kinsing | 414d6d04818f03a3c45a8f4300fbae1ce5a5cee9beb8ce90417ea9d09314cc74

General

Target

file.exe
Size

2.5MB
MD5

fc774a4455b8929454e016518dfd234c
SHA1

4cb70043727b501919aad98a8e006b09ee37bba9
SHA256

414d6d04818f03a3c45a8f4300fbae1ce5a5cee9beb8ce90417ea9d09314cc74
SHA512

4e8e25638fd4848580077ed2f1d3cfe9e3acb88e97b6cc3bee4c3a997aa2cc04bc98a8784fe567ca0d7f30c51803f5d0b7bd056dc7173ee4afa847fa248b79e8
SSDEEP

49152:VkQTA0rFERkvK8YL17QGu4Etaaajq+UFn5LV/WFXFN17Zfd91:VaaEKcxQGYKjNuFwhFnH91

Score

10^/10

kinsing risepro loader stealer

Malware Config

Extracted

Family

risepro

C2

193.233.132.37:50500

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

.NET Reactor proctector 21 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4912-2-0x0000000005440000-0x00000000056A4000-memory.dmp	net_reactor
behavioral2/memory/4912-6-0x00000000051D0000-0x0000000005432000-memory.dmp	net_reactor
behavioral2/memory/4912-8-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-14-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-20-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-26-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-30-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-34-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-38-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-40-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-42-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-36-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-32-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-28-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-24-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-22-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-18-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-16-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-12-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-10-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor
behavioral2/memory/4912-7-0x00000000051D0000-0x000000000542D000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4912 set thread context of 2468 4912 file.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 4912 file.exe

description	pid	process	target process
PID 4912 set thread context of 2468	4912	file.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4912	file.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4912 wrote to memory of 1144	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1144	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1144	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 4320	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 4320	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 4320	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 5052	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 5052	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 5052	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1076	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1076	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1076	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1084	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1084	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 1084	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2576	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2576	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2576	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe
PID 4912 wrote to memory of 2468	4912	file.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-46-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2468-57-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2468-54-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2468-51-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4912-14-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-32-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-1-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4912-8-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-0-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-20-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-26-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-30-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-34-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-38-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-40-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-42-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-36-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-6-0x00000000051D0000-0x0000000005432000-memory.dmp

Filesize
2.4MB

Download
memory/4912-28-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-24-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-22-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-18-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-45-0x0000000002D90000-0x0000000004D90000-memory.dmp

Filesize
32.0MB

Download
memory/4912-2-0x0000000005440000-0x00000000056A4000-memory.dmp

Filesize
2.4MB

Download
memory/4912-5-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/4912-50-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-3-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4912-16-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-12-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-10-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-7-0x00000000051D0000-0x000000000542D000-memory.dmp

Filesize
2.4MB

Download
memory/4912-4-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing