tinba | 1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe
Size

62KB
MD5

d0961ebbbb96c022100600a224d216fc
SHA1

949495ea7e34f9e5859603a6a4887741ce8833cd
SHA256

1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538
SHA512

5d4e1875dd53f0a58a01f5aff15e9f6395904d9c422f9c84061a6ec99b428cc34bea1591669d064b050e5ed0c456d1a3a643e6c73f03cb1ade3867f17107cac1
SSDEEP

768:fQiFq/HBQ/FuktI39dPOsB9kjI41E14grGe76g80MD7q/HBQQQOtZaO7X/RAaabu:4gquFSk3iMD7qVtzDR5aKiBlGKFCB

Score

10^/10

tinba banker discovery persistence trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\5F0F193B = "C:\\Users\\Admin\\AppData\\Roaming\\5F0F193B\\bin.exe"	winver.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	winver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 1176 wrote to memory of 2524	1176	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	29
PID 2524 wrote to memory of 2116	2524	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	30
PID 2524 wrote to memory of 2116	2524	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	30
PID 2524 wrote to memory of 2116	2524	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	30
PID 2524 wrote to memory of 2116	2524	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	30
PID 2524 wrote to memory of 2116	2524	1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe	30
PID 2116 wrote to memory of 1364	2116	winver.exe	20
PID 2116 wrote to memory of 1212	2116	winver.exe	18
PID 2116 wrote to memory of 1300	2116	winver.exe	19
PID 2116 wrote to memory of 1364	2116	winver.exe	20
PID 2116 wrote to memory of 1124	2116	winver.exe	22

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe
  "C:\Users\Admin\AppData\Local\Temp\1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe
    "C:\Users\Admin\AppData\Local\Temp\1c41d403e66b43f22be8ca512e22483be53f4c8ea2061d72279bf94802a58538.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\winver.exe
      winver
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-33-0x0000000001E30000-0x0000000001E36000-memory.dmp

Filesize
24KB

Download
memory/1124-28-0x0000000077A01000-0x0000000077A02000-memory.dmp

Filesize
4KB

Download
memory/1124-21-0x0000000001E30000-0x0000000001E36000-memory.dmp

Filesize
24KB

Download
memory/1124-26-0x0000000001E30000-0x0000000001E36000-memory.dmp

Filesize
24KB

Download
memory/1124-27-0x0000000077A01000-0x0000000077A02000-memory.dmp

Filesize
4KB

Download
memory/1212-14-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1212-22-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1212-23-0x0000000077A01000-0x0000000077A02000-memory.dmp

Filesize
4KB

Download
memory/1300-24-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/1300-16-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/1364-19-0x0000000002650000-0x0000000002656000-memory.dmp

Filesize
24KB

Download
memory/1364-25-0x0000000002650000-0x0000000002656000-memory.dmp

Filesize
24KB

Download
memory/1364-10-0x0000000077A01000-0x0000000077A02000-memory.dmp

Filesize
4KB

Download
memory/1364-8-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1364-4-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1364-3-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/2116-7-0x0000000000EB1000-0x0000000000EB2000-memory.dmp

Filesize
4KB

Download
memory/2116-9-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

Filesize
88KB

Download
memory/2116-5-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2116-34-0x00000000779B0000-0x0000000077B59000-memory.dmp

Filesize
1.7MB

Download
memory/2524-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download