kinsing

General

Target

75129aa64ee308f0e0755c9a7fdb30c5
Size

556KB
Sample

240125-vvfysacdbl
MD5

75129aa64ee308f0e0755c9a7fdb30c5
SHA1

61032ff1e1186fe131bcc098513d980b6c04df0a
SHA256

13dd6a998bbcb295ebfbb6e82b14adfdca5a89d48448384acb26657f749f1058
SHA512

0a1085e251988806ecd3a8b56c48def1be56d1a2429bbe3895bc07fa7ca33c3209b472f9d46e9b368d7183215ab73d319bc874478ad1ea3d14e9fd1ffe63abb9
SSDEEP

12288:67Lo8Rs90X41cnOOWB2KpyYK4BVqZDx2mpmHPW9GROsI8w:67L1yMgcnOds44Fp2PWUDI8

Score

10^/10

Malware Config

Targets

- Target
  
  75129aa64ee308f0e0755c9a7fdb30c5
- Size
  
  556KB
- MD5
  
  75129aa64ee308f0e0755c9a7fdb30c5
- SHA1
  
  61032ff1e1186fe131bcc098513d980b6c04df0a
- SHA256
  
  13dd6a998bbcb295ebfbb6e82b14adfdca5a89d48448384acb26657f749f1058
- SHA512
  
  0a1085e251988806ecd3a8b56c48def1be56d1a2429bbe3895bc07fa7ca33c3209b472f9d46e9b368d7183215ab73d319bc874478ad1ea3d14e9fd1ffe63abb9
- SSDEEP
  
  12288:67Lo8Rs90X41cnOOWB2KpyYK4BVqZDx2mpmHPW9GROsI8w:67L1yMgcnOds44Fp2PWUDI8
Score

10^/10

evasion persistence spyware stealer upx kinsing loader
- Kinsing
  Kinsing is a loader written in Golang.
  loader kinsing
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2