cinoshi | ec9ca9135a1052109a310cbf594ce26b2d52545c6f254d7d042ec61f09dfea90 | Triage

Resubmissions

29-09-2024 22:58

240929-2xvchsyclf 10

09-06-2024 00:45

240609-a33gjabf67 10

27-05-2024 17:20

240527-vwjfasbd51 10

26-05-2024 15:54

240526-tcc9hacf37 10

27-07-2023 00:48

230727-a53v3shd3w 7

25-07-2023 02:01

230725-cfzhgahh76 3

Sharing

General

Target

Nitro_Generator.rar
Size

2.2MB
Sample

240929-2xvchsyclf
MD5

5104afca697acdbbe257368d12a6d740
SHA1

f85669fa269c97ef7e1cf7ad738ca9108de970ab
SHA256

ec9ca9135a1052109a310cbf594ce26b2d52545c6f254d7d042ec61f09dfea90
SHA512

d5f54d16185d4cd100940abbf72795b08b5c41599f130cfd24a865672b8521acfa4242c70a709ec5770b24b9ae85eed24bb1f153bba374fa0cfbbf0f938cd351
SSDEEP

49152:Ta+uXZLXjFQQzRZaI7rYyPmIdPYd0McyZmSrNIObsMNWzJCJ1:di1jFQ+R0YrDmoYyVyZrrNnWzJ01

Score

10^/10

cinoshi redline bot discovery infostealer persistence spyware stealer

Malware Config

Targets

- Target
  
  nitro generator.exe
- Size
  
  2.7MB
- MD5
  
  3373253f2f609bd2c3fb917e7d5f753a
- SHA1
  
  00571dc9f73635d355d3123a42ad860eee21de07
- SHA256
  
  751736b637f142637a3efa5a4c8ba281c949e5054656554931514e6f03642bfa
- SHA512
  
  39024cb5fac8ba4524571f4e193409726fc0779ba1c2c67e9fa33b19bf5fa54297ee2470d0f9ad4a0cfe87f7a466a54b212e34c5c34e195f80a91dd4e788c341
- SSDEEP
  
  24576:W5FcdZnozS74/KabrCEmxE3pD1IQybpgwmFpo28x8aonpoNSHL9TIP6vV5tygavO:cFcjH7Qp5nVbpjR3iGnh2lRcKJq7Pw+
Score

10^/10

cinoshi redline bot discovery infostealer persistence spyware stealer
- Cinoshi
  Cinoshi stealer is part of Cinoshi project Malware-as-a-Service (MaaS) written in C#.
  bot stealer cinoshi
- Detect Cinoshi payload
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cinoshiredlinebotdiscoveryinfostealerpersistencespywarestealer