration from C2\r\nThe stealer sends an HTTP GET request to {resolved_addr}/bgczXibj92HSlSCK/util.php?id={vsn_hash}. The\r\nresponse should be the configuration of the stealer, which is encrypted with XTEA and encoded as a base64 string.\r\nThe stealer decodes the downloaded base64 string and decrypts it with the key TezTfpjNMdcP6FNE, which is stored\r\nin XOR-encoded format.\r\nThe decrypted configuration is slightly changed from the older version of KPOT 2.0. Now there’s a slot for a shell\r\ncommand between the feature flags and the victim’s external IP address.\r\n7) Collect system information\r\nAfter downloading the configuration, the stealer collects some system information.\r\nPrivilege status of the current process (elevated or not)\r\nIntegrity level of the current process\r\nWindows version\r\nVictim ID (generated with volume serial number)\r\nThen, the stealer performs a ‘CIS check’ by querying the user’s default language ID. If the language ID belongs to\r\nthe CIS, the stealer won’t steal information from this computer.\r\nIf the victim’s computer passes the CIS check, then it collects more system information.\r\nWindows product name (with bitness)\r\nMachineGuid\r\nIP (the external one retrieved from the C2 server)\r\nCPU (Model, number of cores)\r\nRAM\r\nScreen size\r\nComputer name \u0026 Username\r\nLocal time\r\nGPUs\r\nKeyboard layout\r\nInstalled software\r\nAll collected information is written to a stream, which minimizes the footprint.\r\n8) Steal application data\r\nThe stealer steals data from some apps by default, and additional features can be enabled by configuration.\r\nApplications and feature flags annotated with bold characters can be applied to other users on the victim PC if the\r\nstealer process has the required privileges. Some stealer functions require registry access to HKCU or HKU.\r\nStealing data from these applications is enabled by default.\r\nNordVPN\r\nmRemoteNG\r\nRDP connection profiles\r\nEarthVPN (Registry access required)\r\nOutlook\r\nWindows Mail\r\nThe first 16-bit field of the stealer configuration controls the optional features of the stealer. Bits 0~13 enable or\r\ndisable info-stealing functions.\r\nflag[0]: Steal data from Chromium-based browsers\r\nflag[1]: Steal data from Firefox-based browsers and Mozilla products\r\nflag[2]: Steal wininet cookies\r\nflag[3]: Steal cryptocurrency wallets (Registry access required for Namecoin and Monero)\r\nflag[4]: Steal Skype database\r\nflag[5]: Steal Telegram database (Registry access required)\r\nflag[6]: Steal Discord database\r\nflag[7]: Steal Battle.net configuration files (including auto-login information)\r\nflag[8]: Steal data from IE (including FTP accounts and Windows Vault)\r\nflag[9]: Steal Steam accounts (loginusers.vdf and SSFN files)\r\nflag[10]: Take a screenshot\r\nflag[11]: Steal accounts from Total Commander, SmartFTP, Filezilla, WS_FTP, and WinSCP (Registry access\r\nrequired for WinSCP)\r\nflag[12]: Steal Windows user credentials and Pstore (for older versions of Windows)\r\nflag[13]: Steal XMPP (Jabber) accounts from Psi, Psi+, Pidgin, and libpurple-based clients\r\nIf the stealer process has a high integrity level, SeDebugPrivilege is enabled to duplicate SeCreateTokenPrivilege\r\nfrom other processes.\r\nAfter acquiring SeCreateTokenPrivilege, the stealer process creates a new process token with SeBackupPrivilege\r\nenabled, which allows accessing other users’ folders and files by ignoring ACLs.\r\n9) Exfiltrate \u0026 drop files\r\nThe stealer can be configured to exfiltrate files from the victim's PC. The configuration can contain multiple file\r\ngrabber settings delimited by the keyword __DELIMM__, and each element of a grabber setting, like filter or path, is\r\ndelimited by the keyword __GRABBER__. The path can be set to %FULLDISK% to exfiltrate files from all drives of the\r\nsystem, or %NETWORK% to exfiltrate files from all resources on the network. If the stealer process has\r\nSeCreateTokenPrivilege, it can exfiltrate files owned by other users by creating a new process token with\r\nSeBackupPrivilege enabled.\r\nThe stealer can drop files after exfiltration based on configured URLs. If the downloaded file is a DLL, then it is\r\nmanually loaded by a custom PE mapper and the entry point of the DLL is called with\r\nDLL_PROCESS_ATTACH. If it’s not a DLL, then it is executed by ShellExecuteW with the open command.\r\n10) Send collected information to C2\r\nThe stream of stolen data is encrypted with ChaCha20 using a hard-coded key and nonce. If the victim PC\r\nbelongs to one of the CIS countries, then the data is limited to the privilege \u0026 integrity level of the current process,\r\nthe Windows version, and the victim ID generated from the VSN. Otherwise, the data also contains stolen information\r\nlike accounts, cookies, browsing history, crypto wallets, and exfiltrated files.\r\nKey: TezTfpjNMdcP6FNE (Same as the XTEA key used for config decryption)\r\nNonce: OX8Qe3j7BczD\r\nThe stealer uploads the encrypted data to the C2 by sending an HTTP POST request to\r\n{resolved_addr}/bgczXibj92HSlSCK/util.php, with Content-Type set to application/octet-stream and\r\nContent-Encoding set to binary.\r\n11) Execute shell command\r\nThe shell command parsed from the configuration is executed after the information is uploaded to the C2 server. The only\r\ncondition determining the execution of the command is the existence of the command, which means that the\r\ncommand will be executed even on CIS machines.\r\n12) Cleanup\r\nThe stealer destroys the input stream by filling the stream with zeros, which makes it hard to detect by\r\nscanning memory. It also closes the handle of the mutex, frees allocated memory, and calls WSACleanup to\r\nterminate Winsock2. Finally, the stealer checks bit 14 of the feature flags and executes the shell command for self-destruction if it is enabled.\r\nAttribution\r\nIn November 2020, the source code of KPOT was sold to the REvil ransomware gang. It’s not clear whether these updates\r\nto KPOT were made by the original authors or by REvil operators.\r\nConclusion\r\nStealers are becoming more evasive thanks to packers and new technologies like blockchain-based domain names.\r\nNot only applying security patches and updates but also awareness of social engineering techniques can help to\r\nminimize the risk of becoming a victim of this malware.\r\nAppendix 1. Actionable Items\r\nC2 domains\r\nkpotuvorot10[.]bit\r\ndolboeb1701[.]com\r\nHashes of unpacked binary\r\nMD5: 989b32b7094ccb9493e6c2ca58696c1a\r\nSHA1: f4d8ab987da7e199b62cac0ffd3d2ccab1634a61\r\nSHA256: b8ceee160c1b674d336fed3027425cbd6228475c1a738d7a41cf176fc42fd1f2\r\nSource: https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd"
	],
	"report_names": [
		"deep-analysis-of-kpot-stealer-fb1d2be9c5dd"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eec762c92720c62e7e6d05000dbec140d7e2cbb.pdf",
		"text": "https://archive.orkl.eu/7eec762c92720c62e7e6d05000dbec140d7e2cbb.txt",
		"img": "https://archive.orkl.eu/7eec762c92720c62e7e6d05000dbec140d7e2cbb.jpg"
	}
}