tinba | c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1

General

Target

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
Size

128KB
MD5

bcaf9b6c070ec54cea97c5bf6033b2d6
SHA1

a3ff666fd3f884c34a93dbb53e39cf02c3eab61d
SHA256

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1
SHA512

c3c9ac31c28d3d783255aa7c6f0ed4159c694b5c9bcd7a5461d00cfb80bee085bf466daef757179abb50c93be08293e7d627621021c902fcf85433655b92b1c9

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	winver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A1879704 = "C:\\Users\\Admin\\AppData\\Roaming\\A1879704\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe

description	pid	process	target process
PID 3924 set thread context of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3564 3832 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3564	3832	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exewinver.exeWerFault.exe

pid	process
3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
3564	WerFault.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe
2540	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE

pid	process
3064	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WerFault.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3564	WerFault.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2540 winver.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe

pid process

3924 c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE

pid	process
2540	winver.exe

pid	process
3064	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exec0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exewinver.exe

description	pid	process	target process
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 3924 wrote to memory of 2504	3924	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
PID 2504 wrote to memory of 2540	2504	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	winver.exe
PID 2504 wrote to memory of 2540	2504	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	winver.exe
PID 2504 wrote to memory of 2540	2504	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	winver.exe
PID 2504 wrote to memory of 2540	2504	c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe	winver.exe
PID 2540 wrote to memory of 3064	2540	winver.exe	Explorer.EXE
PID 2540 wrote to memory of 2360	2540	winver.exe	sihost.exe
PID 2540 wrote to memory of 2372	2540	winver.exe	svchost.exe
PID 2540 wrote to memory of 2508	2540	winver.exe	taskhostw.exe
PID 2540 wrote to memory of 3064	2540	winver.exe	Explorer.EXE
PID 2540 wrote to memory of 3280	2540	winver.exe	ShellExperienceHost.exe
PID 2540 wrote to memory of 3288	2540	winver.exe	SearchUI.exe
PID 2540 wrote to memory of 3500	2540	winver.exe	RuntimeBroker.exe
PID 2540 wrote to memory of 3832	2540	winver.exe	DllHost.exe
PID 2540 wrote to memory of 1976	2540	winver.exe	DllHost.exe
PID 2540 wrote to memory of 2576	2540	winver.exe
PID 2540 wrote to memory of 3564	2540	winver.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3064

C:\Users\Admin\AppData\Local\Temp\c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
"C:\Users\Admin\AppData\Local\Temp\c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
C:\Users\Admin\AppData\Local\Temp\c0b717edabb4e5ef8f7b648bea21bf39f6a33966f596d432c6f2c40684aef0d1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\winver.exe
winver
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3832 -s 852
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3288

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2372

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-128-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/2360-124-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/2372-125-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/2504-119-0x0000000001790000-0x0000000002190000-memory.dmp

Filesize
10.0MB

Download
memory/2504-116-0x0000000000401000-mapping.dmp

Download
memory/2504-114-0x0000000000400000-0x000000000149A000-memory.dmp

Filesize
16.6MB

Download
memory/2504-118-0x0000000000400000-0x0000000000404400-memory.dmp

Filesize
17KB

Download
memory/2508-126-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2540-129-0x0000000004940000-0x0000000004946000-memory.dmp

Filesize
24KB

Download
memory/2540-120-0x0000000002E00000-0x0000000002F4A000-memory.dmp

Filesize
1.3MB

Download
memory/2540-117-0x0000000000000000-mapping.dmp

Download
memory/3064-123-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/3064-122-0x00007FFFDB540000-0x00007FFFDB541000-memory.dmp

Filesize
4KB

Download
memory/3064-121-0x00000000007F0000-0x00000000007F6000-memory.dmp

Filesize
24KB

Download
memory/3064-133-0x00007FFFDB550000-0x00007FFFDB551000-memory.dmp

Filesize
4KB

Download
memory/3500-127-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/3564-131-0x00007FFFDB540000-0x00007FFFDB541000-memory.dmp

Filesize
4KB

Download
memory/3564-130-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/3564-132-0x00007FFFDB530000-0x00007FFFDB531000-memory.dmp

Filesize
4KB

Download
memory/3924-115-0x0000000000A90000-0x0000000000A94000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads