KPOT Malware

URLs from PowerShell Downloader:
hxxp://show1[.]website/OerAS.dat (Obfuscated AutoIt script, Base64 encoded as a certificate)
hxxp://show1[.]website/HeyaL.dat (AutoIt Interpreter) – Legitimate
hxxp://show1[.]website/iPYOy.dat (Encrypted KPOT Malware)

Excerpt from Base64 decoded AutoIt script(‘i8ek7’) showing obfuscation:

 
Decode function at the bottom of AutoIt script:

 
The string is split from ‘*’ and then each encoded character is subtracted from the number after the comma($integer) before being converted from Unicode.

Decoded sample:

 
All files necessary in the same folder ‘Temp’ – Windows 7 Virtual Machine:
 

Utilizing PowerShell to initiate infection chain:

Process chain showing ‘dllhost.exe’ process hollowing:
 CreateProcess: powershell.exe:2428 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "    
- [Child PID: 2452]
CreateProcess: r17mi.com:2452 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "    
- [Child PID: 2064]
CreateProcess: r17mi.com:2064 > "%WinDir%\SysWOW64\dllhost.exe"    
- [Child PID: 2244]
CreateProcess: dllhost.exe:2244 > "%WinDir%\system32\cmd.exe /c ping 127.0.0.1 && del %WinDir%\SysWOW64\dllhost.exe"    
- [Child PID: 536]
CreateProcess: cmd.exe:536 > "ping  127.0.0.1 "

“dllhost.exe” process dump via Task Manager:

String analysis via “strings” show command and control (C2) servers:

Extract executables via “foremost”:

The decrypted KPOT malware has the SHA256 Hash “3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146” and VT score of 34/71.
https://www.virustotal.com/gui/file/3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146/detection

Sampled VirusTotal signatures:

String analysis of KPOT malware via “FLOSS”:

Strings indicative of information stealers: