8bab13995983e8072027da514a3f8aaea38a4c26400fb63e1f4b855ff9a82971 | Triage

Sharing

General

Target

kins_2.0.9.13.vir
Size

249KB
Sample

200719-3sxatvx5dx
MD5

1d36badcc048ba21a142788f03c2e440
SHA1

22f9faf9d9514dc452610d31019c376eebfd3fb0
SHA256

8bab13995983e8072027da514a3f8aaea38a4c26400fb63e1f4b855ff9a82971
SHA512

b3d517b6c999fb53af2dc5aa29233107c1938a54c918108cfc0372ffa58b2e3865e351b0e196ca54ca8804690c05f9a0f4c6e0637cd7c75f7f3c7ad0e5fc0090

Score

8^/10

evasion persistence

Malware Config

Targets

- Target
  
  kins_2.0.9.13.vir
- Size
  
  249KB
- MD5
  
  1d36badcc048ba21a142788f03c2e440
- SHA1
  
  22f9faf9d9514dc452610d31019c376eebfd3fb0
- SHA256
  
  8bab13995983e8072027da514a3f8aaea38a4c26400fb63e1f4b855ff9a82971
- SHA512
  
  b3d517b6c999fb53af2dc5aa29233107c1938a54c918108cfc0372ffa58b2e3865e351b0e196ca54ca8804690c05f9a0f4c6e0637cd7c75f7f3c7ad0e5fc0090
Score

8^/10

evasion persistence
- Executes dropped EXE
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2