tinba | 4ff15734c11b247a4c3fc7871e9a8bfd648d20b7c09438aca1b5f45fc52b0b86

General

Target

2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe
Size

225KB
MD5

64867de072235cf392911dd2dd1c6209
SHA1

b16a368485816fcf4f17fa2d955bd6c785de4a38
SHA256

4ff15734c11b247a4c3fc7871e9a8bfd648d20b7c09438aca1b5f45fc52b0b86
SHA512

e9078865d5af71a812169722d8caaffa04efe8f44bbbadf7a5900f8829741fed3e2ac64e7f3f4f29aa034779e7520a49b6cfaad57eb1b2ced88ec9abe2d05a06
SSDEEP

6144:BA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:BATuTAnKGwUAW3ycQqgf

Score

10^/10

tinba banker discovery trojan

Malware Config

Signatures

Tinba / TinyBanker
Banking trojan which uses packet sniffing to steal data.
trojan banker tinba
Tinba family
tinba
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	winver.exe
2116	winver.exe
2116	winver.exe
2116	winver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	winver.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2116	2916	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe	30
PID 2916 wrote to memory of 2116	2916	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe	30
PID 2916 wrote to memory of 2116	2916	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe	30
PID 2916 wrote to memory of 2116	2916	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe	30
PID 2916 wrote to memory of 2116	2916	2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe	30
PID 2116 wrote to memory of 1204	2116	winver.exe	21
PID 2116 wrote to memory of 1104	2116	winver.exe	19
PID 2116 wrote to memory of 1168	2116	winver.exe	20
PID 2116 wrote to memory of 1204	2116	winver.exe	21
PID 2116 wrote to memory of 1628	2116	winver.exe	23
PID 2116 wrote to memory of 2916	2116	winver.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1204
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_64867de072235cf392911dd2dd1c6209_amadey_rhadamanthys_smoke-loader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-26-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1104-9-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1168-12-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1168-29-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1204-6-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/1204-15-0x0000000002920000-0x0000000002926000-memory.dmp

Filesize
24KB

Download
memory/1204-1-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/1204-3-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/1204-27-0x0000000002920000-0x0000000002926000-memory.dmp

Filesize
24KB

Download
memory/1628-18-0x0000000001C10000-0x0000000001C16000-memory.dmp

Filesize
24KB

Download
memory/1628-28-0x0000000001C10000-0x0000000001C16000-memory.dmp

Filesize
24KB

Download
memory/2116-23-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/2116-4-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2916-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing