Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2021, 3:41 p.m.	Sept. 23, 2021, 3:41 p.m.

Size	14.0MB
Type	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5	`648effa354b3cbaad87b45f48d59c616`
SHA256	`6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b`
CRC32	`BC518B68`
ssdeep	`98304:zpU9MTfASNlnewCIoxAlfVG9bnY+Zx+A:zG9GfASNlnewChxAxVWbY`
Yara	Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware anti_vm_detect - Possibly employs anti-virtualization techniques IsELF - Executable and Linking Format executable file (Linux/Unix)

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\kinsing.js
2216

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 23, 2021, 3:41 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 wscript+0x2fbd @ 0xca2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 2357188 registers.edi: 0 registers.eax: 11571136 registers.ebp: 2357216 registers.edx: 1 registers.ebx: 0 registers.esi: 5532064 registers.ecx: 1922250204	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 23, 2021, 3:41 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
wscript+0x2fbd @ 0xca2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 2357188
registers.edi: 0
registers.eax: 11571136
registers.ebp: 2357216
registers.edx: 1
registers.ebx: 0
registers.esi: 5532064
registers.ecx: 1922250204

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Linux.Agent.4!c
MicroWorld-eScan	Trojan.GenericKD.45832277
FireEye	Trojan.GenericKD.45832277
CAT-QuickHeal	Elf.Trojan.A1481096
Zillya	Downloader.Agent.Linux.1128
Arcabit	Trojan.Generic.D2BB5855
Cyren	E64/Trojan.STKN-0
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Linux/CoinMiner.QX
TrendMicro-HouseCall	Coinminer.Linux.MALXMR.PUWEMA
Avast	ELF:Agent-APQ [Trj]
ClamAV	Unix.Trojan.Generic-9840604-0
Kaspersky	HEUR:Trojan.Linux.Agent.hn
BitDefender	Trojan.GenericKD.45832277
NANO-Antivirus	Trojan.Elf64.BtcMine.ifrhhr
Tencent	Linux.Trojan.Coinminer.Wogk
Ad-Aware	Trojan.GenericKD.45832277
Sophos	Linux/Miner-ZS
Comodo	Malware@#24tyq1189df66
DrWeb	Linux.BtcMine.361
TrendMicro	Coinminer.Linux.MALXMR.PUWEMA
McAfee-GW-Edition	LINUX/Kinsing.a
Emsisoft	Trojan.GenericKD.45832277 (B)
SentinelOne	Static AI - Malicious ELF
Jiangmin	Trojan.Linux.aun
Avira	LINUX/Agent.hpdmz
Antiy-AVL	Trojan/Generic.ASELF.3D95F
Microsoft	Trojan:Linux/Kinsing.L
ViRobot	Linux.S.Agent.14643200
ZoneAlarm	HEUR:Trojan.Linux.Agent.hn
GData	Trojan.GenericKD.45832277
Cynet	Malicious (score: 99)
AhnLab-V3	CoinMiner/Linux.Agent.14643200
ALYac	Trojan.Linux.Agent
MAX	malware (ai score=100)
Ikarus	LINUX.CoinMiner
Fortinet	ELF/CoinMiner.CFA!tr
AVG	ELF:Agent-APQ [Trj]

kinsing

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All