MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kovter

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
SHA3-384 hash:	d98ddce634b99ccbbc74ac03b1952e5c6b4f776b7d54a9bf26eccdd1b78ffeb7aedcb2c70946449c8f225e56bb6bd19b
SHA1 hash:	88a3478577c3f8f86bb40c2bf3814452cba3a762
MD5 hash:	47873d92978c14ea0a0e6532a2a634f5
humanhash:	carbon-blue-colorado-mockingbird
File name:	21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
Download:	download sample
Signature	Kovter Create hunting rule
File size:	337'848 bytes
First seen:	2020-11-12 14:29:39 UTC
Last seen:	2024-07-24 12:06:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	517341ae1ccc6afec85c307c3a906f58 (2 x Kovter, 1 x Heodo)
ssdeep	6144:xsEW8HwaltBJ/f11s+J7xmGm0O36kQ2XBKnouECmg/4FhC/4a3KQiK:6EWSph9f11s+dxm936k1C9wFhP6gK
Threatray	5 similar samples on MalwareBazaar
TLSH	7674F2CBD38581F1F59F71FA1C9AA13FCB529AC756568A8393E4CF967AB31018C4A130
Reporter	seifreed
Tags:	Kovter

Intelligence

File Origin

# of uploads :

# of downloads :

1'692

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

Creating a process with a hidden window

Creating a file

Searching for the window

Sending a custom TCP request

Connection attempt

Possible injection to a system process

Changing settings of the browser security zones

Enabling autorun with the shell\open\command registry branches

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/533838

Signature

Antivirus / Scanner detection for submitted sample

Creates processes via WMI

Delayed program exit found

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f/

Threat name:

Win32.Dropper.Powerliks

Status:

Malicious

First seen:

2020-11-12 14:34:16 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=efrbvq4czrfybfitztdpqwpuyexqjhuky3m6p3oudtmvaj4piy7q._file

Verdict:

malicious

Kovter

384a8272bad1e926177a0791a932a4ad7f60a9cd8f05c0ae3c9ac31932ef2528

Kovter

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84

Kovter

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b

Kovter

f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e

Kovter

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201112-9wa7a3y1w6/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Process spawned unexpected child process

Unpacked files

SH256 hash:

21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f

MD5 hash:

47873d92978c14ea0a0e6532a2a634f5

SHA1 hash:

88a3478577c3f8f86bb40c2bf3814452cba3a762

Link:

https://www.unpac.me/results/05d7a275-9d20-49b1-bf6a-559f1c8c37e2/

SH256 hash:

f601afff4e309544f5d07be6ff49ddd00c98eeecdd79e358d54574e798c66350

MD5 hash:

fb767a6787015608a74d8c810f2e9a95

SHA1 hash:

3c6574a07b9911e11b1534a0058c24ac51a478ec

Link:

https://www.unpac.me/results/05d7a275-9d20-49b1-bf6a-559f1c8c37e2/

SH256 hash:

4d5846e07b1c8d189a7af6f6812dec18188ce335e35b571647faeec8ccbb606a

MD5 hash:

fb47db4ff8b8400ae9ead3a1ef58b175

SHA1 hash:

568c9f5326de8b33dcf343de2b45e9856bc5c534

Detections:

win_kovter_auto

Link:

https://www.unpac.me/results/05d7a275-9d20-49b1-bf6a-559f1c8c37e2/

Parent samples :

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Win32_Ransomware_Kovter Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Kovter ransomware.

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample