{
	"id": "74a7b16d-3def-41b7-b0a5-0e7a6f7bc0e5",
	"created_at": "2026-04-06T00:14:31.898404Z",
	"updated_at": "2026-04-10T13:11:39.968269Z",
	"deleted_at": null,
	"sha1_hash": "3daae476441656a30384caa45154581a073c69c7",
	"title": "Unpacking KOVTER Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5015443,
	"plain_text": "Unpacking KOVTER Malware\r\nBy Motawkkel Abdulrhman\r\nPublished: 2022-05-19 · Archived: 2026-04-05 21:08:19 UTC\r\nSample:\r\n40050153DCEEC2C8FBB1912F8EEABE449D1E265F0C8198008BE8B34E5403E731\r\nBehaviour analysis\r\nThis malware uses a highly sophisticated way of unpacking; I'll be demonstrating how to fully unpack it and extract its second stage.\r\nLet's start by dynamically analysing this sample: fire up ProcMon and execute the sample.\r\nAfter capturing events with ProcMon, save them to a CSV file and load it into ProcDot; it will look like this.\r\nhttps://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/\r\nThis is a lot of output! What we need to focus on are the red coloured events.\r\nWe see that it dropped a file to disk.\r\nAnd also some weird registry keys were created.\r\nLet's first start by navigating to that dropped file's directory.\r\nWe see two files: one of them is a .bat file and the other has a random extension, .2ed62.\r\nNote: batch files are scripts that contain multiple commands to be executed by the command line in Windows.\r\nLet's view the batch file's contents.\r\nRegistry Activities\r\nThe start command will open this file d031.2ed62, but what is the file actually? This file is not even an executable; after some time I realised that this is just a dummy file and the actual purpose is not to execute it.\r\nWhen Windows tries to open any file, by default it looks in the registry for the software that can run the file, so what we can do now is open the registry and look for the software or command that executes the .2ed62 extension.\r\nYou can find a list of extensions under HKEY_CURRENT_USER\\Software\\Classes\r\nWe found the extension, but what is the value 0346? It is supposed to hold the name of the software that will open it.\r\nThis 0346 is just there for obfuscation purposes and it acts like a pointer (meaning that you can find it in the list of extensions).\r\nGoing down the list of extensions we can see our pointer, and it points to mshta.exe followed by JavaScript code to execute.\r\nDouble-click on the name and extract the whole command.\r\nWhat pops into our eyes immediately is the registry key HKCU\\\\software\\\\gxyhwinsg\\\\zbrqoytjz. It reads the contents and stores them in the V0ZOG variable, then calls the eval function, which will execute the script (it needs to be a JS script). So let's examine what's in that key.\r\nThis time if we try to just double-click it, it won't work because of the length.\r\nWe can use the reg_export command line tool instead.\r\nCommand:\r\nreg_export HKEY_CURRENT_USER\\Software\\gxyhwinsg zbrqoytjz dumped_scp.js\r\nThe script we extracted looks very hard to analyse; a good thing to start with is to try searching for any evals.\r\nAnd indeed, near the end of the code we can see an eval. Why is this important?\r\nAs we can see, this code has a lot of numeric data stored, which can be another form of JS script that is being decoded and executed.\r\neval is the function that will execute any JS script, so rather than spending time analysing the code (which will be a big pain), we can simply reach the point where it calls eval (obviously after decoding the payload) and just examine what is passed to eval.\r\nHow can we do that?\r\nPatching JavaScript code\r\nOne of the quick ways is to patch eval and make it print the code to us.\r\nAppend this code to the top of the script:\r\noe = eval; // keep a reference to the original eval\r\neval = function(i){\r\n    WScript.Echo(i); // print the decoded script before it runs\r\n    oe(i);\r\n}\r\nRun the script with wscript.exe.\r\nWe got what seems to be some base64 encoded data; let's copy and decode it.\r\nNote: you can't copy directly from Windows Script Host, so a good way to get this string is to open Process Hacker, select the wscript.exe process and go to Strings.\r\nFind the encoded string and extract it.\r\nPowerShell Analysis\r\nAfter extracting the script, we open it and see a reference to powershell.exe at the end of the script.\r\nThat means after decoding the base64 data we'll find a PowerShell script.\r\nAnd yes, it is a PowerShell script; let's move on to our Windows machine and analyse it.\r\nThere is a great tool called powershell_ise to debug PowerShell scripts; let's use it to open our script.\r\nOpening the script in powershell_ise we can see a variable called sc32 at line 26 that holds a set of hex values.\r\nAnd at line 28 we see VirtualAlloc invoked to allocate the length of sc32 with 0x40 (READ_WRITE_EXECUTE).\r\nAnd if we take a look at lines 32 and 34 we see that it copies the bytes from sc32 to some memory pointer, then calls CreateThread to execute that region of memory.\r\nSo, what can we conclude from this basic analysis?\r\n1. This PowerShell script is just another loading stage to load and execute the shellcode in sc32 (the name also tells us that this is shellcode [shellcode32]).\r\nLet's dump this shellcode and analyse it. Don't go too far; we can also use powershell_ise to extract this shellcode.\r\nFirst we need to put a breakpoint on the line after the sc32 variable (right-click and Toggle Breakpoint).\r\nRun the script (it will break after 15 seconds because at the beginning of the script it sleeps). After you hit the breakpoint, type this in the bottom console:\r\n[io.file]::WriteAllBytes('shellcode.bin',$sc32)\r\nShellcode Analysis\r\nAnd now we have our shellcode set and ready for analysis. Let's start analysing with the SCDbg tool.\r\nClick launch and observe the output.\r\nNothing interesting: we can see that it only opens some registry keys (whose names are not shown, because this shellcode is not loaded in memory, so it can't resolve strings based on its address) and that's it. We have to dynamically analyse it in order to know what it is essentially doing.\r\nLet's use the runsc tool.\r\nAs we see in the console, we need to open XDBG and attach to the runsc process, then put a breakpoint on the shellcode's address.\r\nAfter you put the breakpoint, go back to the runsc window and press any key once or twice until you hit the breakpoint in XDBG.\r\nWe are now in the shellcode!\r\nFrom our previous analysis we saw that this sample calls RegOpenKeyExA, but take note that if you do a bp RegOpenKeyExA the breakpoint won't trigger, because this function is actually loaded from advapi32.dll.\r\nSo type the following in the XDBG console:\r\nbp advapi32.RegOpenKeyExA\r\nRun.\r\nAnd YES! We hit it, and as we see from the stdcall window, we know the key it opens.\r\nLet's get back to user code. If we scroll down a little we can see a call to RegQueryValueExA (which makes sense because we called RegOpenKeyExA) and VirtualAlloc.\r\nLet's put a breakpoint on VirtualAlloc and watch the memory that it allocates (the returned memory address is in EAX).\r\nRun again and observe how this memory region changes.\r\nWe hit another VirtualAlloc and our memory was filled with some random data. Follow the second VirtualAlloc's return address in the dump and run.\r\nWE GOT THE UNPACKED EXECUTABLE!\r\nWHAT A LONG JOURNEY!!\r\nSource: https://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/"
	],
	"report_names": [
		"unpacking-kovter-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3daae476441656a30384caa45154581a073c69c7.pdf",
		"text": "https://archive.orkl.eu/3daae476441656a30384caa45154581a073c69c7.txt",
		"img": "https://archive.orkl.eu/3daae476441656a30384caa45154581a073c69c7.jpg"
	}
}