KINS (Malware Family)

win.kins (Back to overview)
KINS

aka: Kasper Internet Non-Security, Maple
URLhaus
There is no description at this point.
References

2015-02-25 ⋅ Github (nyx0) ⋅ unknown
KINS Banking Trojan Source Code
KINS
2014-06-09 ⋅ SecurityIntelligence ⋅ Dana Tamir
ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17 ⋅ Malwarebytes ⋅ Jérôme Segura
Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules

[TLP:WHITE] win_kins_auto (20221125 | Detects win.kins.)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.kins."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8944241c 8b4508 8bd3 e8???????? 84c0 7427 }
            // n = 7, score = 5000
            //   e8????????           |                     
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bd3                 | mov                 edx, ebx
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7427                 | je                  0x29

        $sequence_1 = { ff7514 ff7510 53 e8???????? 8945fc 85c0 }
            // n = 6, score = 5000
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax

        $sequence_2 = { 8955fc 8d9c3322619d6d c1c310 03da 315dfc 8b75fc 33f0 }
            // n = 7, score = 5000
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8d9c3322619d6d       | lea                 ebx, [ebx + esi + 0x6d9d6122]
            //   c1c310               | rol                 ebx, 0x10
            //   03da                 | add                 ebx, edx
            //   315dfc               | xor                 dword ptr [ebp - 4], ebx
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   33f0                 | xor                 esi, eax

        $sequence_3 = { 52 57 56 ff15???????? c6443eff00 83f8ff 7508 }
            // n = 7, score = 5000
            //   52                   | push                edx
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   c6443eff00           | mov                 byte ptr [esi + edi - 1], 0
            //   83f8ff               | cmp                 eax, -1
            //   7508                 | jne                 0xa

        $sequence_4 = { 33c9 41 8bf2 3bc1 7e15 6bc01c 8d4430e3 }
            // n = 7, score = 5000
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx
            //   8bf2                 | mov                 esi, edx
            //   3bc1                 | cmp                 eax, ecx
            //   7e15                 | jle                 0x17
            //   6bc01c               | imul                eax, eax, 0x1c
            //   8d4430e3             | lea                 eax, [eax + esi - 0x1d]

        $sequence_5 = { 8d9c3322619d6d c1c310 03da 315dfc 8b75fc 33f0 }
            // n = 6, score = 5000
            //   8d9c3322619d6d       | lea                 ebx, [ebx + esi + 0x6d9d6122]
            //   c1c310               | rol                 ebx, 0x10
            //   03da                 | add                 ebx, edx
            //   315dfc               | xor                 dword ptr [ebp - 4], ebx
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   33f0                 | xor                 esi, eax

        $sequence_6 = { 53 ff36 ffd7 85c0 7435 8b45f4 }
            // n = 6, score = 5000
            //   53                   | push                ebx
            //   ff36                 | push                dword ptr [esi]
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7435                 | je                  0x37
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_7 = { 8bdf c1eb10 885e09 8bdf c1eb08 885e0a }
            // n = 6, score = 5000
            //   8bdf                 | mov                 ebx, edi
            //   c1eb10               | shr                 ebx, 0x10
            //   885e09               | mov                 byte ptr [esi + 9], bl
            //   8bdf                 | mov                 ebx, edi
            //   c1eb08               | shr                 ebx, 8
            //   885e0a               | mov                 byte ptr [esi + 0xa], bl

        $sequence_8 = { 8d442428 8bf8 e8???????? 8bf8 85ff 740e }
            // n = 6, score = 5000
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   740e                 | je                  0x10

        $sequence_9 = { 763f 395c2434 7539 50 89442410 e8???????? 8bf8 }
            // n = 7, score = 5000
            //   763f                 | jbe                 0x41
            //   395c2434             | cmp                 dword ptr [esp + 0x34], ebx
            //   7539                 | jne                 0x3b
            //   50                   | push                eax
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules
KINS Propose Change

References

Yara Rules

KINS
