SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tinba (Back to overview)

Tinba

aka: Zusy, TinyBanker, Illi
URLhaus    

F-Secure notes that TinyBanker or short Tinba is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.

If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc in the legitimate-looking page.

Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.

References
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-03-13CylanceTatsuya Hasegawa
@online{hasegawa:20190313:blackberry:328f6a5, author = {Tatsuya Hasegawa}, title = {{BlackBerry Cylance vs. Tinba Banking Trojan}}, date = {2019-03-13}, organization = {Cylance}, url = {https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan}, language = {English}, urldate = {2021-02-06} } BlackBerry Cylance vs. Tinba Banking Trojan
Tinba
2018-07-05ZscalerDhanalakshmi
@online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } A Look At Recent Tinba Banking Trojan Variant
Tinba
2015-08-12SecurityIntelligenceLimor Kessem
@online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } Tinba Trojan Sets Its Sights on Romania
Tinba
2015-06-18SWITCH Security BlogSlavo Greminger
@online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } So Long, and Thanks for All the Domains
Tinba
2014-09-22SecurityIntelligenceAssaf Regev, Tal Darsan
@online{regev:20140922:tinba:088fca0, author = {Assaf Regev and Tal Darsan}, title = {{Tinba Malware Reloaded and Attacking Banks Around the World}}, date = {2014-09-22}, organization = {SecurityIntelligence}, url = {http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/}, language = {English}, urldate = {2020-01-09} } Tinba Malware Reloaded and Attacking Banks Around the World
Tinba
2014-07-16StopMalvertisingKimberly
@online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } Mini Analysis of the TinyBanker Tinba
Tinba
2012-06-06Contagio DumpMila Parkour
@online{parkour:20120606:tinba:4159446, author = {Mila Parkour}, title = {{Tinba / Zusy - tiny banker trojan}}, date = {2012-06-06}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/amazon.html}, language = {English}, urldate = {2019-07-08} } Tinba / Zusy - tiny banker trojan
Tinba
2012-06-04John Leyden
@online{leyden:20120604:small:eb760a3, author = {John Leyden}, title = {{Small banking Trojan poses major risk}}, date = {2012-06-04}, url = {http://www.theregister.co.uk/2012/06/04/small_banking_trojan/}, language = {English}, urldate = {2020-01-08} } Small banking Trojan poses major risk
Tinba
2012CSIS Trend MicroPeter Kruse (CSIS), Feike Hacquebord (Trend Micro), Robert McArdle (Trend Micro)
@techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } W32.Tinba (Tinybanker) The Turkish Incident
Tinba
Yara Rules
[TLP:WHITE] win_tinba_auto (20230125 | Detects win.tinba.)
rule win_tinba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.tinba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7508 ad 50 56 }
            // n = 4, score = 1100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_1 = { 8b4510 aa 8b450c ab }
            // n = 4, score = 1100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_2 = { 6a00 6a00 6a00 ff750c 6a00 6a00 ff7508 }
            // n = 7, score = 1000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { 8a241f 88240f 88041f 41 }
            // n = 4, score = 1000
            //   8a241f               | mov                 ah, byte ptr [edi + ebx]
            //   88240f               | mov                 byte ptr [edi + ecx], ah
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   41                   | inc                 ecx

        $sequence_4 = { b3fd eb73 b3fe b738 887a19 80fd02 }
            // n = 6, score = 900
            //   b3fd                 | mov                 bl, 0xfd
            //   eb73                 | jmp                 0x75
            //   b3fe                 | mov                 bl, 0xfe
            //   b738                 | mov                 bh, 0x38
            //   887a19               | mov                 byte ptr [edx + 0x19], bh
            //   80fd02               | cmp                 ch, 2

        $sequence_5 = { 83c707 8b4508 83e00f 3c0a 7304 0430 eb02 }
            // n = 7, score = 900
            //   83c707               | add                 edi, 7
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83e00f               | and                 eax, 0xf
            //   3c0a                 | cmp                 al, 0xa
            //   7304                 | jae                 6
            //   0430                 | add                 al, 0x30
            //   eb02                 | jmp                 4

        $sequence_6 = { 8b7004 8d7e04 8b0e 3b4d10 7603 8b4d10 51 }
            // n = 7, score = 900
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   8d7e04               | lea                 edi, [esi + 4]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   7603                 | jbe                 5
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx

        $sequence_7 = { 0430 eb02 0437 aa }
            // n = 4, score = 900
            //   0430                 | add                 al, 0x30
            //   eb02                 | jmp                 4
            //   0437                 | add                 al, 0x37
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_8 = { 85c0 741b 66b80d0a 66ab b855736572 ab }
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   741b                 | je                  0x1d
            //   66b80d0a             | mov                 ax, 0xa0d
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   b855736572           | mov                 eax, 0x72657355
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_9 = { 740f 80e7fe b918000000 48 8d3d83010000 383f 48 }
            // n = 7, score = 900
            //   740f                 | je                  0x11
            //   80e7fe               | and                 bh, 0xfe
            //   b918000000           | mov                 ecx, 0x18
            //   48                   | dec                 eax
            //   8d3d83010000         | lea                 edi, [0x183]
            //   383f                 | cmp                 byte ptr [edi], bh
            //   48                   | dec                 eax

        $sequence_10 = { f6d0 f6d4 f6d1 6689420f }
            // n = 4, score = 900
            //   f6d0                 | not                 al
            //   f6d4                 | not                 ah
            //   f6d1                 | not                 cl
            //   6689420f             | mov                 word ptr [edx + 0xf], ax

        $sequence_11 = { 48 83ec20 4c 89f1 48 c7c240000000 4c }
            // n = 7, score = 900
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   4c                   | dec                 esp
            //   89f1                 | mov                 ecx, esi
            //   48                   | dec                 eax
            //   c7c240000000         | mov                 edx, 0x40
            //   4c                   | dec                 esp

        $sequence_12 = { 8b4d08 8b4114 83f8fd 7506 }
            // n = 4, score = 900
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b4114               | mov                 eax, dword ptr [ecx + 0x14]
            //   83f8fd               | cmp                 eax, -3
            //   7506                 | jne                 8

    condition:
        7 of them and filesize < 57344
}
[TLP:WHITE] win_tinba_w0   (20170605 | Tinba 2 (DGA) banking trojan)
rule win_tinba_w0 {
    meta:
        author = "n3sfox <n3sfox@gmail.com>"
        date = "2015/11/07"
        description = "Tinba 2 (DGA) banking trojan"
        reference = "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world"
        filetype = "memory"
        hash = "c7f662594f07776ab047b322150f6ed0"
        hash = "dc71ef1e55f1ddb36b3c41b1b95ae586"
        hash = "b788155cb82a7600f2ed1965cffc1e88"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/tinba2.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba"
        malpedia_version = "20170605"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str3 = "NtCreateUserProcess"
        $str4 = "NtQueryDirectoryFile"
        $str5 = "RtlCreateUserThread"
        $str6 = "DeleteUrlCacheEntry"
        $str7 = "PR_Read"
        $str8 = "PR_Write"
        $pubkey = "BEGIN PUBLIC KEY"
        $code1 = {50 87 44 24 04 6A ?? E8}

    condition:
        all of ($str*) and $pubkey and $code1
}
Download all Yara Rules