SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple
URLhaus    

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c104 83c004 4a 75f3 8b4dc0 8bd7 3b3b }
            // n = 7, score = 5000
            //   83c104               | add                 ecx, 4
            //   83c004               | add                 eax, 4
            //   4a                   | dec                 edx
            //   75f3                 | jne                 0xfffffff5
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   8bd7                 | mov                 edx, edi
            //   3b3b                 | cmp                 edi, dword ptr [ebx]

        $sequence_1 = { 0fb64118 0fb65119 c1e008 0bc2 0fb6511a c1e008 0bc2 }
            // n = 7, score = 5000
            //   0fb64118             | movzx               eax, byte ptr [ecx + 0x18]
            //   0fb65119             | movzx               edx, byte ptr [ecx + 0x19]
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx
            //   0fb6511a             | movzx               edx, byte ptr [ecx + 0x1a]
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx

        $sequence_2 = { ff37 e8???????? 8b45fc 5f 5b c9 }
            // n = 6, score = 5000
            //   ff37                 | push                dword ptr [edi]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_3 = { 8bc6 e9???????? 8b45ec 33db 43 }
            // n = 5, score = 5000
            //   8bc6                 | mov                 eax, esi
            //   e9????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx

        $sequence_4 = { 0f85bd000000 8d459c 8bf0 8d5ddc eb38 8d45bc 50 }
            // n = 7, score = 5000
            //   0f85bd000000         | jne                 0xc3
            //   8d459c               | lea                 eax, [ebp - 0x64]
            //   8bf0                 | mov                 esi, eax
            //   8d5ddc               | lea                 ebx, [ebp - 0x24]
            //   eb38                 | jmp                 0x3a
            //   8d45bc               | lea                 eax, [ebp - 0x44]
            //   50                   | push                eax

        $sequence_5 = { d3e3 0bc3 8b5c2420 8907 83ef04 ff4c2414 }
            // n = 6, score = 5000
            //   d3e3                 | shl                 ebx, cl
            //   0bc3                 | or                  eax, ebx
            //   8b5c2420             | mov                 ebx, dword ptr [esp + 0x20]
            //   8907                 | mov                 dword ptr [edi], eax
            //   83ef04               | sub                 edi, 4
            //   ff4c2414             | dec                 dword ptr [esp + 0x14]

        $sequence_6 = { 33c0 50 ff75ec e8???????? 33db 0306 13d3 }
            // n = 7, score = 5000
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   0306                 | add                 eax, dword ptr [esi]
            //   13d3                 | adc                 edx, ebx

        $sequence_7 = { eb03 6a10 58 5f 5b 5e }
            // n = 6, score = 5000
            //   eb03                 | jmp                 5
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_8 = { 50 8b450c e8???????? 8bf8 8d742408 }
            // n = 5, score = 5000
            //   50                   | push                eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d742408             | lea                 esi, [esp + 8]

        $sequence_9 = { 8d442428 50 8d4c243c e8???????? 8bf8 85ff }
            // n = 6, score = 5000
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules