kinsing | 73fe0327b943f9b6df757077c1ce09132dafc7a3b7a8b42f9ed4331cff6e8cf1

General

Target

file.exe
Size

4.8MB
MD5

bb1b77d4280450ce1e7b4217aad3c769
SHA1

36ac15b55b045694468434ebde0d748b65f3af01
SHA256

73fe0327b943f9b6df757077c1ce09132dafc7a3b7a8b42f9ed4331cff6e8cf1
SHA512

01bbe1f1f7a876f4e7f42351892f30155b88847a79863122b5909b16a8e116f203867c05b6d5ca224056f362a84757f32d00fb7b15c9be3f7dfddd895499f15b
SSDEEP

98304:cgeNLXGxp/CRfrF8Jyd3D2v1o+/8/pG/1:cpl3D29o+/8xQ

Score

10^/10

kinsing lumma zgrat loader rat stealer

Malware Config

Extracted

Family

lumma

C2

https://vesselspeedcrosswakew.site/api

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3304-1-0x00000000002A0000-0x000000000077A000-memory.dmp	family_zgrat_v1

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3304-1-0x00000000002A0000-0x000000000077A000-memory.dmp	net_reactor

Loads dropped DLL 1 IoCs

Processes:

file.exe

pid process

3304 file.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 3304 set thread context of 4652 3304 file.exe MsBuild.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3648 4652 WerFault.exe MsBuild.exe
2512 4652 WerFault.exe MsBuild.exe

pid	process
3304	file.exe

description	pid	process	target process
PID 3304 set thread context of 4652	3304	file.exe	MsBuild.exe

pid	pid_target	process	target process
3648	4652	WerFault.exe	MsBuild.exe
2512	4652	WerFault.exe	MsBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe
PID 3304 wrote to memory of 4652	3304	file.exe	MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 600
3⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1040
3⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4652 -ip 4652
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4652 -ip 4652
1⤵
PID:828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/3304-16-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-5-0x00000000055C0000-0x00000000057F6000-memory.dmp

Filesize
2.2MB

Download
memory/3304-17-0x0000000006EB0000-0x0000000006FB0000-memory.dmp

Filesize
1024KB

Download
memory/3304-4-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-18-0x0000000006EB0000-0x0000000006FB0000-memory.dmp

Filesize
1024KB

Download
memory/3304-6-0x0000000006930000-0x0000000006AC2000-memory.dmp

Filesize
1.6MB

Download
memory/3304-1-0x00000000002A0000-0x000000000077A000-memory.dmp

Filesize
4.9MB

Download
memory/3304-19-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-13-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-14-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3304-15-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-0-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-3-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-2-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/3304-12-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3304-20-0x0000000006EB0000-0x0000000006FB0000-memory.dmp

Filesize
1024KB

Download
memory/3304-28-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4652-25-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4652-26-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4652-27-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4652-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4652-30-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4652-29-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4652-31-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads