tinba | e8fea5cd34b6c3ccc3190fee8ff15c2202c3e85fe4d03cad85b6c3bc5d472c84

General

Target

2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe
Size

225KB
MD5

ad9a0f5976eaa735b8e15f0b1ed9d0ce
SHA1

4250db59c140f597030d29b3bb2c5772e337e554
SHA256

e8fea5cd34b6c3ccc3190fee8ff15c2202c3e85fe4d03cad85b6c3bc5d472c84
SHA512

26137a6c93c4f0b8c45b52afc349bb98a019acbda1e99d476a87ea6baead2778479e9480626e1a95e7dc806d0fd000c4fb954a778e80986cea495e5f61e20831
SSDEEP

6144:LA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:LATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker discovery trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2728	winver.exe
2728	winver.exe
2728	winver.exe
2728	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2728	winver.exe
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2728	2832	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe	31
PID 2832 wrote to memory of 2728	2832	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe	31
PID 2832 wrote to memory of 2728	2832	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe	31
PID 2832 wrote to memory of 2728	2832	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe	31
PID 2832 wrote to memory of 2728	2832	2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe	31
PID 2728 wrote to memory of 1192	2728	winver.exe	21
PID 2728 wrote to memory of 1096	2728	winver.exe	19
PID 2728 wrote to memory of 1160	2728	winver.exe	20
PID 2728 wrote to memory of 1192	2728	winver.exe	21
PID 2728 wrote to memory of 1668	2728	winver.exe	25
PID 2728 wrote to memory of 2832	2728	winver.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_ad9a0f5976eaa735b8e15f0b1ed9d0ce_amadey_rhadamanthys_smoke-loader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-9-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

Filesize
24KB

Download
memory/1096-26-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

Filesize
24KB

Download
memory/1160-29-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1160-12-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1192-3-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/1192-15-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/1192-1-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/1192-27-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/1192-6-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/1668-18-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1668-28-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2728-23-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2728-4-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/2832-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing