{
	"id": "aa5a3b96-a23c-4534-a9aa-1355c5ef2543",
	"created_at": "2026-04-06T00:13:28.154561Z",
	"updated_at": "2026-04-10T03:21:04.347628Z",
	"deleted_at": null,
	"sha1_hash": "4a29dfac942b2d8c33d39517eeacbb488cc8b18c",
	"title": "Untangling Kovter's persistence methods | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 766455,
	"plain_text": "Untangling Kovter's persistence methods | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2016-07-13 · Archived: 2026-04-05 17:50:43 UTC\r\nKovter is click-fraud malware famous for the unconventional tricks it uses for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult. In this post we will take a deep dive into the techniques used by its latest samples to see all the elements and how they cooperate.\r\nAnalyzed samples\r\n#1:\r\n49a748e9f2d98ba92b5af8f680bef7f2 – original executable\r\n4160d0e5938b2ff29347476788f3810e – intermediate payload (loader)\r\n7d40b09885f8b967b1127032e54adad4 – unpacked payload (raw dump)\r\n#2:\r\n78c622b295114aa0004b2a8cba8df371 – original executable\r\n3a453e3a77fe7e1534b578f79ad3e987 – intermediate payload (loader)\r\n05956dd290271a6bc810d17893cee826 – unpacked payload (raw dump)\r\n// special thanks to @F_kZ_ and @JAMESWT_MHT for sharing the samples\r\nBehavioral analysis\r\nThe authors of Kovter put a lot of effort into making their malware stealthy and hard to detect. During the initial assessment of some of the Kovter samples we could notice that it is signed with a valid Comodo certificate (it was revoked later):\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/\r\nPage 1 of 13\n\nAfter the sample gets deployed, Kovter runs PowerShell and installs itself in the system.\r\nObserving it via Process Explorer we can find the command passed to PowerShell. 
Its purpose is to execute code stored in an environment variable (names are random, new on each run), e.g.:\r\n$env:nvwisqng\r\nThe content of the variable is a base64-encoded PowerShell script:\r\nAfter that initialization phase, we can see PowerShell deploying regsvr32.exe (via which Kovter runs its modules):\r\nExamining the network activity we can notice many new connections from regsvr32.exe that keep appearing and disappearing:\r\nWe can expect that they are related to the click-fraud activity performed by the malware.\r\nInside\r\nUnpacking\r\nKovter comes packed by a crypter/FUD. After unpacking it we get the loader, which is another PE file. It comes with binary data in the resources:\r\nThe content of the resource is the next PE file, encrypted and compressed with aPLib (we can easily recognize the algorithm by the typical way in which it modifies the MZ header):\r\nDuring the execution, this unpacked PE file is loaded into a newly allocated, contiguous area in memory (without dividing the content into sections). The original (host) sample loads all the necessary DLLs and applies relocations to the new module. Then, the execution is redirected there (see below):\r\nPayload’s Entry Point:\r\nThis executable turns out to be the final stage, containing the core malicious functions. Looking at its strings (which are not obfuscated) we can find that this is the module responsible for the further steps of infection – writing the registry keys, dropping malicious scripts etc. The easiest way to proceed with the analysis would be to dump the payload and analyze it as a separate entity. 
However, the authors of the malware added some tricks in order to prevent this executable from running independently. When we dump the unpacked payload and try to run it, it crashes:\r\nAnalyzing the point of the crash, we can see the reason – an attempt to read inaccessible memory:\r\nAs we can see in the above code, the sample reads its own headers and finds the end of the mapped module (ImageBase + VirtualSize). Then it tries to read from the address located exactly after it. If the sample was loaded via the host application, this address is accessible and its content is filled with the appropriate value – see the example below:\r\nThe read value points to the address where some content has been written – including the path to the current sample:\r\nHowever, this doesn’t work if the sample was executed independently. That’s why we encounter the crash. Anyway, the dump can be very useful for static analysis.\r\nPersistence\r\nKovter achieves persistence by adding a Run key in the Windows Registry. Access to this key via regedit is restricted:\r\nBut using the Sysinternals Autoruns tool we can still see where it leads:\r\nIt refers to a link that leads to a batch script, running a dropped file of an unknown format:\r\nThis file with the extension .d7e6b has unreadable content and it doesn’t make much sense until we notice how it is opened. 
Kovter’s executable, during the installation process, registered in the Windows Registry a special way to run this type of file.\r\nThe added extension .d7e6b is handled by a newly defined command, df01:\r\nThat command is defined in another registry key (…\\df01\\shell\\open\\command):\r\nIt uses the system application mshta.exe in order to run JavaScript that decrypts the content of the file in memory and loads it.\r\nContent of the script:\r\njATFuw4=\"wQfAd\"; ZF3=new ActiveXObject(\"WScript.Shell\"); XZs6HOl=\"uE6\"; gdV5K2=ZF3.RegRead(\"HKCU\\soft\r\nIt refers to other dropped registry keys, saved under a different path (names are different for different samples – in the current sample it is HKCU\\software\\nsem):\r\nInside the variable tnxm another obfuscated script is embedded:\r\nhttps://gist.github.com/hasherezade/184b23a2a98831061fc4b18473078542#file-tnxm-js\r\nThe script contains simple obfuscation – variables have meaningless names and some unused strings are added in between to create noise. After renaming the variables and removing the junk, the same code looks much more readable:\r\nhttps://gist.github.com/hasherezade/184b23a2a98831061fc4b18473078542#file-tnxm_deobfuscated-js\r\nThe hex_string contains the hexadecimal representation of an encrypted code. It is processed by the following two loops. The first loop converts it from the text representation into binary. The second one performs XOR decryption (the XOR key is random, newly generated on each run). 
Then, the result is executed by the eval function.\r\nDecrypted content:\r\nhttps://gist.github.com/hasherezade/184b23a2a98831061fc4b18473078542#file-txnm_deobfuscated_decoded2-ps1\r\nThe base64 content is the same as the one we encountered during the behavioral analysis (it was set in the environment variable):\r\nhttps://gist.github.com/hasherezade/184b23a2a98831061fc4b18473078542#file-nvwisqng-txt\r\nAfter decoding, it turns out to be a PowerShell script:\r\nhttps://gist.github.com/hasherezade/184b23a2a98831061fc4b18473078542#file-nvwisqng_decoded-ps1\r\nIts role is to load and execute the code hidden in the variable $sc32. It contains position-independent 32-bit code (it will be referred to as shellcode). The content is loaded into a newly allocated memory page and executed in a new thread. The pointer to the allocated memory is passed to the thread as a parameter (this is very important, because this address is further used for resolving pointers to variables).\r\nBelow you can see the beginning of this code, converted to binary:\r\nEvery shellcode must be self-sufficient in loading all the required imports. For this purpose, this one uses a trick known from ReflectiveLoader and from shellcodes generated by the Metasploit platform. At the beginning of the execution it tries to get the handle of kernel32.dll. 
To achieve this goal, it enumerates all the loaded modules, calculates checksums of their names and compares them with the hardcoded checksum (0x6A4ABC5B). Similarly, it uses checksums to get handles to the functions inside kernel32.dll.\r\nWith their help, it loads other necessary modules and functions, e.g. from advapi32.dll:\r\nThen, it uses them to open the registry keys dropped during installation.\r\nIn the analyzed samples the read registry paths are, respectively:\r\nsample #1: HKCU\\software\\nsem -\u003e zorsuhg\r\nsample #2: HKCU\\software\\wuuu -\u003e vfkhxfak\r\nNote that if you try to export this key, it will appear very short, because its preview will be cut at the first zero byte – it’s not the full length! Example:\r\nThe value that was stored in the registry is read into memory and decrypted (also in this case, the encryption key is random, newly generated on each run of the installer):\r\nIt turns out to be a PE file (the same payload that was loaded before – by the loader executable):\r\nJust as at the first execution, all the dependencies of the payload are resolved by the external loader (this time it is inside the shellcode). Then, execution is redirected there:\r\nThat’s how the original module has been redeployed. Now, Kovter can continue with its mission.\r\nConclusion\r\nThanks to the techniques employed by Kovter, no executable needs to be dropped on the disk – that’s why it is known as “fileless”. Even the file to which the initial link led does not contain any code to be executed. Instead, it is used just for flow obfuscation. 
Running it in reality leads to running the code stored in the registry, which is sufficient to unpack and re-run the real payload.\r\nThe persistence used by this malware is creatively designed and exceptional in comparison to most malware. Not only is it scattered across several layers, but it is also obfuscated at every stage and contains tricks that slow down the analysis process.\r\nSummary of the elements used for persistence\r\nKovter’s persistence is composed of various tiny elements that execute each other, sometimes in an indirect way:\r\n1. Run key in the registry\r\n2. link\r\n3. batch script running the file with a new extension\r\n4. command in the registry handling the added extension (in fact it is JavaScript reading another dropped registry key and running it)\r\n5. JavaScript with XOR\r\n6. PowerShell script with Base64\r\n7. PowerShell script decoding and running the shellcode\r\n8. shellcode reading the dropped registry key, unpacking the PE file from it and loading it in memory\r\nAppendix\r\nhttp://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/"
	],
	"report_names": [
		"untangling-kovter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a29dfac942b2d8c33d39517eeacbb488cc8b18c.pdf",
		"text": "https://archive.orkl.eu/4a29dfac942b2d8c33d39517eeacbb488cc8b18c.txt",
		"img": "https://archive.orkl.eu/4a29dfac942b2d8c33d39517eeacbb488cc8b18c.jpg"
	}
}