tinba | ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe
Size

59KB
MD5

a7b271e92e88b1cbdb7c78301b52ec90
SHA1

43329afe49ed21b0ad91f64c0c88b5df3cf007b5
SHA256

ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51
SHA512

2da642f78fe4218530c2ab63557ece7ce15fc5c42c70a6dabb9b0a58fe5dcd681d54e7dd42e7ba80f28452baa15d7429e64ccfdb726bcde1f12dcc22b2f3a9bb
SSDEEP

768:w+6p+OMlgGMCWhfDzU7f7JDgiFP7xI57+sByZ+XsfXpwtGc9J1:w+mFM2HXKZgiFP7xIksu+XM5O9J1

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AFD83225 = "C:\\Users\\Admin\\AppData\\Roaming\\AFD83225\\bin.exe"	winver.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe
2356	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2356	winver.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2356	2416	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe	31
PID 2416 wrote to memory of 2356	2416	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe	31
PID 2416 wrote to memory of 2356	2416	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe	31
PID 2416 wrote to memory of 2356	2416	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe	31
PID 2416 wrote to memory of 2356	2416	ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe	31
PID 2356 wrote to memory of 1208	2356	winver.exe	21
PID 2356 wrote to memory of 1112	2356	winver.exe	19
PID 2356 wrote to memory of 1184	2356	winver.exe	20
PID 2356 wrote to memory of 1208	2356	winver.exe	21
PID 2356 wrote to memory of 1532	2356	winver.exe	23

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe
  "C:\Users\Admin\AppData\Local\Temp\ceb02ba49173458a28ab79b0689214496540f7cb126fb27444a1498ab5fb5d51N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-24-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1112-26-0x0000000077801000-0x0000000077802000-memory.dmp

Filesize
4KB

Download
memory/1184-19-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1184-25-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1208-1-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/1208-21-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/1208-9-0x0000000077801000-0x0000000077802000-memory.dmp

Filesize
4KB

Download
memory/1208-2-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/1208-3-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/1208-28-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/1532-23-0x00000000022F0000-0x00000000022F6000-memory.dmp

Filesize
24KB

Download
memory/1532-27-0x0000000077801000-0x0000000077802000-memory.dmp

Filesize
4KB

Download
memory/1532-29-0x00000000022F0000-0x00000000022F6000-memory.dmp

Filesize
24KB

Download
memory/2356-10-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/2356-5-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2356-7-0x00000000779AF000-0x00000000779B0000-memory.dmp

Filesize
4KB

Download
memory/2356-6-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/2356-8-0x00000000779AF000-0x00000000779B1000-memory.dmp

Filesize
8KB

Download
memory/2356-30-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2416-12-0x0000000001D30000-0x0000000002730000-memory.dmp

Filesize
10.0MB

Download
memory/2416-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2416-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2416-4-0x0000000001D30000-0x0000000002730000-memory.dmp

Filesize
10.0MB

Download