kinsing | 8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a | Triage

Submit
Reports

Overview

overview

Static

static

7

74fa65bdc2...38.exe

windows7-x64

74fa65bdc2...38.exe

windows10-2004-x64

Sharing

General

Target

74fa65bdc2b30888cd6732f8ccf9c438
Size

397KB
Sample

240125-t2pzlaaga9
MD5

74fa65bdc2b30888cd6732f8ccf9c438
SHA1

a2aa0495113e0f9db4153fc087048b53fdb1e18d
SHA256

8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a
SHA512

95048ef938c046348cf420cf9da70c30a21a1bb4bb56b507a856a224c552e4eb08acd463e574b79eeef3e9bcc374cc11fd6f7331cac239f16b84bc856ab8b4d3
SSDEEP

6144:mZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobEH:0T6eoVH91nnX84vS+4qQNUhqjDoIYof

Score

10^/10

kinsing netwire botnet loader persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

74fa65bdc2b30888cd6732f8ccf9c438.exe

Resource

win7-20231215-en

netwire botnet persistence rat stealer upx

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

74fa65bdc2b30888cd6732f8ccf9c438.exe

Resource

win10v2004-20231215-en

kinsing netwire botnet loader persistence rat stealer upx

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Corona-Virus
install_path
%AppData%\Install\offiice365.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pounds
registry_autorun
true
startup_name
officeii365
use_mutex
false

Targets

- Target
  
  74fa65bdc2b30888cd6732f8ccf9c438
- Size
  
  397KB
- MD5
  
  74fa65bdc2b30888cd6732f8ccf9c438
- SHA1
  
  a2aa0495113e0f9db4153fc087048b53fdb1e18d
- SHA256
  
  8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a
- SHA512
  
  95048ef938c046348cf420cf9da70c30a21a1bb4bb56b507a856a224c552e4eb08acd463e574b79eeef3e9bcc374cc11fd6f7331cac239f16b84bc856ab8b4d3
- SSDEEP
  
  6144:mZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobEH:0T6eoVH91nnX84vS+4qQNUhqjDoIYof
Score

10^/10

netwire botnet persistence rat stealer upx kinsing loader
- Kinsing
  Kinsing is a loader written in Golang.
  loader kinsing
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealerupx

behavioral2

kinsingnetwirebotnetloaderpersistenceratstealerupx

© 2018-2024

Terms | Privacy