tinba | 3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a

General

Target

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
Size

98KB
MD5

ceabbec628e38d10806bbaa24ac4db69
SHA1

fddd22b3aee1cfa4ed60d58da6f15a551a06d8f0
SHA256

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a
SHA512

c53dc11f527abfa37fc160fa3be74e3b03859407ff1cfd290adc99096672942fd3cac1dbcec2b5dd83e3e60c1eea71dda2754312f78d970270e293caaa725667

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	winver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\8C8D26D4 = "C:\\Users\\Admin\\AppData\\Roaming\\8C8D26D4\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe

description	pid	process	target process
PID 3876 set thread context of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2564 3740 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2564	3740	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exewinver.exeWerFault.exe

pid	process
3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
2428	winver.exe
2428	winver.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe
2428	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Explorer.EXEWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeDebugPrivilege	2564	WerFault.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2428 winver.exe

pid	process
2428	winver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe

pid	process
3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exewinver.exe

description	pid	process	target process
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 3876 wrote to memory of 2156	3876	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
PID 2156 wrote to memory of 2428	2156	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	winver.exe
PID 2156 wrote to memory of 2428	2156	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	winver.exe
PID 2156 wrote to memory of 2428	2156	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	winver.exe
PID 2156 wrote to memory of 2428	2156	3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe	winver.exe
PID 2428 wrote to memory of 3016	2428	winver.exe	Explorer.EXE
PID 2428 wrote to memory of 2332	2428	winver.exe	sihost.exe
PID 2428 wrote to memory of 2356	2428	winver.exe	svchost.exe
PID 2428 wrote to memory of 2724	2428	winver.exe	taskhostw.exe
PID 2428 wrote to memory of 3016	2428	winver.exe	Explorer.EXE
PID 2428 wrote to memory of 3220	2428	winver.exe	ShellExperienceHost.exe
PID 2428 wrote to memory of 3240	2428	winver.exe	SearchUI.exe
PID 2428 wrote to memory of 3444	2428	winver.exe	RuntimeBroker.exe
PID 2428 wrote to memory of 3740	2428	winver.exe	DllHost.exe
PID 2428 wrote to memory of 1840	2428	winver.exe	DllHost.exe
PID 2428 wrote to memory of 2796	2428	winver.exe
PID 2428 wrote to memory of 2564	2428	winver.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3016

C:\Users\Admin\AppData\Local\Temp\3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
"C:\Users\Admin\AppData\Local\Temp\3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
C:\Users\Admin\AppData\Local\Temp\3b742a755437e97dbb2aeb0cae54556719c0ab49541774aaadc22f8292fa931a.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\winver.exe
winver
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2428

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2356

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3220

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3740 -s 848
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-129-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2156-115-0x0000000000400000-0x000000000149A000-memory.dmp

Filesize
16.6MB

Download
memory/2156-116-0x0000000000401000-mapping.dmp

Download
memory/2156-118-0x0000000000400000-0x0000000000404400-memory.dmp

Filesize
17KB

Download
memory/2156-119-0x00000000018E0000-0x00000000022E0000-memory.dmp

Filesize
10.0MB

Download
memory/2332-125-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/2356-126-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/2428-120-0x00000000006D0000-0x000000000077E000-memory.dmp

Filesize
696KB

Download
memory/2428-117-0x0000000000000000-mapping.dmp

Download
memory/2564-130-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2564-131-0x00007FFE1C2D0000-0x00007FFE1C2D1000-memory.dmp

Filesize
4KB

Download
memory/2724-127-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/3016-122-0x00007FFE1C2D0000-0x00007FFE1C2D1000-memory.dmp

Filesize
4KB

Download
memory/3016-121-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/3016-123-0x00007FFE1C2E0000-0x00007FFE1C2E1000-memory.dmp

Filesize
4KB

Download
memory/3016-124-0x0000000000890000-0x0000000000896000-memory.dmp

Filesize
24KB

Download
memory/3444-128-0x0000000000A20000-0x0000000000A26000-memory.dmp

Filesize
24KB

Download
memory/3876-114-0x0000000000610000-0x0000000000614000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads