Overview

overview

10

Static

static

dca0743551...a5.exe

windows7_x64

10

dca0743551...a5.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09-05-2021 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5.exe

  • Size

    98KB

  • MD5

    c94c47b62d0b6dd0da48475613e40c9f

  • SHA1

    2bbe856ed8f59e54f7090b36b16f5ed45fd54050

  • SHA256

    dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5

  • SHA512

    252b9b2a4a7c0c9c61917492f9a111e9928dcc8c2cd2ec64c0013173cf27f1cadbda1ca222bc439ea2119c2610d526325196e9fae0327fcb235847c216f4d436

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5.exe
        "C:\Users\Admin\AppData\Local\Temp\dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Users\Admin\AppData\Local\Temp\dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5.exe
          C:\Users\Admin\AppData\Local\Temp\dca0743551b1abb91d52a621f914d1f8fffdc75e265322d52c491fcd2e6849a5.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\SysWOW64\winver.exe
            winver
            4⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2036
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/296-65-0x0000000000370000-0x0000000000374000-memory.dmp
        Filesize

        16KB

        Download
      • memory/296-60-0x00000000757E1000-0x00000000757E3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1116-72-0x0000000001C20000-0x0000000001C26000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1168-74-0x00000000001A0000-0x00000000001A6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1196-73-0x0000000003BA0000-0x0000000003BA6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1196-77-0x00000000770A0000-0x00000000770A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1196-75-0x00000000770C0000-0x00000000770C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1196-76-0x00000000770B0000-0x00000000770B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1196-71-0x0000000003B90000-0x0000000003B96000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1924-61-0x0000000000400000-0x000000000149A000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/1924-66-0x0000000000400000-0x0000000000404400-memory.dmp
        Filesize

        17KB

        Download
      • memory/1924-67-0x0000000001830000-0x0000000002230000-memory.dmp
        Filesize

        10.0MB

        Download
      • memory/1924-62-0x0000000000401000-mapping.dmp
        Download
      • memory/2036-68-0x00000000006F0000-0x0000000000706000-memory.dmp
        Filesize

        88KB

        Download
      • memory/2036-69-0x0000000000100000-0x0000000000106000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2036-70-0x0000000000140000-0x0000000000141000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2036-63-0x0000000000000000-mapping.dmp
        Download