tinba | fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73

General

Target

fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe
Size

237KB
MD5

e8c752adad92304abf76ebf9ed708bb0
SHA1

ac5dd1a5a7083c042c84aeedca86f44eedb1e355
SHA256

fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73
SHA512

2acfa2e4f37984cf759c34704896992e51b8a2e650d0724f8f0e00796776e767c64590524aaed868a7cad5b2076f7b743b6e8ab5a360f7b0e9641a245e6ef03c
SSDEEP

6144:NA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYA:NATuTAnKGwUAWVycQqgB

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DE08D181 = "C:\\Users\\Admin\\AppData\\Roaming\\DE08D181\\bin.exe"	winver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe
2248	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2248	winver.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2248	2568	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe	31
PID 2568 wrote to memory of 2248	2568	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe	31
PID 2568 wrote to memory of 2248	2568	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe	31
PID 2568 wrote to memory of 2248	2568	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe	31
PID 2568 wrote to memory of 2248	2568	fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe	31
PID 2248 wrote to memory of 1200	2248	winver.exe	21
PID 2248 wrote to memory of 1088	2248	winver.exe	19
PID 2248 wrote to memory of 1172	2248	winver.exe	20
PID 2248 wrote to memory of 1200	2248	winver.exe	21
PID 2248 wrote to memory of 1416	2248	winver.exe	23
PID 2248 wrote to memory of 2568	2248	winver.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe
  "C:\Users\Admin\AppData\Local\Temp\fe04ec7f1ffa0f12a5099a98fc5e5dfabf16004c821bac754c8d2302ce82fd73.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-29-0x0000000001BC0000-0x0000000001BC6000-memory.dmp

Filesize
24KB

Download
memory/1088-11-0x0000000001BC0000-0x0000000001BC6000-memory.dmp

Filesize
24KB

Download
memory/1172-14-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1172-26-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1200-17-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/1200-1-0x0000000002B50000-0x0000000002B56000-memory.dmp

Filesize
24KB

Download
memory/1200-27-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/1200-6-0x0000000002B50000-0x0000000002B56000-memory.dmp

Filesize
24KB

Download
memory/1200-3-0x0000000002B50000-0x0000000002B56000-memory.dmp

Filesize
24KB

Download
memory/1416-20-0x0000000001EC0000-0x0000000001EC6000-memory.dmp

Filesize
24KB

Download
memory/1416-28-0x0000000001EC0000-0x0000000001EC6000-memory.dmp

Filesize
24KB

Download
memory/2248-4-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2248-25-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2248-31-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2568-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads