MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7308b321667d579fbab79329977c8396721f9211be62b99b3abb3ae8e49dbcb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 7308b321667d579fbab79329977c8396721f9211be62b99b3abb3ae8e49dbcb4
SHA3-384 hash: a98a24f6801fb74684172a20517e620d5f497c07d42f0add119ec07a077a1dcaf5a03469cc1b11e5d7de4c48be920754
SHA1 hash: 0c15be8ef65503bae8bc82fcd198cec9caa1ed5b
MD5 hash: c64d791a024ed8a11ae0b4cd042204cb
humanhash: edward-floor-bacon-carpet
File name: kins_2.0.12.0.vir
Signature: KINS
File size: 427'706 bytes
First seen: 2020-07-19 19:26:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 943b709cb2ec662ae54a42eda7be5403
ssdeep: 6144:o2b3duHlayqjvjbDqKKKFgCPSMOPbDFz4fOdKKS5vt5zhBrV5hQ89KePvQhuLp:o2b3d6EyqjvjHqecPlUOdKKQPVIQ1d
TLSH: 2194E02272E0C473D2D301314EE5DFBAB3BAFE204F22994763D45B4E5D329D2572A266
Reporter: @tildedennis
Tags: kins


Reporter comment (Twitter, @tildedennis): kins version 2.0.12.0

Intelligence


File Origin
# of uploads: 1
# of downloads: 19
Origin country: FR

Mail intelligence: No data

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Sending an HTTP GET request
  Creating a file in the %temp% subdirectories
  Reading critical registry keys
  Creating a file
  Deleting a recently created file
  Reading Telegram data
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Sending a TCP request to an infection source
  Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247296; sample kins_2.0.12.0.vir; start date 20/07/2020; architecture WINDOWS; score 100), flattened from the graph image:
  Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; PE file contains section with special chars
  kins_2.0.12.0.exe (started)
    Network: 2.0.12.0, FranceTelecom-OrangeFR France
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion); 4 other signatures
    kins_2.0.12.0.exe (child process, started)
      Dropped files: C:\Users\user\AppData\Roaming\Adobe\...\.exe (PE32); C:\Users\user\AppData\...\tmp4e03636e.bat (DOS)
      Signatures: Creates executable files without a name; Tries to harvest and steal browser information (history, passwords, etc); Drops executable to a common third party application directory
      .exe (started)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
        .exe (started)
          Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
          explorer.exe (started); RWNRpmaXuZcluqRZPSZHeRI.exe (injected, listed twice); 10 other processes
      cmd.exe (started)
        conhost.exe (started)
Result
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2015-07-02 23:10:17 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: upx spyware
Behaviour:
  Modifies Internet Explorer settings
  Suspicious use of SetWindowsHookEx
  Suspicious use of FindShellTrayWindow
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SendNotifyMessage
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  NTFS ADS
  Suspicious use of WriteProcessMemory
  Checks whether UAC is enabled
  Suspicious use of SetThreadContext
  Adds Run key to start application
  Reads user/profile data of web browsers
  Loads dropped DLL
  Deletes itself
  Executes dropped EXE
  UPX packed file
Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments