tinba | c0d361938370a4c318194b3140cc57984291f95b7f12e1d4577cbffe47c049e3

Analysis

max time kernel
44s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c113be262adac7b253efc2b4ce9e93e.exe
Size

160KB
MD5

4c113be262adac7b253efc2b4ce9e93e
SHA1

590e76f4df7f3a1ba155933e06198395610bfd99
SHA256

c0d361938370a4c318194b3140cc57984291f95b7f12e1d4577cbffe47c049e3
SHA512

ad81eabcbd570772d603270b2466d2f6e46f6964cdec2574f5c11fbcac63e9a28508708e4ac6d1bb992d3c90e5212bce295620bc21a9c4718f08e18e950fb005
SSDEEP

1536:mEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:NY+4MiIkLZJNAQ9J6v

Score

10^/10

tinba banker persistence trojan upx

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AAB62D9F = "C:\\Users\\Admin\\AppData\\Roaming\\AAB62D9F\\bin.exe"	winver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	winver.exe
5040	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5040	winver.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 5040	3004	4c113be262adac7b253efc2b4ce9e93e.exe	93
PID 3004 wrote to memory of 5040	3004	4c113be262adac7b253efc2b4ce9e93e.exe	93
PID 3004 wrote to memory of 5040	3004	4c113be262adac7b253efc2b4ce9e93e.exe	93
PID 3004 wrote to memory of 5040	3004	4c113be262adac7b253efc2b4ce9e93e.exe	93
PID 5040 wrote to memory of 3432	5040	winver.exe	68
PID 5040 wrote to memory of 2568	5040	winver.exe	78
PID 5040 wrote to memory of 2608	5040	winver.exe	77
PID 5040 wrote to memory of 2804	5040	winver.exe	74

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\4c113be262adac7b253efc2b4ce9e93e.exe
  "C:\Users\Admin\AppData\Local\Temp\4c113be262adac7b253efc2b4ce9e93e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5040

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2608

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-13-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/2608-17-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/2608-14-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/2804-15-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/3004-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3004-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3004-4-0x00000000022B0000-0x0000000002CB0000-memory.dmp

Filesize
10.0MB

Download
memory/3004-1-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3432-6-0x00007FF81F48D000-0x00007FF81F48E000-memory.dmp

Filesize
4KB

Download
memory/3432-9-0x00007FF81F620000-0x00007FF81F621000-memory.dmp

Filesize
4KB

Download
memory/3432-3-0x0000000001380000-0x0000000001386000-memory.dmp

Filesize
24KB

Download
memory/3432-2-0x0000000001380000-0x0000000001386000-memory.dmp

Filesize
24KB

Download
memory/3432-16-0x0000000001350000-0x0000000001356000-memory.dmp

Filesize
24KB

Download
memory/3632-18-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/5040-5-0x0000000077BC2000-0x0000000077BC3000-memory.dmp

Filesize
4KB

Download
memory/5040-7-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download