MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kovter

Vendor detections: 11

SHA256 hash: 4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
SHA3-384 hash: b59c1ef7f2f3ad7836244289e8f87415edf360177234025b158a0729cee82cb8f7002f08bd7ad768e813856367e38def
SHA1 hash: 449db2b11501f8f3c136bd01521e7575c8230318
MD5 hash: 936e1e0d0b9e9371f8b2b0638b057e28
humanhash: sad-lion-north-golf
File name: 936e1e0d0b9e9371f8b2b0638b057e28.exe
Signature: Kovter
File size: 396'125 bytes
First seen: 2021-08-27 07:45:46 UTC
Last seen: 2021-08-27 09:26:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d398fe3ed3bc9d8bca9035c09fefe333 (1 x Kovter)
ssdeep: 12288:JFepq9KXcyrAvdZCTNweaxGjkxtte8c8tnE:J0qcXcyKGyLAg3c8m
Threatray: 947 similar samples on MalwareBazaar
TLSH: T16284E069F3D181F0F2E758F88D96A37EC621BC8A4611C5836794FE073AFA217D8471A1
dhash icon: 0180c0a4b698e400 (5 x GuLoader, 3 x LummaStealer, 1 x Kovter)
Reporter: abuse_ch
Tags: exe Kovter

Intelligence

File Origin
# of uploads: 2
# of downloads: 1'015
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 936e1e0d0b9e9371f8b2b0638b057e28.exe
Verdict: Malicious activity
Analysis date: 2021-08-27 07:48:59 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Creating a process with a hidden window
Sending a UDP request
Creating a file
Searching for the window
Connection attempt
Possible injection to a system process
Changing settings of the browser security zones
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Deleting of the original file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates processes via WMI
Delayed program exit found
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Threat name: Win32.Dropper.Powerliks
Status: Malicious
First seen: 2021-08-27 07:46:07 UTC
AV detection: 33 of 41 (80.49%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Process spawned unexpected child process
Unpacked files
SHA256 hash: d891e7bb4c7b11b2019c4871fa4cdc053bd23984716cd3cc1437c13be2089446
MD5 hash: 19108beb3340e27a996dca1ec1f73ce7
SHA1 hash: 601fd7313056a382d652c665e5b9a5dcda5b4e00
SHA256 hash: 4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
MD5 hash: 936e1e0d0b9e9371f8b2b0638b057e28
SHA1 hash: 449db2b11501f8f3c136bd01521e7575c8230318
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments