tinba | eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe
Size

54KB
MD5

c322006370baef36ea57f647e97d6832
SHA1

7aacb99e2ef3fc61c0565190f80a696cfae8239e
SHA256

eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d
SHA512

1845136b77e0ee1c3353e152337b47be3996bf046ab48cd0a2aabd39a073d4147ac985135b796702106f1a331676547a53caba574500350d241cfe47651238c8
SSDEEP

768:j3CCRtWM5usSRJDTlLTOpJiqRZNoCRtxihG1gfFNsHWP4jBG:b5tPusSRJDTlLTOpJiaDjts4gfFi2+Q

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\0965194F = "C:\\Users\\Admin\\AppData\\Roaming\\0965194F\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe
2480	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2480	winver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 2108 wrote to memory of 1412	2108	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	31
PID 1412 wrote to memory of 2480	1412	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	32
PID 1412 wrote to memory of 2480	1412	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	32
PID 1412 wrote to memory of 2480	1412	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	32
PID 1412 wrote to memory of 2480	1412	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	32
PID 1412 wrote to memory of 2480	1412	eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe	32
PID 2480 wrote to memory of 1212	2480	winver.exe	21
PID 2480 wrote to memory of 1104	2480	winver.exe	19
PID 2480 wrote to memory of 1192	2480	winver.exe	20
PID 2480 wrote to memory of 1212	2480	winver.exe	21
PID 2480 wrote to memory of 1620	2480	winver.exe	25

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe
  "C:\Users\Admin\AppData\Local\Temp\eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe
    "C:\Users\Admin\AppData\Local\Temp\eba0ab52182f7497c6b9ae21a67058733081a717f6ecc43a55b2fa4b2557ed9d.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\winver.exe
      winver
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-17-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/1104-30-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/1104-31-0x0000000077A71000-0x0000000077A72000-memory.dmp

Filesize
4KB

Download
memory/1192-20-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1192-32-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1212-33-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/1212-11-0x0000000077A71000-0x0000000077A72000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000002E00000-0x0000000002E06000-memory.dmp

Filesize
24KB

Download
memory/1212-5-0x0000000002E00000-0x0000000002E06000-memory.dmp

Filesize
24KB

Download
memory/1212-4-0x0000000002E00000-0x0000000002E06000-memory.dmp

Filesize
24KB

Download
memory/1212-23-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/1412-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1620-35-0x0000000077A71000-0x0000000077A72000-memory.dmp

Filesize
4KB

Download
memory/1620-34-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/1620-26-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/2480-29-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2480-12-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/2480-3-0x00000000001C1000-0x00000000001C2000-memory.dmp

Filesize
4KB

Download
memory/2480-6-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/2480-9-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/2480-41-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download