MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 055dca003a76ab4d3701f2351d9298949f8f2df0e4aba4a68bc76f90a2e1225b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kovter


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 055dca003a76ab4d3701f2351d9298949f8f2df0e4aba4a68bc76f90a2e1225b
SHA3-384 hash: d35424752606c7e6b954da4c30b39f9b40ab390fe69f817f5e65f36fd4bf4e565fb0ab493af0dc21f48f8a71fefa3298
SHA1 hash: 9eda95ab88e51e339f7bdce1512235be7cf57414
MD5 hash: 008769c620b804d401393fc5721bf34f
humanhash: east-king-magnesium-michigan
File name:fraps.exe
Download: download sample
Signature Kovter
Create hunting rule
File size:532'008 bytes
First seen:2021-05-30 23:01:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7a2d3cddeed50701b7d740db428842da (1 x Kovter)
ssdeep 12288:5LkhHMC4Ia442DicPS3W7XOjvAyZ/Q4BxW/LTrC:5Lkda4Dic6g+jICQP/LC
Threatray 80 similar samples on MalwareBazaar
TLSH 8EB4BE0562F3F4F1D1D27073983596B0D269FD648A25887BAB70BAD9FB793B0563030A
Reporter adm1n_usa32
Tags:exe Kovter

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fraps.exe
Verdict:
Malicious activity
Analysis date:
2021-05-30 22:54:12 UTC
Tags:
trojan kovter
Link:
https://app.any.run/tasks/05f0523f-8088-465f-a9f1-65fbefb5599d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Kovter
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163281/
Detection(s):
SecuriteInfo.com.Pakes.RIJ.3513.14409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Creating a process with a hidden window
Searching for the window
Possible injection to a system process
Changing settings of the browser security zones
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.phis
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794401
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Process Start Without DLL
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Powershell dedcode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426797 Sample: fraps.exe Startdate: 31/05/2021 Architecture: WINDOWS Score: 100 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Powershell dedcode and execute 2->36 38 4 other signatures 2->38 8 fraps.exe 3 2->8         started        11 mshta.exe 1 2->11         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 8->48 50 Maps a DLL or memory area into another process 8->50 52 Sample uses process hollowing technique 8->52 56 3 other signatures 8->56 13 regsvr32.exe 8->13         started        54 Suspicious powershell command line found 11->54 16 powershell.exe 18 11->16         started        process5 signatures6 58 Maps a DLL or memory area into another process 13->58 60 Delayed program exit found 13->60 62 Contains functionality to detect sleep reduction / modifications 13->62 18 regsvr32.exe 16 13->18         started        64 Found suspicious powershell code related to unpacking or dynamic code loading 16->64 22 conhost.exe 16->22         started        process7 dnsIp8 26 172.113.29.106, 80 TWC-20001-PACWESTUS United States 18->26 28 170.96.179.241, 80 PEACEHEALTHUS United States 18->28 30 6 other IPs or domains 18->30 40 System process connects to network (likely due to code injection or exploit) 18->40 42 Creates an undocumented autostart registry key 18->42 44 Creates autostart registry keys with suspicious values (likely registry only malware) 18->44 46 3 other signatures 18->46 24 regsvr32.exe 18->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/055dca003a76ab4d3701f2351d9298949f8f2df0e4aba4a68bc76f90a2e1225b/
Threat name:
Win32.Trojan.Kovter
Create hunting rule
Status:
Malicious
First seen:
2015-09-10 16:17:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06801bb55190871266ca5846aaf7932d1f41813536403f7367c10dbbe3218632
Kovter
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
Kovter
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
Kovter
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
Kovter
384a8272bad1e926177a0791a932a4ad7f60a9cd8f05c0ae3c9ac31932ef2528
Kovter
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
Kovter
64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
Kovter
7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
Kovter
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
Kovter
f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e
Kovter
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210530-ync14t17ya/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/055dca003a76ab4d3701f2351d9298949f8f2df0e4aba4a68bc76f90a2e1225b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_kovter_a0
Create hunting rule
Author:pnx
Rule name:win_kovter_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_kovter_g0
Create hunting rule
Author:mak

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/05f0523f-8088-465f-a9f1-65fbefb5599d
Cape
Cape
https://www.capesandbox.com/analysis/163281/

Comments