SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple
URLhaus    

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20220808 | Detects win.kins.)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.kins."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1c310 03da 315dfc 8b75fc 33f0 0375f4 8db43e0c38e5fd }
            // n = 7, score = 5000
            //   c1c310               | rol                 ebx, 0x10
            //   03da                 | add                 ebx, edx
            //   315dfc               | xor                 dword ptr [ebp - 4], ebx
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   33f0                 | xor                 esi, eax
            //   0375f4               | add                 esi, dword ptr [ebp - 0xc]
            //   8db43e0c38e5fd       | lea                 esi, [esi + edi - 0x21ac7f4]

        $sequence_1 = { eb21 3c81 727d 3c82 7779 0fb6c0 }
            // n = 6, score = 5000
            //   eb21                 | jmp                 0x23
            //   3c81                 | cmp                 al, 0x81
            //   727d                 | jb                  0x7f
            //   3c82                 | cmp                 al, 0x82
            //   7779                 | ja                  0x7b
            //   0fb6c0               | movzx               eax, al

        $sequence_2 = { 035df0 8d840305e9e3a9 c1c005 03c7 8bdf 33d8 23de }
            // n = 7, score = 5000
            //   035df0               | add                 ebx, dword ptr [ebp - 0x10]
            //   8d840305e9e3a9       | lea                 eax, [ebx + eax - 0x561c16fb]
            //   c1c005               | rol                 eax, 5
            //   03c7                 | add                 eax, edi
            //   8bdf                 | mov                 ebx, edi
            //   33d8                 | xor                 ebx, eax
            //   23de                 | and                 ebx, esi

        $sequence_3 = { e8???????? ff7510 50 e8???????? 8bf0 e8???????? 33c0 }
            // n = 7, score = 5000
            //   e8????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 5f 5b c9 c20c00 8b442404 68???????? }
            // n = 6, score = 5000
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   68????????           |                     

        $sequence_5 = { a5 8d742428 8d7c2438 a5 a5 a5 }
            // n = 6, score = 5000
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8d742428             | lea                 esi, [esp + 0x28]
            //   8d7c2438             | lea                 edi, [esp + 0x38]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_6 = { 7427 8b542418 8b450c e8???????? 84c0 7417 8b54241c }
            // n = 7, score = 5000
            //   7427                 | je                  0x29
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7417                 | je                  0x19
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]

        $sequence_7 = { 894510 e8???????? 83c610 ff4d10 75f3 53 e8???????? }
            // n = 7, score = 5000
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   e8????????           |                     
            //   83c610               | add                 esi, 0x10
            //   ff4d10               | dec                 dword ptr [ebp + 0x10]
            //   75f3                 | jne                 0xfffffff5
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_8 = { a3???????? 3bc3 7510 ff35???????? }
            // n = 4, score = 5000
            //   a3????????           |                     
            //   3bc3                 | cmp                 eax, ebx
            //   7510                 | jne                 0x12
            //   ff35????????         |                     

        $sequence_9 = { 8d9d7cffffff e8???????? 8bf0 85f6 0f85cc010000 8d45cc }
            // n = 6, score = 5000
            //   8d9d7cffffff         | lea                 ebx, [ebp - 0x84]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f85cc010000         | jne                 0x1d2
            //   8d45cc               | lea                 eax, [ebp - 0x34]

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules