SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kins (Back to overview)

KINS

aka: Kasper Internet Non-Security, Maple
URLhaus    

There is no description at this point.

References
2015-02-25Github (nyx0)unknown
@online{unknown:20150225:kins:534edd1, author = {unknown}, title = {{KINS Banking Trojan Source Code}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/KINS}, language = {English}, urldate = {2019-11-29} } KINS Banking Trojan Source Code
KINS
2014-06-09SecurityIntelligenceDana Tamir
@online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } ZeuS.Maple Variant Targets Canadian Online Banking Customers
KINS
2014-02-17MalwarebytesJérôme Segura
@online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Hiding in plain sight: a story about a sneaky banking Trojan
KINS VM Zeus
Yara Rules
[TLP:WHITE] win_kins_auto (20230715 | Detects win.kins.)
rule win_kins_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kins."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 0f858b000000 8d45b4 50 8d45e4 8d4dd4 e8???????? }
            // n = 7, score = 5000
            //   85c0                 | test                eax, eax
            //   0f858b000000         | jne                 0x91
            //   8d45b4               | lea                 eax, [ebp - 0x4c]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     

        $sequence_1 = { d3e7 894de0 8b4df8 8945f0 d365f0 897dec 3b7df0 }
            // n = 7, score = 5000
            //   d3e7                 | shl                 edi, cl
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   d365f0               | shl                 dword ptr [ebp - 0x10], cl
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]

        $sequence_2 = { e8???????? 85c0 7522 8b4c2408 8b460c c164240804 c1e91c }
            // n = 7, score = 5000
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7522                 | jne                 0x24
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   c164240804           | shl                 dword ptr [esp + 8], 4
            //   c1e91c               | shr                 ecx, 0x1c

        $sequence_3 = { ff75ec 8b45f0 8d5df0 8d7df4 e8???????? 8bd8 33ff }
            // n = 7, score = 5000
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8d5df0               | lea                 ebx, [ebp - 0x10]
            //   8d7df4               | lea                 edi, [ebp - 0xc]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   33ff                 | xor                 edi, edi

        $sequence_4 = { 7557 47 83c610 3b7df0 7ceb 8d75c0 }
            // n = 6, score = 5000
            //   7557                 | jne                 0x59
            //   47                   | inc                 edi
            //   83c610               | add                 esi, 0x10
            //   3b7df0               | cmp                 edi, dword ptr [ebp - 0x10]
            //   7ceb                 | jl                  0xffffffed
            //   8d75c0               | lea                 esi, [ebp - 0x40]

        $sequence_5 = { e8???????? 8d742448 e8???????? 33ff 85ff 0f8510020000 8b44241c }
            // n = 7, score = 5000
            //   e8????????           |                     
            //   8d742448             | lea                 esi, [esp + 0x48]
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   85ff                 | test                edi, edi
            //   0f8510020000         | jne                 0x216
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_6 = { 8bc6 50 e8???????? 8bd8 85db 0f8532010000 }
            // n = 6, score = 5000
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f8532010000         | jne                 0x138

        $sequence_7 = { 33df 035dd4 8d941340b340c0 c1c209 }
            // n = 4, score = 5000
            //   33df                 | xor                 ebx, edi
            //   035dd4               | add                 ebx, dword ptr [ebp - 0x2c]
            //   8d941340b340c0       | lea                 edx, [ebx + edx - 0x3fbf4cc0]
            //   c1c209               | rol                 edx, 9

        $sequence_8 = { 8b5dfc 8d9417aff7448b 8b7dfc 33f8 c1c20c 03d0 }
            // n = 6, score = 5000
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8d9417aff7448b       | lea                 edx, [edi + edx - 0x74bb0851]
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   33f8                 | xor                 edi, eax
            //   c1c20c               | rol                 edx, 0xc
            //   03d0                 | add                 edx, eax

        $sequence_9 = { 837d0802 0f829d000000 8b01 83f803 0f8792000000 83f802 730a }
            // n = 7, score = 5000
            //   837d0802             | cmp                 dword ptr [ebp + 8], 2
            //   0f829d000000         | jb                  0xa3
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   83f803               | cmp                 eax, 3
            //   0f8792000000         | ja                  0x98
            //   83f802               | cmp                 eax, 2
            //   730a                 | jae                 0xc

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules