Overview

overview

10

Static

static

de81c2c568...c8.exe

windows7_x64

10

de81c2c568...c8.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe

  • Size

    152KB

  • MD5

    bdf959504b5f4c4200e834929244b77b

  • SHA1

    5e802ffa9f31ed6eb20d0ead8795394b3003ff8c

  • SHA256

    de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8

  • SHA512

    028ea7463870901f73cb012dfc8210e567395dc3845f1952dbe41fc975157e3d24e8cbbc621b04c00361245181f10fe409a12b8c9979808b34a3026cbccff552

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe
      "C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe
        "C:\Users\Admin\AppData\Local\Temp\de81c2c568fd7912bcf194be4958fa0b2960a9f09f4efac247a5bacc0c5468c8.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\winver.exe
          winver
          4⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:828
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1212
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1128

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/336-62-0x0000000075551000-0x0000000075553000-memory.dmp
        Filesize

        8KB

        Download
      • memory/828-69-0x00000000009C0000-0x00000000009D6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/828-70-0x0000000000140000-0x0000000000147000-memory.dmp
        Filesize

        28KB

        Download
      • memory/828-65-0x0000000000000000-mapping.dmp
        Download
      • memory/828-71-0x0000000000180000-0x0000000000181000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1128-73-0x0000000001D60000-0x0000000001D67000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1212-74-0x00000000001A0000-0x00000000001A7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1264-72-0x0000000002F00000-0x0000000002F07000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1264-75-0x0000000002F10000-0x0000000002F17000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1264-77-0x0000000077440000-0x0000000077441000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1264-76-0x0000000077450000-0x0000000077451000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1264-78-0x0000000077420000-0x0000000077421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1308-63-0x0000000000400000-0x0000000000405000-memory.dmp
        Filesize

        20KB

        Download
      • memory/1308-68-0x00000000004B0000-0x0000000000EB0000-memory.dmp
        Filesize

        10.0MB

        Download
      • memory/1308-64-0x0000000000401000-mapping.dmp
        Download