{
	"id": "d7e62ae5-1859-42c8-9555-104e9a3e16a8",
	"created_at": "2026-04-06T00:08:13.256822Z",
	"updated_at": "2026-04-10T03:21:31.772871Z",
	"deleted_at": null,
	"sha1_hash": "e9c4b7f9cea18c0247ec77806a78e2163f5668d6",
	"title": "Reader Analysis:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253164,
	"plain_text": "Reader Analysis:\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 13:50:22 UTC\r\nReader Vinnie shared his analysis of KPOT malware with us:\r\nIn a previous write-up, I documented a PowerShell downloader (shown below) pushing KPOT malware. Since then, all of the files have been submitted to VirusTotal, allowing for further analysis. This has also been recently documented by ISC Handler Didier Stevens (ISC Links below).\r\nPowerShell Downloader:\r\nISC Links:\r\n- https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/\r\n- https://isc.sans.edu/forums/diary/KPOT+Deployed+via+AutoIt+Script/25934/\r\nURLs from PowerShell Downloader:\r\nhxxp://show1[.]website/OerAS.dat (Obfuscated AutoIt script, Base64 encoded as a certificate)\r\nhxxp://show1[.]website/HeyaL.dat (AutoIt Interpreter) – Legitimate\r\nhxxp://show1[.]website/iPYOy.dat (Encrypted KPOT Malware)\r\nExcerpt from Base64-decoded AutoIt script (‘i8ek7’) showing obfuscation:\r\nDecode function at the bottom of AutoIt script:\r\nhttps://isc.sans.edu/diary/26010\r\nPage 1 of 4\r\nThe string is split on ‘*’ and then each encoded character is subtracted from the number after the comma ($integer) before being converted from Unicode.\r\nDecoded sample:\r\nAll files necessary in the same folder ‘Temp’ – Windows 7 Virtual Machine:\r\nUtilizing PowerShell to initiate infection chain:\r\nProcess chain showing ‘dllhost.exe’ process hollowing:\r\nCreateProcess: powershell.exe:2428 \u003e \"%UserProfile%\\Downloads\\Temp\\r17mi.com i8ek7 \"\r\n- [Child PID: 2452]\r\nCreateProcess: r17mi.com:2452 \u003e \"%UserProfile%\\Downloads\\Temp\\r17mi.com i8ek7 \"\r\n- [Child PID: 2064]\r\nCreateProcess: r17mi.com:2064 \u003e \"%WinDir%\\SysWOW64\\dllhost.exe\"\r\n- [Child PID: 2244]\r\nCreateProcess: dllhost.exe:2244 \u003e \"%WinDir%\\system32\\cmd.exe /c ping 127.0.0.1 \u0026\u0026 del %WinDir%\\SysWOW64\\dllhost.exe\"\r\n- [Child PID: 536]\r\nCreateProcess: cmd.exe:536 \u003e \"ping  127.0.0.1 \"\r\n“dllhost.exe” process dump via Task Manager:\r\nString analysis via “strings” shows command and control (C2) servers:\r\nExtract executables via “foremost”:\r\nThe decrypted KPOT malware has the SHA256 hash “3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146” and a VT score of 34/71.\r\nhttps://www.virustotal.com/gui/file/3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146/detection\r\nSampled VirusTotal signatures:\r\nString analysis of KPOT malware via “FLOSS”:\r\nStrings indicative of information stealers:\r\nDidier Stevens\r\nSenior handler\r\nMicrosoft MVP\r\nblog.DidierStevens.com DidierStevensLabs.com\r\nSource: https://isc.sans.edu/diary/26010",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/26010"
	],
	"report_names": [
		"26010"
	],
	"threat_actors": [],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9c4b7f9cea18c0247ec77806a78e2163f5668d6.pdf",
		"text": "https://archive.orkl.eu/e9c4b7f9cea18c0247ec77806a78e2163f5668d6.txt",
		"img": "https://archive.orkl.eu/e9c4b7f9cea18c0247ec77806a78e2163f5668d6.jpg"
	}
}