SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple
URLhaus    

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bc3 c1e806 2401 56 57 c645ff00 8845fd }
            // n = 7, score = 5000
            //   8bc3                 | mov                 eax, ebx
            //   c1e806               | shr                 eax, 6
            //   2401                 | and                 al, 1
            //   56                   | push                esi
            //   57                   | push                edi
            //   c645ff00             | mov                 byte ptr [ebp - 1], 0
            //   8845fd               | mov                 byte ptr [ebp - 3], al

        $sequence_1 = { c1e008 0bc2 0fb6510f c1e008 0bc2 89460c }
            // n = 6, score = 5000
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx
            //   0fb6510f             | movzx               edx, byte ptr [ecx + 0xf]
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_2 = { e8???????? 50 e8???????? 33c9 833e01 0f94c1 890e }
            // n = 7, score = 5000
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   833e01               | cmp                 dword ptr [esi], 1
            //   0f94c1               | sete                cl
            //   890e                 | mov                 dword ptr [esi], ecx

        $sequence_3 = { 99 8bcf f7f9 8bd8 8d442438 e8???????? 8b442424 }
            // n = 7, score = 5000
            //   99                   | cdq                 
            //   8bcf                 | mov                 ecx, edi
            //   f7f9                 | idiv                ecx
            //   8bd8                 | mov                 ebx, eax
            //   8d442438             | lea                 eax, [esp + 0x38]
            //   e8????????           |                     
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_4 = { 6a74 ff7508 33c0 6a05 40 5a e8???????? }
            // n = 7, score = 5000
            //   6a74                 | push                0x74
            //   ff7508               | push                dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   6a05                 | push                5
            //   40                   | inc                 eax
            //   5a                   | pop                 edx
            //   e8????????           |                     

        $sequence_5 = { 8bc8 e8???????? 8bd8 3bde 0f85a8030000 eb04 89742424 }
            // n = 7, score = 5000
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   3bde                 | cmp                 ebx, esi
            //   0f85a8030000         | jne                 0x3ae
            //   eb04                 | jmp                 6
            //   89742424             | mov                 dword ptr [esp + 0x24], esi

        $sequence_6 = { 8d45fc 50 8bce e8???????? 85c0 0f8566ffffff 8b45f4 }
            // n = 7, score = 5000
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8566ffffff         | jne                 0xffffff6c
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_7 = { c1c611 03f2 8bfa 33f8 23fe 33f8 037de8 }
            // n = 7, score = 5000
            //   c1c611               | rol                 esi, 0x11
            //   03f2                 | add                 esi, edx
            //   8bfa                 | mov                 edi, edx
            //   33f8                 | xor                 edi, eax
            //   23fe                 | and                 edi, esi
            //   33f8                 | xor                 edi, eax
            //   037de8               | add                 edi, dword ptr [ebp - 0x18]

        $sequence_8 = { 8bf8 83ffff 750b ff742408 e8???????? 8bf8 }
            // n = 6, score = 5000
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   750b                 | jne                 0xd
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_9 = { 33c0 6a05 40 5a e8???????? 0fb64514 83e800 }
            // n = 7, score = 5000
            //   33c0                 | xor                 eax, eax
            //   6a05                 | push                5
            //   40                   | inc                 eax
            //   5a                   | pop                 edx
            //   e8????????           |                     
            //   0fb64514             | movzx               eax, byte ptr [ebp + 0x14]
            //   83e800               | sub                 eax, 0

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules