tinba | 446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655

General

Target

446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe
Size

225KB
MD5

5d74b4d766fb3ae3a544929be2d93850
SHA1

6e02c7de81664c90b76a68ca3baaaaeaaed74a59
SHA256

446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655
SHA512

9815b19791e5beec65bc684568dcb7c661424c56dbd7ba8640d5ff09f0488f30580f3706456b43b7a871394d7ababb190828f79741daf119e6f3bb930c95880d
SSDEEP

6144:3A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:3ATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\A4C2A045 = "C:\\Users\\Admin\\AppData\\Roaming\\A4C2A045\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe
2740	winver.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2740	winver.exe
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2740	1296	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe	31
PID 1296 wrote to memory of 2740	1296	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe	31
PID 1296 wrote to memory of 2740	1296	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe	31
PID 1296 wrote to memory of 2740	1296	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe	31
PID 1296 wrote to memory of 2740	1296	446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe	31
PID 2740 wrote to memory of 1204	2740	winver.exe	21
PID 2740 wrote to memory of 1104	2740	winver.exe	19
PID 2740 wrote to memory of 1180	2740	winver.exe	20
PID 2740 wrote to memory of 1204	2740	winver.exe	21
PID 2740 wrote to memory of 836	2740	winver.exe	23
PID 2740 wrote to memory of 1296	2740	winver.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204
- C:\Users\Admin\AppData\Local\Temp\446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe
  "C:\Users\Admin\AppData\Local\Temp\446019f8ec1112c63004a426d44a26816a3a1eeea94761e79dc16cc8c622f655N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-26-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/836-18-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/1104-29-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/1104-9-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/1180-12-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1180-28-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1204-15-0x0000000002E80000-0x0000000002E86000-memory.dmp

Filesize
24KB

Download
memory/1204-1-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/1204-3-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/1204-6-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/1204-27-0x0000000002E80000-0x0000000002E86000-memory.dmp

Filesize
24KB

Download
memory/1296-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-23-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/2740-4-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/2740-31-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads