MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Kovter


Vendor detections: 8



SHA256 hash: 64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
SHA3-384 hash: 790fe9d9df814976580b758bbfd8b9e908cd9e6cf7304fa1169b33b0d6bd112054156726d6059fbc4f38e9f01d0bfbaf
SHA1 hash: fdaea19e30073ebff1c11217edfa088966234a3a
MD5 hash: ea54dcc2052880263e2ead168a2af2a3
humanhash: lake-triple-edward-alaska
File name: 64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
Download: download sample
Signature: Kovter
File size: 337'848 bytes
First seen: 2020-11-11 11:29:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 517341ae1ccc6afec85c307c3a906f58 (2 x Kovter, 1 x Heodo)
ssdeep: 6144:8+0sDNvsWBJ/f11s+J7xmGm0O36kQ2XBKnouECmg/4FhC/4a3KQiK:Z0OJ79f11s+dxm936k1C9wFhP6gK
Threatray: 2 similar samples on MalwareBazaar
TLSH: 8074F2CBD38581F1F59F71FA1C9AA13FCB5299C756568A8383E4CF967AB31428C4A130
Reporter: seifreed
Tags: Kovter

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'686
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Creating a process with a hidden window
Sending a UDP request
Creating a file
Searching for the window
Connection attempt
Possible injection to a system process
Changing settings of the browser security zones
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Deleting of the original file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates processes via WMI
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Behaviour
Behavior Graph (graph image not reproduced): Behavior Graph ID: 315418, Sample: 7i5iVT386a, Startdate: 12/11/2020, Architecture: WINDOWS, Score: 80
Root-node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Suspicious powershell command line found; 3 other signatures
Process tree recoverable from the graph: 7i5iVT386a.exe (Creates processes via WMI); mshta.exe (Suspicious powershell command line found) -> powershell.exe (Found suspicious powershell code related to unpacking or dynamic code loading) -> conhost.exe
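The two behaviours the sandbox reports for this sample, an mshta.exe process starting powershell.exe (the "MSHTA Spawning Windows Shell" Sigma hit) and autorun entries written under the Software\Microsoft\Windows\CurrentVersion\Run branch and a shell\open\command branch, expressed as detection logic a responder could run over endpoint telemetry. This is an added example, not MalwareBazaar's, the sandbox vendor's, or the Sigma project's code. It assumes Sysmon-style field names (Image, ParentImage, TargetObject, Details); the list of child processes it treats as "shells" is modelled on the public Sigma rule but is an assumption, and every event record below is constructed for illustration, not taken from this sample's report.

```python
"""Added example: hunt logic for the process-chain and autorun behaviours
listed on this MalwareBazaar entry. Event records are constructed here;
field names follow Sysmon event ID 1 (process create) and ID 13 (registry
value set). Not code from MalwareBazaar, the sandbox, or the Sigma project."""
import re

# Child images flagged when their parent is mshta.exe. Modelled on the
# "MSHTA Spawning Windows Shell" Sigma rule; the exact set is an assumption.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "reg.exe", "regsvr32.exe", "bitsadmin.exe"}

# Registry branches the sandbox named: the standard Run key and any
# shell\open\command handler (the latter is where a file-type handler lives).
AUTORUN_KEY_PATTERNS = [
    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\shell\\open\\command(\\|$)", re.I),
]
# Script hosts that should rarely be the target of an autorun or file handler.
SUSPICIOUS_LAUNCHERS = re.compile(
    r"\b(mshta|powershell|pwsh|wscript|cscript)\b|javascript:|vbscript:", re.I)


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def mshta_spawning_shell(proc_events):
    """Process-creation events whose parent is mshta.exe and whose image is
    one of SHELL_CHILDREN."""
    return [ev for ev in proc_events
            if basename(ev["ParentImage"]) == "mshta.exe"
            and basename(ev["Image"]) in SHELL_CHILDREN]


def suspicious_autoruns(reg_events):
    """Registry value-set events that land in an autorun or shell\\open\\command
    branch and whose value data points at a script host or inline script."""
    return [ev for ev in reg_events
            if any(p.search(ev["TargetObject"]) for p in AUTORUN_KEY_PATTERNS)
            and SUSPICIOUS_LAUNCHERS.search(ev["Details"])]


def triage(proc_events, reg_events):
    """Run both checks and return the findings keyed by technique."""
    return {"mshta_shell": mshta_spawning_shell(proc_events),
            "autorun": suspicious_autoruns(reg_events)}


# Constructed sample telemetry (not from the sandbox report).
PROC_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c \"iex $env:x\""},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\u\page.hta"},
]
REG_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\6a3b",
     "Details": 'mshta "javascript:x=1"'},
    {"EventID": 13, "TargetObject": r"HKCR\4d0a1f\shell\open\command\(Default)",
     "Details": r'C:\Windows\System32\mshta.exe "javascript:x=1"'},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "TargetObject": r"HKCR\txtfile\shell\open\command\(Default)",
     "Details": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
]

if __name__ == "__main__":
    for technique, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(technique, len(hits))
        for ev in hits:
            print("  ", ev.get("Image") or ev.get("TargetObject"))
```

On the constructed input the process check returns only the mshta.exe to powershell.exe event (conhost.exe under powershell.exe and mshta.exe under explorer.exe are not flagged), and the registry check returns the Run value and the custom shell\open\command handler while leaving the OneDrive Run entry and the stock txtfile handler alone. The registry half deliberately keys on the value data rather than the key path alone, since legitimate software writes Run keys constantly; it is the script-host target that makes the entry worth a look.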
Threat name: Win32.Dropper.Powerliks
Status: Malicious
First seen: 2020-11-11 11:32:36 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Process spawned unexpected child process
Unpacked files
SHA256 hash: 64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
MD5 hash: ea54dcc2052880263e2ead168a2af2a3
SHA1 hash: fdaea19e30073ebff1c11217edfa088966234a3a
SHA256 hash: 59fe8fc88de7a050187ce84d07df6a95179007886c9293d39ca28f40b42d2acf
MD5 hash: 8ea2a4d9b98feebc11848bf1a2ecf521
SHA1 hash: 7fdaaf027b755eb23bbed7b37a1d9017158c8dec
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Win32_Ransomware_Kovter
Author: ReversingLabs
Description: Yara rule that detects Kovter ransomware.
Rule name: win_kovter_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments