tinba | a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654

General

Target

a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe
Size

160KB
MD5

8f4fb0827a88cb504206e5e531bb9e43
SHA1

0c1c55c624d970fab4cb57acb4ccd04c5cf0b7be
SHA256

a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654
SHA512

306403a13d55dfe69299b2fb4e08087b66a5eaaace2afcb272665c47c70b01fdf94f5262cc15ad23766c80621bb2aa455322912354f1c0251bba4e691ba54f7b
SSDEEP

1536:SEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xphM:ZY+4MiIkLZJNAQ9J6ve

Score

10^/10

tinba banker discovery persistence trojan upx

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DD37A6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\DD37A6E5\\bin.exe"	winver.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1292-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exewinver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

winver.exe

pid	process
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe
2712	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2712 winver.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exewinver.exe

description	pid	process	target process
PID 1292 wrote to memory of 2712	1292	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe	winver.exe
PID 1292 wrote to memory of 2712	1292	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe	winver.exe
PID 1292 wrote to memory of 2712	1292	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe	winver.exe
PID 1292 wrote to memory of 2712	1292	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe	winver.exe
PID 1292 wrote to memory of 2712	1292	a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe	winver.exe
PID 2712 wrote to memory of 1208	2712	winver.exe	Explorer.EXE
PID 2712 wrote to memory of 1120	2712	winver.exe	taskhost.exe
PID 2712 wrote to memory of 1176	2712	winver.exe	Dwm.exe
PID 2712 wrote to memory of 1208	2712	winver.exe	Explorer.EXE
PID 2712 wrote to memory of 1288	2712	winver.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe
  "C:\Users\Admin\AppData\Local\Temp\a937fa77d341969272de40c1c9162d68138a18bd1336f2f23ba49f3d99c34654.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-26-0x0000000077121000-0x0000000077122000-memory.dmp

Filesize
4KB

Download
memory/1120-25-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1176-19-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/1176-27-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download
memory/1208-2-0x00000000029B0000-0x00000000029B6000-memory.dmp

Filesize
24KB

Download
memory/1208-4-0x00000000029B0000-0x00000000029B6000-memory.dmp

Filesize
24KB

Download
memory/1208-10-0x0000000077121000-0x0000000077122000-memory.dmp

Filesize
4KB

Download
memory/1208-24-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1208-3-0x00000000029B0000-0x00000000029B6000-memory.dmp

Filesize
24KB

Download
memory/1208-21-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1288-28-0x0000000001DE0000-0x0000000001DE6000-memory.dmp

Filesize
24KB

Download
memory/1288-29-0x0000000077121000-0x0000000077122000-memory.dmp

Filesize
4KB

Download
memory/1288-23-0x0000000001DE0000-0x0000000001DE6000-memory.dmp

Filesize
24KB

Download
memory/1292-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1292-13-0x0000000001B50000-0x0000000002550000-memory.dmp

Filesize
10.0MB

Download
memory/1292-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1292-5-0x0000000001B50000-0x0000000002550000-memory.dmp

Filesize
10.0MB

Download
memory/1292-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2712-6-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/2712-7-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/2712-8-0x00000000772CF000-0x00000000772D0000-memory.dmp

Filesize
4KB

Download
memory/2712-9-0x00000000772CF000-0x00000000772D1000-memory.dmp

Filesize
8KB

Download
memory/2712-11-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2712-30-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads