MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kovter

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
SHA3-384 hash:	54545677a6edead4113b5dc280465709d25fdbf52375e1a86b0cac3a2b819ce21c19e7262d39c487096f7866ce1e7370
SHA1 hash:	616bf155c48912de14a5441ff25266af7ecb2ea1
MD5 hash:	90bc751cc4c394d571c5345c670d3a50
humanhash:	blue-lima-fish-mango
File name:	2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
Download:	download sample
Signature	Kovter Create hunting rule
File size:	260'919 bytes
First seen:	2020-11-12 14:38:26 UTC
Last seen:	2024-07-24 12:34:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	369f3d28138a96673521f3ed260e22c6 (2 x Kovter, 1 x Heodo)
ssdeep	6144:Nya5VWKmoCKdd0F5HkW6EIFrouU7hlFYdn/HpyXwIT:NyawjKnS5bMor9bYFHpyXwM
Threatray	5 similar samples on MalwareBazaar
TLSH	AD441232749EF5A5D6D22FB65AF44762E0AEB0089665377E9741F2C2643300C9C26DE2
Reporter	seifreed
Tags:	Kovter

Intelligence

File Origin

# of uploads :

# of downloads :

1'756

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/533419

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Creates processes via WMI

Delayed program exit found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e/

Threat name:

Win32.Trojan.Kovter

Status:

Malicious

First seen:

2020-11-12 14:41:41 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmben4o6f5hdsq6pcwh6vqmkzznenqq45dwtpnxpzqjbcssegkpa._file

Verdict:

malicious

Kovter

384a8272bad1e926177a0791a932a4ad7f60a9cd8f05c0ae3c9ac31932ef2528

Kovter

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84

Kovter

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b

Kovter

f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e

Kovter

Result

Malware family:

n/a

Score:

10/10

Tags:

upx

Link:

https://tria.ge/reports/201112-1csyj5jjss/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Process spawned unexpected child process

Unpacked files

SH256 hash:

2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e

MD5 hash:

90bc751cc4c394d571c5345c670d3a50

SHA1 hash:

616bf155c48912de14a5441ff25266af7ecb2ea1

Link:

https://www.unpac.me/results/de3b0079-8eec-45d2-9833-2bb667cbc459/

SH256 hash:

50980538f2ed4d3b7b2dd4881993f038e29c1f15adc7d32331cecbb4aa4c574a

MD5 hash:

03414b43e516909c4ca8fd964b2ca5f2

SHA1 hash:

f66be3cbee68e7244d38544a5288c8faf5df85eb

Link:

https://www.unpac.me/results/de3b0079-8eec-45d2-9833-2bb667cbc459/

SH256 hash:

2bc73f602f57fdc7844f94a37327df2bfa73eb3482f2216e00e9d989c04bdeb5

MD5 hash:

fc246fde18697c64f58473c031fc362b

SHA1 hash:

acbd862746351912872921327f6d7e0f51906f7f

Detections:

win_kovter_auto

Link:

https://www.unpac.me/results/de3b0079-8eec-45d2-9833-2bb667cbc459/

Parent samples :

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample