SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kronos (Back to overview)

Kronos

aka: Osiris
URLhaus    

There is no description at this point.

References
2022-10-31paloalto Netoworks: Unit42Or Chechik
@online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} } Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
@online{tancio:20220727:gootkit:f1c63fa, author = {Buddy Tancio and Jed Valderama}, title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}}, date = {2022-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html}, language = {English}, urldate = {2022-07-29} } Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2021-05-11The RecordCatalin Cimpanu
@online{cimpanu:20210511:osiris:c21f10f, author = {Catalin Cimpanu}, title = {{Osiris banking trojan shuts down as new Ares variant emerges}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/}, language = {English}, urldate = {2021-05-13} } Osiris banking trojan shuts down as new Ares variant emerges
Kronos
2021-03-30ZscalerBrett Stone-Gross
@online{stonegross:20210330:ares:6bae793, author = {Brett Stone-Gross}, title = {{Ares Malware: The Grandson of the Kronos Banking Trojan}}, date = {2021-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan}, language = {English}, urldate = {2021-03-31} } Ares Malware: The Grandson of the Kronos Banking Trojan
Ares Kronos
2021-02-08MorphisecMichael Dereviashkin
@online{dereviashkin:20210208:long:d1419a2, author = {Michael Dereviashkin}, title = {{Long Live, Osiris; Banking Trojan Targets German IP Addresses}}, date = {2021-02-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses}, language = {English}, urldate = {2021-02-09} } Long Live, Osiris; Banking Trojan Targets German IP Addresses
Kronos
2020-08-14Twitter (@3xp0rtblog)3xp0rt
@online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } Tweet on Osiris
Kronos
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2019-10-29Dissecting MalwareMarius Genheimer
@online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } Osiris, the god of afterlife...and banking malware?!
Kronos
2019-04-19ZDNetCatalin Cimpanu
@online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } Security researcher MalwareTech pleads guilty
Kronos
2018-07-24ProofpointProofpoint Staff
@online{staff:20180724:kronos:ad537ce, author = {Proofpoint Staff}, title = {{Kronos Reborn}}, date = {2018-07-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-reborn}, language = {English}, urldate = {2019-12-20} } Kronos Reborn
Kronos
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-08-29MalwarebytesMalwarebytes Labs
@online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} } Inside the Kronos malware – part 2
Kronos
2017-08-18MalwarebytesMalwarebytes Labs
@online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} } Inside the Kronos malware – part 1
Kronos
2016-11-15ProofpointProofpoint Staff
@online{staff:20161115:kronos:6580667, author = {Proofpoint Staff}, title = {{Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware}}, date = {2016-11-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware}, language = {English}, urldate = {2019-12-20} } Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware
Kronos ScanPOS
2016-10-17MalwarebytesJérôme Segura
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} } New-looking Sundown EK drops Smoke Loader, Kronos banker
Kronos SmokeLoader
2015-12-01Trend MicroJay Yaneza, Erika Mendoza
@online{yaneza:20151201:operation:718c901, author = {Jay Yaneza and Erika Mendoza}, title = {{Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools}}, date = {2015-12-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/}, language = {English}, urldate = {2020-03-19} } Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools
Alina POS BlackPOS Kronos NewPosThings
Yara Rules
[TLP:WHITE] win_kronos_auto (20230125 | Detects win.kronos.)
rule win_kronos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.kronos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85f6 742f 8d45fc 50 ff75fc 56 6a1b }
            // n = 7, score = 2800
            //   85f6                 | test                esi, esi
            //   742f                 | je                  0x31
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   56                   | push                esi
            //   6a1b                 | push                0x1b

        $sequence_1 = { 8911 8b08 85c9 7406 8b5004 895104 3b4604 }
            // n = 7, score = 2800
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   85c9                 | test                ecx, ecx
            //   7406                 | je                  8
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   3b4604               | cmp                 eax, dword ptr [esi + 4]

        $sequence_2 = { c6470501 85c0 750d 8906 5f 8bc6 5e }
            // n = 7, score = 2800
            //   c6470501             | mov                 byte ptr [edi + 5], 1
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   8906                 | mov                 dword ptr [esi], eax
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_3 = { 8bf8 83ffff 7470 6a18 }
            // n = 4, score = 2800
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7470                 | je                  0x72
            //   6a18                 | push                0x18

        $sequence_4 = { ffd2 8b08 8b5804 8b5008 8b4508 53 894df4 }
            // n = 7, score = 2800
            //   ffd2                 | call                edx
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_5 = { 53 33c0 57 8d4df0 8945f4 8945f8 }
            // n = 6, score = 2800
            //   53                   | push                ebx
            //   33c0                 | xor                 eax, eax
            //   57                   | push                edi
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_6 = { 6800400000 6800200000 57 52 ffd6 8b4508 }
            // n = 6, score = 2800
            //   6800400000           | push                0x4000
            //   6800200000           | push                0x2000
            //   57                   | push                edi
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_7 = { 8a08 84c9 742f 80f95c 740a 80f92f }
            // n = 6, score = 2800
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   84c9                 | test                cl, cl
            //   742f                 | je                  0x31
            //   80f95c               | cmp                 cl, 0x5c
            //   740a                 | je                  0xc
            //   80f92f               | cmp                 cl, 0x2f

        $sequence_8 = { 33c0 85d2 7e37 3b7b18 773b eb1a 8b4d08 }
            // n = 7, score = 2800
            //   33c0                 | xor                 eax, eax
            //   85d2                 | test                edx, edx
            //   7e37                 | jle                 0x39
            //   3b7b18               | cmp                 edi, dword ptr [ebx + 0x18]
            //   773b                 | ja                  0x3d
            //   eb1a                 | jmp                 0x1c
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_9 = { 83f801 74d1 56 ff15???????? 33c0 5f 5e }
            // n = 7, score = 2800
            //   83f801               | cmp                 eax, 1
            //   74d1                 | je                  0xffffffd3
            //   56                   | push                esi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 1302528
}
Download all Yara Rules