SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple
URLhaus    

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48 8945f8 7821 8b07 8bc8 23ce }
            // n = 6, score = 5000
            //   48                   | dec                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   7821                 | js                  0x23
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8bc8                 | mov                 ecx, eax
            //   23ce                 | and                 ecx, esi

        $sequence_1 = { 77ec 720f 83fb03 73e5 eb08 8365e800 }
            // n = 6, score = 5000
            //   77ec                 | ja                  0xffffffee
            //   720f                 | jb                  0x11
            //   83fb03               | cmp                 ebx, 3
            //   73e5                 | jae                 0xffffffe7
            //   eb08                 | jmp                 0xa
            //   8365e800             | and                 dword ptr [ebp - 0x18], 0

        $sequence_2 = { ff37 e8???????? 8b45fc 5f 5b c9 }
            // n = 6, score = 5000
            //   ff37                 | push                dword ptr [edi]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_3 = { 68200000f0 6a01 bf???????? 57 53 8d45fc 50 }
            // n = 7, score = 5000
            //   68200000f0           | push                0xf0000020
            //   6a01                 | push                1
            //   bf????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_4 = { 8b4510 6a01 53 03c7 50 e8???????? ff7510 }
            // n = 7, score = 5000
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_5 = { 85f6 75f8 8b4c2408 40 8901 33c0 }
            // n = 6, score = 5000
            //   85f6                 | test                esi, esi
            //   75f8                 | jne                 0xfffffffa
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   40                   | inc                 eax
            //   8901                 | mov                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 8b3f 8b4e0c 3500000001 33f8 894618 }
            // n = 5, score = 5000
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   3500000001           | xor                 eax, 0x1000000
            //   33f8                 | xor                 edi, eax
            //   894618               | mov                 dword ptr [esi + 0x18], eax

        $sequence_7 = { f7f9 8bca 894c2444 85c9 7444 8b442410 }
            // n = 6, score = 5000
            //   f7f9                 | idiv                ecx
            //   8bca                 | mov                 ecx, edx
            //   894c2444             | mov                 dword ptr [esp + 0x44], ecx
            //   85c9                 | test                ecx, ecx
            //   7444                 | je                  0x46
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_8 = { 8d7dfc 8bd6 e8???????? 85c0 75b4 8b45f4 8b4d10 }
            // n = 7, score = 5000
            //   8d7dfc               | lea                 edi, [ebp - 4]
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75b4                 | jne                 0xffffffb6
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_9 = { 8bd0 c1ea10 88510d 8bd0 c1ea08 5f 88410f }
            // n = 7, score = 5000
            //   8bd0                 | mov                 edx, eax
            //   c1ea10               | shr                 edx, 0x10
            //   88510d               | mov                 byte ptr [ecx + 0xd], dl
            //   8bd0                 | mov                 edx, eax
            //   c1ea08               | shr                 edx, 8
            //   5f                   | pop                 edi
            //   88410f               | mov                 byte ptr [ecx + 0xf], al

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules