Malware Analysis Report

2025-01-19 07:38

Sample ID 231127-clncdsdg26
Target db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b
SHA256 db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b
Tags: tinba banker persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b

Threat Level: Known bad

The file db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan

Tinba / TinyBanker

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-27 02:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-27 02:09

Reported

2023-11-27 02:12

Platform

win7-20231025-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\4EEA8955 = "C:\\Users\\Admin\\AppData\\Roaming\\4EEA8955\\bin.exe"
Process: C:\Windows\SysWOW64\explorer.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\explorer.exe (64 identical hits)
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Windows\Explorer.EXE
Target: N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b.exe

"C:\Users\Admin\AppData\Local\Temp\db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer

Network

Country Destination Domain Proto
US 8.8.8.8:53 jw61gd6328hdy3tep.cc udp
US 216.218.185.162:80 jw61gd6328hdy3tep.cc tcp

Files

memory/2936-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2936-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2936-2-0x0000000002140000-0x0000000002B40000-memory.dmp

memory/2088-5-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2936-3-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2088-6-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1116-10-0x0000000001D20000-0x0000000001D27000-memory.dmp

memory/1172-13-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1116-16-0x0000000001D20000-0x0000000001D27000-memory.dmp

memory/1116-18-0x0000000077C51000-0x0000000077C52000-memory.dmp

memory/1172-20-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1208-22-0x0000000077C51000-0x0000000077C52000-memory.dmp

memory/1208-24-0x0000000002AA0000-0x0000000002AA7000-memory.dmp

memory/2936-26-0x0000000077E00000-0x0000000077E01000-memory.dmp

memory/2936-28-0x0000000077DFF000-0x0000000077E00000-memory.dmp

memory/2936-21-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1208-17-0x0000000002AA0000-0x0000000002AA7000-memory.dmp

memory/2936-29-0x0000000077DFF000-0x0000000077E01000-memory.dmp

memory/2088-30-0x0000000077E00000-0x0000000077E01000-memory.dmp

memory/2088-31-0x0000000077DFF000-0x0000000077E00000-memory.dmp

memory/2088-32-0x0000000077DFF000-0x0000000077E01000-memory.dmp

memory/2936-33-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2088-34-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/2088-35-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2936-42-0x0000000002140000-0x0000000002B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-27 02:09

Reported

2023-11-27 02:12

Platform

win10v2004-20231023-en

Max time kernel

33s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b.exe

"C:\Users\Admin\AppData\Local\Temp\db72dd16612d30a3e1a3126bbc946de1ea89a0fb597ef41a35c15748f4b73a9b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 jw61gd6328hdy3tep.cc udp

Files

memory/3336-0-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3336-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3336-2-0x0000000002570000-0x0000000002F70000-memory.dmp

memory/3336-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/2156-6-0x0000000000890000-0x0000000000897000-memory.dmp

memory/2156-7-0x0000000000890000-0x0000000000897000-memory.dmp

memory/2156-8-0x0000000000890000-0x0000000000897000-memory.dmp

memory/2340-12-0x0000000000EE0000-0x0000000000EE7000-memory.dmp

memory/2440-13-0x0000000000E60000-0x0000000000E67000-memory.dmp

memory/2300-15-0x0000000000580000-0x0000000000587000-memory.dmp

memory/2300-17-0x00007FFC8E5AD000-0x00007FFC8E5AE000-memory.dmp