kinsing

General

Target

58464df91d5b6c4e2e92a526b8b1c18a8e60eb925073ebccff6d59853c5715b8.sh
Size

35KB
Sample

250224-dcb4faykgw
MD5

f6c0eca5fd90b53e717a05bfa9cd11b7
SHA1

0d88648ee98e9471a04d61b665d8a0c5980b7339
SHA256

58464df91d5b6c4e2e92a526b8b1c18a8e60eb925073ebccff6d59853c5715b8
SHA512

1d7cf4d0d09e41200ec292875aabfef48170bdaa5967ab4be4fd1b733c335bf78bf795ba1cb0c695454868a72bc850e2fd53907aceb12c5829a7e411bff08774
SSDEEP

768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNytIuz:bOVF+D6cIwgosTz

Score

10^/10

Malware Config

Targets

- Target
  
  58464df91d5b6c4e2e92a526b8b1c18a8e60eb925073ebccff6d59853c5715b8.sh
- Size
  
  35KB
- MD5
  
  f6c0eca5fd90b53e717a05bfa9cd11b7
- SHA1
  
  0d88648ee98e9471a04d61b665d8a0c5980b7339
- SHA256
  
  58464df91d5b6c4e2e92a526b8b1c18a8e60eb925073ebccff6d59853c5715b8
- SHA512
  
  1d7cf4d0d09e41200ec292875aabfef48170bdaa5967ab4be4fd1b733c335bf78bf795ba1cb0c695454868a72bc850e2fd53907aceb12c5829a7e411bff08774
- SSDEEP
  
  768:b87mzQ5VFNcDAFLcIwgnoYq0xFBvgmuNytIuz:bOVF+D6cIwgosTz
Score

10^/10

kinsing xmrig xmrig_linux antivm defense_evasion discovery execution loader miner persistence privilege_escalation rootkit upx
- Kinsing
  Kinsing is a loader written in Golang.
  loader kinsing
- Kinsing family
  kinsing
- Kinsing payload
- Xmrig family
  xmrig
- Xmrig_linux family
  xmrig_linux
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Deletes system logs
  Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
  defense_evasion
- Executes dropped EXE
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Loads a kernel module
  Loads a Linux kernel module, potentially to achieve persistence
  rootkit
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalation
- Disables AppArmor
  Disables AppArmor security module.
- Disables SELinux
  Disables SELinux security module.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
  discovery
- Reads list of loaded kernel modules
  Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2 behavioral3 behavioral4