MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kovter

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
SHA3-384 hash:	7bd9a8014a1288bcc703ffde63c1642561e4b9facb78e942b4479c7e33ad13f681f637655e75524d6cf1589681db7155
SHA1 hash:	a6087e6335893bf1d96f40480bbf5d2ec9e2fd72
MD5 hash:	346093ef738b5894864ad691ad6c559e
humanhash:	double-fish-romeo-pluto
File name:	7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
Download:	download sample
Signature	Kovter Create hunting rule
File size:	260'919 bytes
First seen:	2020-11-11 10:57:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	369f3d28138a96673521f3ed260e22c6 (2 x Kovter, 1 x Heodo)
ssdeep	6144:Nya5VWKmoCKdd0F5HkW6EIFrouU7hlFYdn/HpyXwIT:NyawjKnS5bMor9bYFHpyXwM
Threatray	2 similar samples on MalwareBazaar
TLSH	A8441232749EF6A5D6D22FB65AF44762E0AEB0089675377E9741F2C2643300C9C26DE2
Reporter	seifreed
Tags:	Kovter

Intelligence

File Origin

# of uploads :

# of downloads :

1'715

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b/

Threat name:

Win32.Trojan.Kovter

Status:

Malicious

First seen:

2020-11-11 10:58:25 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=privtzhtulzanv7kzgsnn7wb74lobpefwhjipf2xha3qtquxvynq._file

Verdict:

malicious

Kovter

f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e

Kovter

Result

Malware family:

n/a

Score:

10/10

Tags:

upx

Link:

https://tria.ge/reports/201111-fl2f5w368n/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Process spawned unexpected child process

Unpacked files

SH256 hash:

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b

MD5 hash:

346093ef738b5894864ad691ad6c559e

SHA1 hash:

a6087e6335893bf1d96f40480bbf5d2ec9e2fd72

Link:

https://www.unpac.me/results/aadb649d-a957-44bc-8ac1-9fd7204f9e6a/

SH256 hash:

50980538f2ed4d3b7b2dd4881993f038e29c1f15adc7d32331cecbb4aa4c574a

MD5 hash:

03414b43e516909c4ca8fd964b2ca5f2

SHA1 hash:

f66be3cbee68e7244d38544a5288c8faf5df85eb

Link:

https://www.unpac.me/results/aadb649d-a957-44bc-8ac1-9fd7204f9e6a/

SH256 hash:

2bc73f602f57fdc7844f94a37327df2bfa73eb3482f2216e00e9d989c04bdeb5

MD5 hash:

fc246fde18697c64f58473c031fc362b

SHA1 hash:

acbd862746351912872921327f6d7e0f51906f7f

Detections:

win_kovter_auto

Link:

https://www.unpac.me/results/aadb649d-a957-44bc-8ac1-9fd7204f9e6a/

Parent samples :

7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample