win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_kins_auto {

    /* Autogenerated code-sequence signature for the KINS banking trojan
     * (Malpedia family win.kins, see malpedia_reference below).
     * Each $sequence_N string is a short run of x86 opcode bytes; the
     * // comments beneath each string give the generator's disassembly of
     * those bytes, so the strings themselves should not be edited by hand.
     * Bytes written as ???????? are wildcards: on the e8 / e9 entries
     * (call rel32 / jmp rel32) the relative displacement is left unmatched,
     * so the sequence is not tied to one build's code layout.
     * Per the DISCLAIMER further down, the sequences were selected from
     * memory dumps and unpacked files; a still-packed on-disk sample will
     * presumably not match — apply the rule to unpacked files or memory.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date is when the rule was generated; malpedia_version appears to
        // name the Malpedia dataset snapshot it was generated from (the two
        // differ here) — confirm against the yara-signator documentation.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Ten byte sequences follow. "n" is the instruction count of the
        // sequence and "score" is the generator's selection score (same value
        // for all ten here).
        $sequence_0 = { c1e203 0111 83510400 c644081c80 ff4118 }
            // n = 5, score = 2600
            //   c1e203               | shl                 edx, 3
            //   0111                 | add                 dword ptr [ecx], edx
            //   83510400             | adc                 dword ptr [ecx + 4], 0
            //   c644081c80           | mov                 byte ptr [eax + ecx + 0x1c], 0x80
            //   ff4118               | inc                 dword ptr [ecx + 0x18]

        $sequence_1 = { 8bf0 395d08 764d 83c108 894dfc 33c0 }
            // n = 6, score = 2600
            //   8bf0                 | mov                 esi, eax
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   764d                 | jbe                 0x4f
            //   83c108               | add                 ecx, 8
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { eb4e 83f824 7f09 c745ec03000000 eb40 }
            // n = 5, score = 2600
            //   eb4e                 | jmp                 0x50
            //   83f824               | cmp                 eax, 0x24
            //   7f09                 | jg                  0xb
            //   c745ec03000000       | mov                 dword ptr [ebp - 0x14], 3
            //   eb40                 | jmp                 0x42

        // Contains a wildcarded call (e8 ????????): the call target is not
        // part of the match.
        $sequence_3 = { 8d4c243c e8???????? 8bf8 85ff 7503 214608 }
            // n = 6, score = 2600
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7503                 | jne                 5
            //   214608               | and                 dword ptr [esi + 8], eax

        $sequence_4 = { ff4508 8bca 2b4d08 6a02 d3e0 }
            // n = 5, score = 2600
            //   ff4508               | inc                 dword ptr [ebp + 8]
            //   8bca                 | mov                 ecx, edx
            //   2b4d08               | sub                 ecx, dword ptr [ebp + 8]
            //   6a02                 | push                2
            //   d3e0                 | shl                 eax, cl

        $sequence_5 = { 894c2420 3bd0 7e09 2bda 4b 895c2414 eb07 }
            // n = 7, score = 2600
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   3bd0                 | cmp                 edx, eax
            //   7e09                 | jle                 0xb
            //   2bda                 | sub                 ebx, edx
            //   4b                   | dec                 ebx
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   eb07                 | jmp                 9

        // Contains a wildcarded call (e8 ????????).
        $sequence_6 = { 8d5dac e8???????? 8bf0 85f6 0f859b000000 8d45ec 50 }
            // n = 7, score = 2600
            //   8d5dac               | lea                 ebx, [ebp - 0x54]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f859b000000         | jne                 0xa1
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax

        // Three of the seven entries are wildcarded (two calls, one jmp), so
        // only four instructions are matched literally — this is the least
        // specific sequence of the ten.
        $sequence_7 = { e8???????? 8bf8 85ff 740e 8d742448 e8???????? e9???????? }
            // n = 7, score = 2600
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   740e                 | je                  0x10
            //   8d742448             | lea                 esi, [esp + 0x48]
            //   e8????????           |                     
            //   e9????????           |                     

        // Contains a wildcarded call (e8 ????????).
        $sequence_8 = { 8d7dfc 8bd6 e8???????? 85c0 75b4 8b45f4 8b4d10 }
            // n = 7, score = 2600
            //   8d7dfc               | lea                 edi, [ebp - 4]
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75b4                 | jne                 0xffffffb6
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_9 = { 83eb04 ff4df8 75df 8b7de4 8b5d08 }
            // n = 5, score = 2600
            //   83eb04               | sub                 ebx, 4
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   75df                 | jne                 0xffffffe1
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

    condition:
        // Ten sequences are defined above; at least 7 must be present, so up
        // to 3 may be missing (tolerance for build/compiler variation). If the
        // rule is regenerated with a different sequence count, revisit this
        // threshold rather than keeping the literal 7.
        7 of them
}