MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b
SHA3-384 hash: 83ac15f0c99f3ddb9f5ab5d89f5d8a0ac42d52649606a3512376b95870ad5863cc119afe8cd272422fc09810d8c3442c
SHA1 hash: 2745398c853ecd6672cba4c51125a42f87e75cb1
MD5 hash: f5318580e676c21254bbd209edd55444
humanhash: sodium-fish-single-pizza
File name: kins_3.3.0.0.vir
Signature: KINS
File size: 370'688 bytes
First seen: 2020-07-19 17:19:47 UTC
Last seen: 2020-07-19 19:15:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21753440489bb96fb85af1a514400801
ssdeep: 6144:QCp3RwSFWJRTNnqqQPpBpnkPnBKWzq4iO8OCGNs3TEn:QCp3RkXBqPhB5GndqgJCos6
TLSH: E974CFB1F3D0C8B2C842A13C5973AE63161BB23975B4C95B139D38396E723C295AF647
Reporter: @tildedennis
Tags: kins


Twitter (@tildedennis): kins version 3.3.0.0

Intelligence


File Origin
# of uploads: 2
# of downloads: 20
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: phis.bank.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247212
Sample: kins_3.3.0.0.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100
Signatures on submitted sample:
    Malicious sample detected (through community Yara rule)
    Antivirus / Scanner detection for submitted sample
    Multi AV Scanner detection for submitted file
    Machine Learning detection for sample
Process tree:
    kins_3.3.0.0.exe
        Network: 3.3.0.0 (AMAZON-02, United States)
        Dropped: C:\Users\...\SiteSecurityServiceState.exe (PE32)
        Dropped: C:\Users\user\AppData\...\tmp31b6c042.bat (DOS)
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion); 2 other signatures
        Started: SiteSecurityServiceState.exe
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
            Started: explorer.exe
                Network: yandex.ru 5.255.255.80, port 443 (local ports 49741, 49742), YANDEXRU, Russian Federation; theartofmanti.com
                Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Overwrites code with function prologues; 3 other signatures
            Started: explorer.exe
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
        Started: cmd.exe
            Started: conhost.exe
    SiteSecurityServiceState.exe (started directly from the submitted sample)
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2015-11-11 06:21:40 UTC
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments