Overview

overview

10

Static

static

b70098f14c...1d.exe

windows7_x64

10

b70098f14c...1d.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe

  • Size

    98KB

  • MD5

    ba9a863ee56789ab796c5a83008596ee

  • SHA1

    6e320537ec2dd84f763b76751c06f55ef5cd9233

  • SHA256

    b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d

  • SHA512

    f1e4ccef60b4b8bfbb62814dd28eadc1684444ebf6c1ac6482ff0cad9431333b182994e344af4f5c2a7c4b1b845ed6fa73c4ec2806ffbf8f8bc287c122c6a528

Score
10/10
tinbabankerpersistencetrojan

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

    trojanbankertinba
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe
      "C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe
        C:\Users\Admin\AppData\Local\Temp\b70098f14c366d6088c8075f2967e682ad10ded177be38cc1f3ab91881886f1d.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\winver.exe
          winver
          4⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2004
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1128

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1128-71-0x0000000001BC0000-0x0000000001BC6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1180-72-0x0000000000130000-0x0000000000136000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1224-76-0x0000000077DC0000-0x0000000077DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1224-74-0x0000000077DE0000-0x0000000077DE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1224-75-0x0000000077DD0000-0x0000000077DD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1224-66-0x0000000003920000-0x0000000003926000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1224-73-0x0000000003930000-0x0000000003936000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1540-61-0x0000000000401000-mapping.dmp
        Download
      • memory/1540-60-0x0000000000400000-0x000000000149A000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/1540-67-0x0000000000400000-0x0000000000404400-memory.dmp
        Filesize

        17KB

        Download
      • memory/1540-68-0x00000000018D0000-0x00000000022D0000-memory.dmp
        Filesize

        10.0MB

        Download
      • memory/1864-64-0x00000000001D0000-0x00000000001D4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1864-59-0x0000000076A81000-0x0000000076A83000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2004-70-0x0000000000180000-0x0000000000181000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2004-69-0x0000000000100000-0x0000000000106000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2004-65-0x0000000000CC0000-0x0000000000CD6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/2004-62-0x0000000000000000-mapping.dmp
        Download