tinba | ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019

General

Target

ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
Size

148KB
MD5

1dbeee8212ba715ab6c63937976c9404
SHA1

b0c8f9326f575363275be2c7a1bab7b884e4e028
SHA256

ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019
SHA512

93dac0afac2b95bbad99368811c2aea1ca6ef50a34f7bb70a183c70643f56fdf1fbbf1c13d21a9dbfc2f393c8e1e150cb86161f0cd30e66969887e7b5891897d
SSDEEP

3072:utoxi/iMEn+t1u42T2P4JE15dydO5b6Q0lel2qX:umi/iMDtQRT2PvpWwMqX

Score

10^/10

tinba banker persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	EXPLORER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2ECCC85B = "C:\\Users\\Admin\\AppData\\Roaming\\2ECCC85B\\bin.exe"	EXPLORER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
2832	EXPLORER.exe
2832	EXPLORER.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 1668 wrote to memory of 4148	1668	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	84
PID 4148 wrote to memory of 2832	4148	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	85
PID 4148 wrote to memory of 2832	4148	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	85
PID 4148 wrote to memory of 2832	4148	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	85
PID 4148 wrote to memory of 2832	4148	ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe	85
PID 2832 wrote to memory of 2708	2832	EXPLORER.exe	26
PID 2832 wrote to memory of 2816	2832	EXPLORER.exe	57
PID 2832 wrote to memory of 2864	2832	EXPLORER.exe	56
PID 2832 wrote to memory of 764	2832	EXPLORER.exe	54
PID 2832 wrote to memory of 2892	2832	EXPLORER.exe	27
PID 2832 wrote to memory of 3256	2832	EXPLORER.exe	53

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
  "C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe
    "C:\Users\Admin\AppData\Local\Temp\ccd68df63f0b4cd030fc9d1617ba4c0af36926b626996565503bfef2e9488019.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\EXPLORER.exe
      EXPLORER
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2832

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-140-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/1668-134-0x0000000000AA0000-0x0000000000AA4000-memory.dmp

Filesize
16KB

Download
memory/2708-139-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2816-141-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2832-138-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/2864-142-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/4148-133-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4148-136-0x0000000000400000-0x0000000000404600-memory.dmp

Filesize
17KB

Download
memory/4148-137-0x00000000017F0000-0x00000000021F0000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing