tinba | ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019

General

Target

ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
Size

148KB
MD5

1dbeee8212ba715ab6c63937976c9404
SHA1

b0c8f9326f575363275be2c7a1bab7b884e4e028
SHA256

ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019
SHA512

93dac0afac2b95bbad99368811c2aea1ca6ef50a34f7bb70a183c70643f56fdf1fbbf1c13d21a9dbfc2f393c8e1e150cb86161f0cd30e66969887e7b5891897d
SSDEEP

3072:utoxi/iMEn+t1u42T2P4JE15dydO5b6Q0lel2qX:umi/iMDtQRT2PvpWwMqX

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	EXPLORER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\A6F788C8 = "C:\\Users\\Admin\\AppData\\Roaming\\A6F788C8\\bin.exe"	EXPLORER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe
656	EXPLORER.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 600 wrote to memory of 752	600	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	28
PID 752 wrote to memory of 656	752	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	29
PID 752 wrote to memory of 656	752	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	29
PID 752 wrote to memory of 656	752	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	29
PID 752 wrote to memory of 656	752	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	29
PID 752 wrote to memory of 656	752	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	29
PID 656 wrote to memory of 1104	656	EXPLORER.exe	9
PID 656 wrote to memory of 1180	656	EXPLORER.exe	17
PID 656 wrote to memory of 1212	656	EXPLORER.exe	16

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1212
- C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
  "C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
    "C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\EXPLORER.exe
      EXPLORER
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:656

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/600-62-0x00000000005C0000-0x00000000005C4000-memory.dmp

Filesize
16KB

Download
memory/656-81-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/656-80-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/656-70-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/656-69-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/656-67-0x0000000074641000-0x0000000074643000-memory.dmp

Filesize
8KB

Download
memory/752-60-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/752-64-0x00000000015A0000-0x0000000001FA0000-memory.dmp

Filesize
10.0MB

Download
memory/752-63-0x0000000000400000-0x0000000000404600-memory.dmp

Filesize
17KB

Download
memory/752-68-0x00000000015A0000-0x0000000001FA0000-memory.dmp

Filesize
10.0MB

Download
memory/752-58-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/752-57-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/752-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1104-71-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1104-77-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1180-78-0x0000000001CB0000-0x0000000001CB6000-memory.dmp

Filesize
24KB

Download
memory/1212-79-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing