Overview

overview

10

Static

static

b1f9e56f5f...4d.exe

windows7_x64

10

b1f9e56f5f...4d.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1f9e56f5f399655d7b00ed436c2514d.exe

  • Size

    152KB

  • MD5

    305ec15725b8982d7149c51c355e2040

  • SHA1

    4855474dd9fe83c3c26d215fe5d44b855b2602f5

  • SHA256

    11e8d690d96faf9092f3ce17ef36384660cab59bf2b1540f28c5671c26ecece2

  • SHA512

    e919936a6b0d2603785060df589be2253a2d1ebdbb444e1c3e2b173957f31d0982dba6dc88215f2ce4772a916bb28fbfae51f94fdc09e746dc24fe850bd0f404

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\b1f9e56f5f399655d7b00ed436c2514d.exe
          "C:\Users\Admin\AppData\Local\Temp\b1f9e56f5f399655d7b00ed436c2514d.exe"
          2⤵
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\SysWOW64\winver.exe
            winver
            3⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2036

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1080-0-0x0000000000220000-0x0000000000225000-memory.dmp
        Filesize

        20KB

        Download
      • memory/1116-3-0x00000000003A0000-0x00000000003A7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1176-4-0x00000000001A0000-0x00000000001A7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1236-2-0x0000000002B20000-0x0000000002B27000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1236-5-0x0000000002B30000-0x0000000002B37000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2036-1-0x0000000000000000-mapping.dmp
        Download