Summary | ZeroBOX

1.dll

Tags: Kpot stealer, Malicious Library, PWS, PE File, DLL, PE32
Category:  FILE
Machine:   s1_win7_x6402
Started:   Aug. 2, 2021, 10:21 a.m.
Completed: Aug. 2, 2021, 10:26 a.m.
Size:      146.5KB
Type:      PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:       1ea7d46d94299fa8bad4043c13100df0
SHA256:    12f790d9a0775b5e62effc6ea9e55bbef345fffbfb2f671f85098c4f7661dd0f
CRC32:     600C3AB4
ssdeep:    3072:duNxJ3d1L5Evs7bV+odOqAfS0OZ7shc6U85lplnizXz4Ls9kmh3:duNxX1L5EvUModfX0OWhc6F4zqs9kA
Yara
  • Win32_PWS_Loki_Zero - Win32 PWS Loki
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • Kpot_stealer_IN - Kpot Stealer
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name            Response         Post-Analysis Lookup
donattelli.com  185.92.244.225

IP Address      Status   Action
164.124.101.2   Active   Moloch
185.92.244.225  Active   Moloch

Time & API: IsDebuggerPresent
Status Return Repeated: 0 0

Time & API: GlobalMemoryStatusEx
Status Return Repeated: 1 1 0

Time & API: NtProtectVirtualMemory (23 calls)
Arguments common to all 23 calls:
  process_identifier: 2052
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_handle: 0xffffffff
Status Return Repeated (each call): 1 0 0
base_address per call, in the order recorded:
  0x73f80000, 0x73e91000, 0x73e01000, 0x73d51000, 0x73e92000, 0x743a1000,
  0x748f1000, 0x760e1000, 0x74af1000, 0x73f11000, 0x73c71000, 0x76001000,
  0x73c21000, 0x74031000, 0x74021000, 0x73c01000, 0x73f01000, 0x73a61000,
  0x74c11000, 0x73a41000, 0x73a31000, 0x739f1000, 0x73931000
Antivirus              Result
Elastic                malicious (high confidence)
MicroWorld-eScan       Gen:Variant.Ursu.914724
FireEye                Gen:Variant.Ursu.914724
CAT-QuickHeal          Trojanpws.Kpot
McAfee                 RDN/Generic PWS.y
Cylance                Unsafe
K7AntiVirus            Spyware ( 0057fc6a1 )
Alibaba                TrojanPSW:Win32/Tiggre.bc58f42a
K7GW                   Spyware ( 0057fc6a1 )
CrowdStrike            win/malicious_confidence_100% (W)
BitDefenderTheta       Gen:NN.ZedlaF.34050.jm4@aayQqrk
Cyren                  W32/Trojan.RFSX-3880
Symantec               ML.Attribute.HighConfidence
ESET-NOD32             a variant of Win32/Spy.Agent.QCF
APEX                   Malicious
Paloalto               generic.ml
Kaspersky              Trojan-PSW.Win32.Kpot.acp
BitDefender            Gen:Variant.Ursu.914724
Avast                  Win32:Trojan-gen
Ad-Aware               Gen:Variant.Ursu.914724
Emsisoft               Gen:Variant.Ursu.914724 (B)
Comodo                 Malware@#17ov49eddpq4r
TrendMicro             TROJ_GEN.R002C0PGQ21
McAfee-GW-Edition      RDN/Generic PWS.y
Sophos                 Mal/Generic-S
Ikarus                 Trojan-Spy.Agent
Jiangmin               Trojan.PSW.Kpot.ex
Avira                  TR/Spy.Agent.rtyvq
Kingsoft               Win32.PSWTroj.Kpot.a.(kcloud)
Gridinsoft             Trojan.Win32.Agent.oa
Microsoft              Trojan:Win32/Tiggre!rfn
GData                  Gen:Variant.Ursu.914724
Cynet                  Malicious (score: 99)
AhnLab-V3              Infostealer/Win.KPot.C4565958
VBA32                  TrojanPSW.Kpot
ALYac                  Gen:Variant.Ursu.914724
MAX                    malware (ai score=82)
Malwarebytes           Spyware.Gozi
TrendMicro-HouseCall   TROJ_GEN.R002C0PGQ21
Rising                 Trojan.Generic@ML.95 (RDMK:Y9FH508plRniVLZcWQpIMQ)
Yandex                 TrojanSpy.Agent!W/ua8HUFS3s
MaxSecure              Trojan.Malware.119882019.susgen
Fortinet               W32/Agent.QCF!tr.spy
AVG                    Win32:Trojan-gen
Panda                  Trj/GdSda.A
Qihoo-360              Win32/Trojan.Generic.HygBueAA