Game of Trojans: Dissecting the #Khalesi Infostealer Malware


At the end of August 2018, the security community discovered an infostealer malware in the wild named Khalesi. This malware was identified as part of the Kpot malware campaign. Some of the recent Khalesi variants in this campaign were compiled with a Visual Basic 6 (VB6) compiler, while others were compiled with a regular Portable Executable (PE) compiler. The Khalesi infostealer variants appearing in this blog post were compiled around the same time, and for the most part their functionality is similar. When executed, the malware communicates with a Command and Control (C2) domain and collects a wide variety of data from multiple sources on the affected system. It steals Windows and browser credentials, credit card information, virtual coins, data from messaging apps (such as Skype and Telegram) and so on. The two variants covered in this report also use anti-analysis techniques, and both attempt to communicate with the same C2 domain. Online resources suggest that this C2 domain was created around the time both Khalesi variants were compiled. However, the C2 was short-lived and is no longer online.

This blog post provides a technical analysis of two Khalesi infostealer variants, including dynamic and static analysis: a brief analysis of the variant compiled with a VB6 compiler and a more detailed analysis of the variant compiled with a regular PE compiler. In addition, we explain how the enSilo Endpoint Security Platform with post-infection protection blocks the malicious operation in real time. Finally, this blog post provides static and network Indicators of Compromise (IOCs).

Technical Analysis

The following are the static characteristics of the Khalesi variant compiled with a VB6 compiler:

  • File Name: finalvr.exe
  • File SHA1: C37B9B9FEA73C95DE363E8746FF305F4B23F0C28
  • File Size: 786432 bytes
  • Compile Time: 2018-08-29 15:11:00

Upon execution, this variant runs through the VB6 runtime DLL MSVBVM60.DLL and starts its "unpacking" process. It then tests whether it is running under a debugger by calling the Windows API KiUserExceptionDispatcher() from ntdll:

Figure 1: KiUserExceptionDispatcher

The Windows API RtlRaiseException() is called from inside KiUserExceptionDispatcher() and contains the following instructions:

Figure 2: RtlRaiseException

When this function is called, it raises an exception that is consumed by the attached debugger rather than by the debuggee itself. As a result, the debugger fails to execute the variant any further and the OS generates an error that causes the executable to terminate. Outside of a debugger, or if the exception is bypassed, the variant executes normally and drops another copy of itself under the ProgramData folder. The following are the static characteristics of the dropped variant:

  • File Path: C:\ProgramData
  • File Name: Kip1.exe
  • File SHA1: 70DF9DF1FFE20E7EAC54E424C2E76242696904D2
  • File Size: 786432 bytes
  • Compile Time: 2018-08-29 15:11:00

Thereafter, to maintain persistence, it registers itself as a scheduled task as shown in Figure 3.

Figure 3: Scheduled Task

This scheduled task is set to run every minute and is named Ebrin. The task is registered with the schtasks.exe command.

Figure 4: schtasks.exe command

After this process is completed, it changes the Internet settings on the system by modifying the following registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

It spawns Internet Explorer and communicates with the C2 domain seeyouonlineservice[.]com as shown in Figure 5.

Figure 5: C2 Communication
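The scheduled task and its one-minute trigger are the easiest part of this persistence to hunt for across a fleet. The following is an added example, not code from the original post or from enSilo: it parses the CSV that `schtasks /query /fo CSV /v` produces and flags tasks that repeat at short intervals or whose action runs from a world-writable data directory, the two traits of the Ebrin task. The CSV sample is constructed, the one-minute threshold and the directory list are assumptions of the example, and only the column names "TaskName", "Task To Run" and "Repeat: Every" from the verbose header are relied on.

```python
"""Scheduled-task triage for the Khalesi persistence pattern.

Added example, not code from the original post or from enSilo. It parses
the CSV produced by `schtasks /query /fo CSV /v` and flags tasks that
repeat at short intervals or run a binary from a world-writable data
directory, the two traits of the "Ebrin" task described in the post.
"""
import csv
import io
from typing import List, Optional, Tuple

# Constructed sample of schtasks verbose CSV output (not a real capture):
# one ordinary Windows task and one task shaped like Khalesi's.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","Weekly","N/A"
"WS01","\Ebrin","C:\ProgramData\Kip1.exe","One Time Only","0:01:00"
'''

# Directories any user can write to; a task action living here is worth a look.
# The list is an assumption of this example, not taken from the post.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")


def repeat_seconds(value: str) -> Optional[int]:
    """Convert schtasks' 'Repeat: Every' field (H:MM:SS) to seconds.

    Returns None for non-repeating tasks, which schtasks prints as 'N/A'.
    """
    parts = value.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 3600 + minutes * 60 + seconds


def triage_tasks(csv_text: str, max_interval: int = 60) -> List[Tuple[str, str, List[str]]]:
    """Return (task name, action, reasons) for every task that looks like the Khalesi one."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        interval = repeat_seconds(row.get("Repeat: Every", ""))
        if interval is not None and interval <= max_interval:
            reasons.append(f"repeats every {interval}s")
        action = row.get("Task To Run", "").strip().lower()
        if action.startswith(SUSPICIOUS_DIRS):
            reasons.append("action under a world-writable data directory")
        if reasons:
            findings.append((row["TaskName"], row["Task To Run"], reasons))
    return findings


if __name__ == "__main__":
    for name, action, reasons in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name}: {action} -> {', '.join(reasons)}")
```

Run against a real export, only the Ebrin-style row is returned; the Defrag task has no repetition interval and runs from the system directory. A task that repeats every minute is rare outside monitoring agents, so the interval alone is a strong signal even when the binary has moved.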

Further in this campaign, enSilo came across the following variant of Khalesi:

  • File Name: soft.exe
  • File SHA1: FCF2918829132CD43890129B8255F1D1533E07AB
  • File Size: 87040 bytes
  • Compile Time: 2018-08-28 01:06:58

Upon execution, this variant calls CoInitialize (described later in this post), initializes multiple strings and constructs the C2 URL shown in Figure 6.

Figure 6: List of initialized strings

The list of initialized strings in Figure 6 gives a clear view of the malware's objectives and communication techniques. The strings indicate that this variant also communicates with the same C2 domain, seeyouonlineservice[.]com, that we observed earlier.

During execution, Khalesi uses FCICreate to create cabinet files, as shown in Figure 7.

Figure 7: FCICreate

According to Microsoft, the FCI (File Compression Interface) is a library that provides the ability to create cabinets (also known as "CAB files"), which reduces the size of the file data. The table below lists the functions of that library that are also used during execution (descriptions are Microsoft's):

  • FCIAddFile: Adds a file to the cabinet currently being constructed.
  • FCICreate: Creates an FCI context.
  • FCIDestroy: Deletes an open FCI context, freeing any memory and temporary files associated with the context.
  • FCIFlushCabinet: Completes the current cabinet.
  • FCIFlushFolder: Forces the current folder under construction to be completed immediately.

Table 1: Functions of the FCI Library

After it executes, Khalesi creates multiple .tmp files in the %TEMP% directory as shown below:

Figure 8: Temp Files

These .tmp files contain all the information the malware has gathered from the victim. The files named CAB[0-9A-Z]{4}.tmp are gathered (together with screenshots) into a cabinet file that is created with the system attribute, which hides it by default. The cabinet file and the screenshots are named [0-9]{10}.

After that, Khalesi records the Security Identifier of the running process and the Operating System (OS) version; both are sent to the C2 later. If the Security Identifier is greater than SECURITY_MANDATORY_UNTRUSTED_RID, it follows up on the CoInitialize call made earlier and creates a COM instance using the CoCreateInstance function:

Figure 9: CoCreateInstance Function

When the rclsid value is checked, it matches the Internet Explorer CLSID, as shown in Figure 10.

Figure 10: Internet Explorer rclsid

Khalesi uses this procedure to launch two Internet Explorer processes, shown below:

Figure 11: Launching Internet Explorer

Using COM for communication has a few advantages:

  1. It hides the malicious traffic to the remote host inside an iexplore.exe process instead of the malware's own process.
  2. It complicates reverse engineering, because static inspection of the malware shows no immediate evidence of network communication.

The result is stealthier communication.


After Internet Explorer is launched, Khalesi verifies the connection to the constructed URL (seeyouonlineservice[.]com). If that fails, Khalesi uses one of the following hardcoded IP addresses as the new C2:

  • 174[.]138[.]48[.]29
  • 46[.]101[.]70[.]183
  • 91[.]217[.]137[.]44
  • 80[.]233[.]248[.]109

All of these IP addresses belong to web hosting services in Eastern Europe. Besides this communication process, Khalesi also modifies the following registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

This is done in an effort to lower security settings.


Anti-VM, Anti-Disassembly & Anti-Sandboxing Techniques

After initialization, execution continues to the main module. At the beginning of the execution there is a call to a suspicious-looking address, seen in Figure 12.

Figure 12: Main Module

When this function is opened, IDA cannot display the address range as a graph, as shown in Figure 13.

Figure 13: Warning Message

The malware author uses a well-known anti-disassembly technique: the function jumps to a location one byte past an instruction boundary, so the bytes the CPU actually executes decode to completely different instructions than the ones a linear disassembler shows. Once that step is completed, Khalesi iterates over the currently loaded executable modules, looking for those related to debugging and analysis tools such as API Monitor, the CAPE sandbox, etc.


Thereafter, Khalesi checks for the following drivers in the system directory:


  • VBoxGuest.sys
  • VBoxMouse.sys
  • VBoxVideo.sys

If it discovers one of these drivers the execution will crash.


Before returning to the main module, the variant performs the following steps:

  1. Loop over the loaded-modules linked list once again to acquire the ntdll.dll memory base address
  2. Save the ExitProcess API function address
  3. Use VirtualProtect to change the ntdll.dll permissions to Read, Write, Execute
  4. Write a call to ExitProcess followed by a return instruction into the DbgBreakPoint() ntdll function
  5. Change the ntdll.dll permissions back to Read, Write

When a debugger attaches to a running process of this Khalesi variant, the Windows API function DbgBreakPoint() in ntdll is called. It raises a breakpoint exception that the debugger intercepts in order to gain control, which requires the function to remain intact. Because of the alteration shown in Figures 14 and 15, attaching a debugger instead reaches ExitProcess, which forces the malware process to exit.

Figure 14: ExitProcess Function

Figure 15: DbgBreakPoint


Stealing objectives

This particular Khalesi variant tries to steal the following categories of information during execution of the main module:

  • Messaging & Voice Call
  • Virtual Coins
  • File Transfer Protocol Clients
  • Chromium based browsers
  • Harvest User Credentials
  • Credit Cards
  • Mozilla based browsers
  • General Machine Information
  • Internet Explorer

Table 2: Information Stolen by Khalesi

Once the information has been gathered, it is written, as described above, to the %TEMP% directory, as shown in the following figure:

Figure 16: sysinfo.txt

Once the information gathering process is completed, and execution passes certain conditions (described later in this post), the data is sent via a POST request to the C2 URL [http]://seeyouonlineservice[.]com/regbot.php, as shown in the following figure:

Figure 17: POST request

The file is then deleted, right after changing the system file attributes to normal.


C2 Communication

The malware communicates with the C&C server by sending the following GET and POST requests:

  • Get configuration from the C&C server
  • Get external IP
  • Bot registration and delivery of stolen data (the POST to regbot.php shown in Figure 17)

Table 3: C&C Server Commands
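Because the C2 traffic leaves the host from an iexplore.exe process, the cleanest place to catch it is the web proxy or DNS log rather than the process tree. The following is an added example, not code from the original post or from enSilo: it refangs the indicators exactly as the post lists them (the domain, the four fallback IP addresses and the regbot.php path) and matches them against proxy log lines. The log format and every log line below are constructed for the demonstration; matching by hostname also covers subdomains and IP literals with ports, which goes beyond the bare strings in the IOC list.

```python
"""Proxy-log matching for the Khalesi network indicators.

Added example, not code from the original post or from enSilo. The
indicators are the ones the post lists; the log format and every log line
below are constructed for the demonstration.
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the post defangs them.
DEFANGED_DOMAINS = ["seeyouonlineservice[.]com"]
DEFANGED_IPS = [
    "174[.]138[.]48[.]29",
    "46[.]101[.]70[.]183",
    "91[.]217[.]137[.]44",
    "80[.]233[.]248[.]109",
]
REGBOT_PATH = "/regbot.php"  # POST target for registration and stolen data (Figure 17)


def refang(indicator: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed sample log (not a real capture): "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2018-09-03T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2018-09-03T10:01:09Z 10.0.0.15 GET http://seeyouonlineservice.com/ 200
2018-09-03T10:01:11Z 10.0.0.15 POST http://seeyouonlineservice.com/regbot.php 200
2018-09-03T10:02:30Z 10.0.0.21 GET http://174.138.48.29/ 503
2018-09-03T10:02:31Z 10.0.0.21 GET http://[::1]/ 200
"""


def classify_request(method: str, url: str) -> List[str]:
    """Return the reasons a request matches the Khalesi C2 indicators (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops the port and IPv6 brackets
    reasons = []
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            reasons.append("hardcoded fallback C2 IP")
    except ValueError:  # not an IP literal: compare as a domain, subdomains included
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            reasons.append("C2 domain")
    if reasons and method.upper() == "POST" and parts.path == REGBOT_PATH:
        reasons.append("bot registration / stolen data upload")
    return reasons


def scan_proxy_log(text: str) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line number, client, url, reasons) for each matching log line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue
        _timestamp, client, method, url, _status = fields[:5]
        reasons = classify_request(method, url)
        if reasons:
            hits.append((lineno, client, url, reasons))
    return hits


if __name__ == "__main__":
    for lineno, client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} -> {url}: {', '.join(reasons)}")
```

A hit on the domain alone says a host resolved and reached the C2; the regbot.php POST is the line that tells you stolen data actually left, so it deserves the higher severity.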

East-European Connection

Before sending the stolen information, this Khalesi variant uses the GetUserDefaultLangID() and GetKeyboardLayoutList() Windows API functions to check for an East-European keyboard layout and default language. The following figure shows this process:

Figure 18: Using the GetKeyboardLayoutList Function

If any East-European keyboard layout and default language is detected, this Khalesi variant won’t send the stolen data to the C2 domain. 


About the C2 Domain

Unfortunately, the C2 domain seeyouonlineservice[.]com was short lived. It was created and registered in August, 2018 as shown in Figure 19, around the same time the Khalesi variants were compiled. However, the domain went offline during the production of this blog.

Figure 19: Domain Registration

Additional Variants in the Wild


The following hashes belong to similar Khalesi infostealer variants found in the wild:

File Name: soft.exe
  • File SHA1: 6ace6f3631ef8773f0af2233595ee5f8d662134c
  • File Size: 221696 bytes
  • Compile Time: 2018-08-29 22:58:44

File Name: soft.exe
  • File SHA1: 7dc34dc7936b257830477353f681bdcb6ba3313d
  • File Size: 87040 bytes
  • Compile Time: 2018-08-27 22:06:58

File Name: soft.exe
  • File SHA1: b349e41aa4303e2ec503c66da5e56791b123d11f
  • File Size: 86528 bytes
  • Compile Time: 2018-08-29 22:58:44

These variants are similar to the variant compiled with a regular PE compiler. They have the same number of Windows API functions, the same sections and entropy, and were compiled at around the same time. In addition, these variants also appear to communicate with the seeyouonlineservice[.]com C2 domain.


Indicators of Compromise

File Name: soft.exe
  • File SHA1: FCF2918829132CD43890129B8255F1D1533E07AB
  • File Size: 87040 bytes
  • Compile Time: 2018-08-28 01:06:58

File Name: finalvr.exe
  • File SHA1: C37B9B9FEA73C95DE363E8746FF305F4B23F0C28
  • File Size: 786432 bytes
  • Compile Time: 2018-08-29 15:11:00

File Name: Kip1.exe
  • File SHA1: 70DF9DF1FFE20E7EAC54E424C2E76242696904D2
  • File Size: 786432 bytes
  • Compile Time: 2018-08-29 15:11:00

File Name: go.exe
  • File SHA1: C450634B90CCEAC6F7393D38FEA10453A6010DFE
  • File Size: 471120 bytes
  • Compile Time: 2007-10-06 14:45:00

File Name: crsoft.exe
  • File SHA1: 9DCADA7455205B44B5FE69F765CAECCA4F14403C
  • File Size: 146432 bytes
  • Compile Time: 2018-08-29 15:24:39

Regex for the full paths of the cabinet files:
  • %APPDATA%\CAB[0-9A-Z]{4}.tmp
  • %APPDATA%\[0-9]{10}
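The two patterns above, and the description of the staged cabinet earlier in the post, translate into a small host-side check. The following is an added example, not code from the original post or from enSilo: it anchors the two file-name patterns (escaping the `.` in `.tmp` and requiring the whole name to match), matches them case-insensitively because NTFS name lookups are case-insensitive (a generalisation of the IOC as written), and tells the staged cabinet apart from the same-named screenshots by the MSCF signature every Microsoft cabinet file starts with. The directory listing, paths and file headers are constructed.

```python
"""Matching the on-disk artefacts Khalesi leaves while staging stolen data.

Added example, not code from the original post or from enSilo. It anchors
the two file-name patterns from the IOC list and confirms a 10-digit file
is a cabinet by its MSCF signature. Matching is case-insensitive because
NTFS name lookups are; that is a generalisation of the IOC as written.
"""
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Anchored forms of the IOC patterns: the '.' in .tmp is escaped and the
# whole file name must match, so 'CABs_2019.tmp' or a 12-digit name will not.
CAB_TMP_RE = re.compile(r"^CAB[0-9A-Z]{4}\.tmp$", re.IGNORECASE)
TEN_DIGIT_RE = re.compile(r"^[0-9]{10}$")
CAB_MAGIC = b"MSCF"  # first four bytes of every Microsoft cabinet file


def classify_name(path: str) -> Optional[str]:
    """Name the IOC pattern a Windows path matches, or None."""
    name = ntpath.basename(path)  # ntpath so backslash paths split correctly on any host
    if CAB_TMP_RE.match(name):
        return "fci-temp"
    if TEN_DIGIT_RE.match(name):
        return "ten-digit"
    return None


def is_cabinet(head: bytes) -> bool:
    """True when the file content starts with the cabinet signature."""
    return head[:4] == CAB_MAGIC


def scan_listing(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Given (path, first bytes) pairs, return the matching files with a verdict.

    Ten-digit names are split into the staged cabinet (MSCF header) and the
    screenshots, which the post says share that naming scheme.
    """
    findings = []
    for path, head in entries:
        kind = classify_name(path)
        if kind is None:
            continue
        if kind == "ten-digit":
            kind = "staged cabinet" if is_cabinet(head) else "screenshot or other 10-digit file"
        findings.append((path, kind))
    return findings


# Constructed sample listing (path, first 16 bytes); nothing here is from a real host.
SAMPLE_LISTING = [
    (r"C:\Users\victim\AppData\Local\Temp\CAB1A2B.tmp", b"\x00" * 16),
    (r"C:\Users\victim\AppData\Local\Temp\1535551860", b"MSCF" + b"\x00" * 12),
    (r"C:\Users\victim\AppData\Local\Temp\1535551861", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    (r"C:\Users\victim\AppData\Local\Temp\cab9999.tmp", b"\x00" * 16),
    (r"C:\Users\victim\AppData\Local\Temp\CABXYZ.tmp", b"\x00" * 16),  # only three chars: no match
    (r"C:\Windows\System32\notepad.exe", b"MZ" + b"\x00" * 14),
]

if __name__ == "__main__":
    for path, verdict in scan_listing(SAMPLE_LISTING):
        print(f"{verdict}: {path}")
```

On a live host the `(path, first bytes)` pairs come from walking %TEMP% and %APPDATA% (the post names both) and reading the first 16 bytes of each candidate; because the cabinet carries the system attribute, the walk must not skip hidden or system files.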

Network IOCs
  • seeyouonlineservice[.]com
  • botsphere[.]biz

The website botsphere[.]biz was still compromised and serving the malware during the time of analysis.

IP Addresses
  • 174[.]138[.]48[.]29
  • 46[.]101[.]70[.]183
  • 91[.]217[.]137[.]44
  • 80[.]233[.]248[.]109
  • 101[.]99[.]70[.]55
  • 77[.]222[.]40[.]43

All of these IP addresses belong to web hosting services located in Eastern Europe.
