tinba | befd56c57cb06be02cf0a890cf5d25c4db57896a7efcce8b58e8c7dfe9051629

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b74b3e9a1a8df34637cac2f7d29c0b.exe
Size

160KB
MD5

24b74b3e9a1a8df34637cac2f7d29c0b
SHA1

3b32c1ed7c5ed26d708f65317027f7fe12c1845d
SHA256

befd56c57cb06be02cf0a890cf5d25c4db57896a7efcce8b58e8c7dfe9051629
SHA512

841ea38ecf1d1bd060426fc062e3dd51b0a7f1be1547b327205498623e6dd4bd2773e2dc0241a31d5c7f7b57d1b1e1521447ac387ae5cc1dd6da4c25c1c8c95b
SSDEEP

1536:pEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:iY+4MiIkLZJNAQ9J6v

Score

10^/10

tinba banker persistence trojan upx

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\359449D8 = "C:\\Users\\Admin\\AppData\\Roaming\\359449D8\\bin.exe"	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe
1872	winver.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1872	winver.exe
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1872	2396	24b74b3e9a1a8df34637cac2f7d29c0b.exe	29
PID 2396 wrote to memory of 1872	2396	24b74b3e9a1a8df34637cac2f7d29c0b.exe	29
PID 2396 wrote to memory of 1872	2396	24b74b3e9a1a8df34637cac2f7d29c0b.exe	29
PID 2396 wrote to memory of 1872	2396	24b74b3e9a1a8df34637cac2f7d29c0b.exe	29
PID 2396 wrote to memory of 1872	2396	24b74b3e9a1a8df34637cac2f7d29c0b.exe	29
PID 1872 wrote to memory of 1352	1872	winver.exe	7
PID 1872 wrote to memory of 1248	1872	winver.exe	9
PID 1872 wrote to memory of 1320	1872	winver.exe	8
PID 1872 wrote to memory of 1352	1872	winver.exe	7

C:\Users\Admin\AppData\Local\Temp\24b74b3e9a1a8df34637cac2f7d29c0b.exe
"C:\Users\Admin\AppData\Local\Temp\24b74b3e9a1a8df34637cac2f7d29c0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\winver.exe
  winver
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-24-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/1248-25-0x0000000077921000-0x0000000077922000-memory.dmp

Filesize
4KB

Download
memory/1320-21-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1320-26-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1352-11-0x0000000077921000-0x0000000077922000-memory.dmp

Filesize
4KB

Download
memory/1352-6-0x0000000002D80000-0x0000000002D86000-memory.dmp

Filesize
24KB

Download
memory/1352-27-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/1352-2-0x0000000002D80000-0x0000000002D86000-memory.dmp

Filesize
24KB

Download
memory/1352-23-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/1872-15-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1872-9-0x0000000077ACF000-0x0000000077AD1000-memory.dmp

Filesize
8KB

Download
memory/1872-32-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1872-31-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1872-7-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/1872-16-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1872-4-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1872-8-0x0000000077ACF000-0x0000000077AD0000-memory.dmp

Filesize
4KB

Download
memory/1872-10-0x0000000077AD0000-0x0000000077AD1000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2396-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x0000000001D80000-0x0000000002780000-memory.dmp

Filesize
10.0MB

Download
memory/2396-13-0x0000000001D80000-0x0000000002780000-memory.dmp

Filesize
10.0MB

Download
memory/2396-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download