tinba | 154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03f

General

Target

154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe
Size

237KB
MD5

e8aad678d9b78b481a69676f5a7fb660
SHA1

077b4ada1bdb042ca367d616e30259fde90f3a71
SHA256

154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03f
SHA512

c64bab8575fe59e5b66f373b2e2a74e756547c0ccdfd1f3b5a77167e49581b93195f0821c0ef7836350e37f43c869fe087e477c37397910138cbfb32d04daf87
SSDEEP

6144:zA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:zATuTAnKGwUAWVycQqgj

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDB5C13C = "C:\\Users\\Admin\\AppData\\Roaming\\CDB5C13C\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe
2868	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	winver.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2868	632	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe	31
PID 632 wrote to memory of 2868	632	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe	31
PID 632 wrote to memory of 2868	632	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe	31
PID 632 wrote to memory of 2868	632	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe	31
PID 632 wrote to memory of 2868	632	154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe	31
PID 2868 wrote to memory of 1236	2868	winver.exe	21
PID 2868 wrote to memory of 1120	2868	winver.exe	19
PID 2868 wrote to memory of 1184	2868	winver.exe	20
PID 2868 wrote to memory of 1236	2868	winver.exe	21
PID 2868 wrote to memory of 1288	2868	winver.exe	23

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe
  "C:\Users\Admin\AppData\Local\Temp\154ebc6e51d30fc88bd92b19485cbabfaab3526b71ad36d78c40e4612943c03fN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1120-24-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1120-11-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1184-26-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1184-14-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1236-6-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/1236-17-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1236-3-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/1236-1-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/1236-25-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1288-20-0x0000000001E70000-0x0000000001E76000-memory.dmp

Filesize
24KB

Download
memory/1288-27-0x0000000001E70000-0x0000000001E76000-memory.dmp

Filesize
24KB

Download
memory/2868-4-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2868-5-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2868-23-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2868-29-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads