MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 798c6be4ea73c2d7c936f0d86b804b636188f249fd813f62722565923c158e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 798c6be4ea73c2d7c936f0d86b804b636188f249fd813f62722565923c158e0b
SHA3-384 hash: 84254969748c9f9e05f2dac1e2e68c5597442ed23caaab0c5f0c5b1c77577b092ce1dc69dc769de6f626406b9b4e8e11
SHA1 hash: 4790c8147c74f199481e792493c43ffd1f823e5f
MD5 hash: 23877e74b44452778b56855cdf83d9b9
humanhash: winner-berlin-kitten-aspen
File name:kins_3.1.0.0.vir
Download: download sample
Signature Downloader.Upatre
File size:218'112 bytes
First seen:2020-07-19 17:32:00 UTC
Last seen:2020-07-19 19:19:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 953832636d07eb1ebc34467721e4af8e
ssdeep 1536:ez6dQnW5JgyNoER8Vq34P4B7YaHwlHdlW1ZJDwY:euiWngyaEmV44WzedcZlw
TLSH 642402AB1DF15D21CEDE2AB1529B04B87D775E2473954F848602833F8D3278AF90BCA4
Reporter @tildedennis
Tags:Downloader.Upatre kins


Twitter
@tildedennis
kins version 3.1.0.0

Intelligence


File Origin
# of uploads :
2
# of downloads :
22
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Sending a TCP request to an infection source
Stealing user critical data
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2015-08-13 00:18:00 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  2/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments