kinsing | f2e90fc1ea4cc1588d80ef1ba1bbda758b3937c1f07d4e889ef2612f0ba558f1

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_aa356d7ab88e6871a916fbfdb4eb1ff3_floxif_magniber.exe
Size

4.3MB
MD5

aa356d7ab88e6871a916fbfdb4eb1ff3
SHA1

2d21457dd3e462129115c2b04e6c34c427c889cf
SHA256

f2e90fc1ea4cc1588d80ef1ba1bbda758b3937c1f07d4e889ef2612f0ba558f1
SHA512

6ac8c0a802637b67f817144254f1410e543434ff00150c8bfa1f287b05f7993d40a3ec3a52d1edabe4e8623bcc513a91b8497329ac1d754c7f9ba345e17d37dc
SSDEEP

98304:esbltXkUt5hD3oZerXSFSYGBDVfSXNiu0fEL8e:RJtpLdL2xlkueEL8e

Score

10^/10

kinsing sality backdoor loader upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4956-1-0x0000000002DA0000-0x0000000003E2E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4956-1-0x0000000002DA0000-0x0000000003E2E000-memory.dmp	UPX
behavioral2/memory/4956-2-0x0000000000790000-0x0000000000C55000-memory.dmp	UPX

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4956-1-0x0000000002DA0000-0x0000000003E2E000-memory.dmp	upx

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4364	4956	WerFault.exe	2024-01-25_aa356d7ab88e6871a916fbfdb4eb1ff3_floxif_magniber.exe
1336	4956	WerFault.exe	2024-01-25_aa356d7ab88e6871a916fbfdb4eb1ff3_floxif_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_aa356d7ab88e6871a916fbfdb4eb1ff3_floxif_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_aa356d7ab88e6871a916fbfdb4eb1ff3_floxif_magniber.exe"
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 468
2⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 500
2⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4956 -ip 4956
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4956 -ip 4956
1⤵
PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4956-0-0x0000000000790000-0x0000000000C55000-memory.dmp

Filesize
4.8MB

Download
memory/4956-1-0x0000000002DA0000-0x0000000003E2E000-memory.dmp

Filesize
16.6MB

Download
memory/4956-2-0x0000000000790000-0x0000000000C55000-memory.dmp

Filesize
4.8MB

Download