KINS (Malware Family)

win.kins (Back to overview)
KINS

aka: Kasper Internet Non-Security, Maple
URLhaus
There is no description at this point.
References

2015-02-25 ⋅ Github (nyx0) ⋅ unknown
KINS Banking Trojan Source Code
KINS
2014-06-09 ⋅ SecurityIntelligence ⋅ Dana Tamir
ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17 ⋅ Malwarebytes ⋅ Jérôme Segura
Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules

[TLP:WHITE] win_kins_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33d8 035de8 8955fc 8d9c3322619d6d c1c310 03da 315dfc }
            // n = 7, score = 5000
            //   33d8                 | xor                 ebx, eax
            //   035de8               | add                 ebx, dword ptr [ebp - 0x18]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8d9c3322619d6d       | lea                 ebx, [ebx + esi + 0x6d9d6122]
            //   c1c310               | rol                 ebx, 0x10
            //   03da                 | add                 ebx, edx
            //   315dfc               | xor                 dword ptr [ebp - 4], ebx

        $sequence_1 = { e9???????? 8bc3 99 83e207 03c2 c1f803 8d440006 }
            // n = 7, score = 5000
            //   e9????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   99                   | cdq                 
            //   83e207               | and                 edx, 7
            //   03c2                 | add                 eax, edx
            //   c1f803               | sar                 eax, 3
            //   8d440006             | lea                 eax, [eax + eax + 6]

        $sequence_2 = { 0f95c0 c1e903 8d4408fd 50 8945f4 e8???????? 89450c }
            // n = 7, score = 5000
            //   0f95c0               | setne               al
            //   c1e903               | shr                 ecx, 3
            //   8d4408fd             | lea                 eax, [eax + ecx - 3]
            //   50                   | push                eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   e8????????           |                     
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax

        $sequence_3 = { 2bc8 03f9 8bc7 c1e002 50 e8???????? 33c9 }
            // n = 7, score = 5000
            //   2bc8                 | sub                 ecx, eax
            //   03f9                 | add                 edi, ecx
            //   8bc7                 | mov                 eax, edi
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx

        $sequence_4 = { 834db620 830d????????10 8d4588 50 e8???????? eb3f a808 }
            // n = 7, score = 5000
            //   834db620             | or                  dword ptr [ebp - 0x4a], 0x20
            //   830d????????10       |                     
            //   8d4588               | lea                 eax, [ebp - 0x78]
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb3f                 | jmp                 0x41
            //   a808                 | test                al, 8

        $sequence_5 = { 50 33c0 50 51 e8???????? 03f0 1155e4 }
            // n = 7, score = 5000
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   03f0                 | add                 esi, eax
            //   1155e4               | adc                 dword ptr [ebp - 0x1c], edx

        $sequence_6 = { 83f8ff 741f 8bc6 50 8d5ddc e8???????? 8bf0 }
            // n = 7, score = 5000
            //   83f8ff               | cmp                 eax, -1
            //   741f                 | je                  0x21
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   8d5ddc               | lea                 ebx, [ebp - 0x24]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 03c6 89411c 83f818 7396 8a45ed e8???????? 8bf0 }
            // n = 7, score = 5000
            //   03c6                 | add                 eax, esi
            //   89411c               | mov                 dword ptr [ecx + 0x1c], eax
            //   83f818               | cmp                 eax, 0x18
            //   7396                 | jae                 0xffffff98
            //   8a45ed               | mov                 al, byte ptr [ebp - 0x13]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 8d7dfc 8bd6 e8???????? 85c0 75b4 8b45f4 8b4d10 }
            // n = 7, score = 5000
            //   8d7dfc               | lea                 edi, [ebp - 4]
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75b4                 | jne                 0xffffffb6
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_9 = { 760e 8b4d14 8d420c 8918 83c020 }
            // n = 5, score = 5000
            //   760e                 | jbe                 0x10
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8918                 | mov                 dword ptr [eax], ebx
            //   83c020               | add                 eax, 0x20

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules
KINS Propose Change

References

Yara Rules

KINS
