tinba | 2c66741a7454ed6f9bfb29a7ac2784b0ff745a9e98a81902d54ac958482933b8

General

Target

2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe
Size

225KB
MD5

278c0ec8a3d550c377f588316b2daa9a
SHA1

7f0f151ba3ed6b96b91e046ba6ecbe90cd5e9425
SHA256

2c66741a7454ed6f9bfb29a7ac2784b0ff745a9e98a81902d54ac958482933b8
SHA512

37949609cb666ad9aba3c58d9873a448806704ff35c42799a034ed33d40efaa742f9a94a9baf633d27133638b46068a18ab9ac80860e4fd226eb3029687f9efc
SSDEEP

6144:+A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:+ATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker discovery trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2992	winver.exe
2992	winver.exe
2992	winver.exe
2992	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	winver.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2992	2340	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe	29
PID 2340 wrote to memory of 2992	2340	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe	29
PID 2340 wrote to memory of 2992	2340	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe	29
PID 2340 wrote to memory of 2992	2340	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe	29
PID 2340 wrote to memory of 2992	2340	2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe	29
PID 2992 wrote to memory of 1264	2992	winver.exe	20
PID 2992 wrote to memory of 1124	2992	winver.exe	18
PID 2992 wrote to memory of 1212	2992	winver.exe	19
PID 2992 wrote to memory of 1264	2992	winver.exe	20
PID 2992 wrote to memory of 1552	2992	winver.exe	24
PID 2992 wrote to memory of 2340	2992	winver.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1264
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_278c0ec8a3d550c377f588316b2daa9a_amadey_rhadamanthys_smoke-loader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-26-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/1124-11-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/1212-14-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1212-28-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1264-29-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/1264-3-0x0000000002B00000-0x0000000002B06000-memory.dmp

Filesize
24KB

Download
memory/1264-1-0x0000000002B00000-0x0000000002B06000-memory.dmp

Filesize
24KB

Download
memory/1264-6-0x0000000002B00000-0x0000000002B06000-memory.dmp

Filesize
24KB

Download
memory/1264-17-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/1552-20-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1552-27-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2340-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2992-25-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2992-4-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing