SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tinba (Back to overview)

Tinba

aka: Zusy, TinyBanker, Illi
URLhaus    

There is no description at this point.

References
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2018-07-05ZscalerDhanalakshmi
@online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } A Look At Recent Tinba Banking Trojan Variant
Tinba
2015-08-12SecurityIntelligenceLimor Kessem
@online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } Tinba Trojan Sets Its Sights on Romania
Tinba
2015-06-18SWITCH Security BlogSlavo Greminger
@online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } So Long, and Thanks for All the Domains
Tinba
2014-09-22SecurityIntelligenceAssaf Regev, Tal Darsan
@online{regev:20140922:tinba:088fca0, author = {Assaf Regev and Tal Darsan}, title = {{Tinba Malware Reloaded and Attacking Banks Around the World}}, date = {2014-09-22}, organization = {SecurityIntelligence}, url = {http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/}, language = {English}, urldate = {2020-01-09} } Tinba Malware Reloaded and Attacking Banks Around the World
Tinba
2014-07-16StopMalvertisingKimberly
@online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } Mini Analysis of the TinyBanker Tinba
Tinba
2012-06-06Contagio DumpMila Parkour
@online{parkour:20120606:tinba:4159446, author = {Mila Parkour}, title = {{Tinba / Zusy - tiny banker trojan}}, date = {2012-06-06}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/amazon.html}, language = {English}, urldate = {2019-07-08} } Tinba / Zusy - tiny banker trojan
Tinba
2012-06-04John Leyden
@online{leyden:20120604:small:eb760a3, author = {John Leyden}, title = {{Small banking Trojan poses major risk}}, date = {2012-06-04}, url = {http://www.theregister.co.uk/2012/06/04/small_banking_trojan/}, language = {English}, urldate = {2020-01-08} } Small banking Trojan poses major risk
Tinba
2012CSIS Trend MicroPeter Kruse (CSIS), Feike Hacquebord (Trend Micro), Robert McArdle (Trend Micro)
@techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } W32.Tinba (Tinybanker) The Turkish Incident
Tinba
Yara Rules
[TLP:WHITE] win_tinba_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_tinba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4510 aa 8b450c ab }
            // n = 4, score = 1100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_1 = { 8b7508 ad 50 56 }
            // n = 4, score = 1100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_2 = { 8a241f 88240f 88041f 41 }
            // n = 4, score = 1000
            //   8a241f               | mov                 ah, byte ptr [edi + ebx]
            //   88240f               | mov                 byte ptr [edi + ecx], ah
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   41                   | inc                 ecx

        $sequence_3 = { 6a00 6a00 6a00 ff750c 6a00 6a00 ff7508 }
            // n = 7, score = 1000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_4 = { 834a3520 a4 f6420101 7448 }
            // n = 4, score = 900
            //   834a3520             | or                  dword ptr [edx + 0x35], 0x20
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   f6420101             | test                byte ptr [edx + 1], 1
            //   7448                 | je                  0x4a

        $sequence_5 = { ab b86e743a20 ab 037df8 }
            // n = 4, score = 900
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b86e743a20           | mov                 eax, 0x203a746e
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   037df8               | add                 edi, dword ptr [ebp - 8]

        $sequence_6 = { 89c7 49 8706 49 89c6 }
            // n = 5, score = 900
            //   89c7                 | mov                 edi, eax
            //   49                   | dec                 ecx
            //   8706                 | xchg                dword ptr [esi], eax
            //   49                   | dec                 ecx
            //   89c6                 | mov                 esi, eax

        $sequence_7 = { aa 89f0 ab 48 83ec20 4c 89f1 }
            // n = 7, score = 900
            //   aa                   | stosb               byte ptr es:[edi], al
            //   89f0                 | mov                 eax, esi
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   4c                   | dec                 esp
            //   89f1                 | mov                 ecx, esi

        $sequence_8 = { 8b4114 83f8fd 7506 8b4108 8b4014 }
            // n = 5, score = 900
            //   8b4114               | mov                 eax, dword ptr [ecx + 0x14]
            //   83f8fd               | cmp                 eax, -3
            //   7506                 | jne                 8
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]

        $sequence_9 = { 7401 a5 f7423504000000 7401 a4 48 8d7a2b }
            // n = 7, score = 900
            //   7401                 | je                  3
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   f7423504000000       | test                dword ptr [edx + 0x35], 4
            //   7401                 | je                  3
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   48                   | dec                 eax
            //   8d7a2b               | lea                 edi, [edx + 0x2b]

        $sequence_10 = { eb02 0437 aa c14d0804 3b7d0c 73e6 fc }
            // n = 7, score = 900
            //   eb02                 | jmp                 4
            //   0437                 | add                 al, 0x37
            //   aa                   | stosb               byte ptr es:[edi], al
            //   c14d0804             | ror                 dword ptr [ebp + 8], 4
            //   3b7d0c               | cmp                 edi, dword ptr [ebp + 0xc]
            //   73e6                 | jae                 0xffffffe8
            //   fc                   | cld                 

        $sequence_11 = { 7416 66b80d0a 66ab b8436f6f6b ab b869653a20 ab }
            // n = 7, score = 900
            //   7416                 | je                  0x18
            //   66b80d0a             | mov                 ax, 0xa0d
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   b8436f6f6b           | mov                 eax, 0x6b6f6f43
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b869653a20           | mov                 eax, 0x203a6569
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_12 = { 83ef0e 85c0 741b 66b80d0a 66ab b855736572 }
            // n = 6, score = 900
            //   83ef0e               | sub                 edi, 0xe
            //   85c0                 | test                eax, eax
            //   741b                 | je                  0x1d
            //   66b80d0a             | mov                 ax, 0xa0d
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   b855736572           | mov                 eax, 0x72657355

    condition:
        7 of them and filesize < 57344
}
[TLP:WHITE] win_tinba_w0   (20170605 | Tinba 2 (DGA) banking trojan)
rule win_tinba_w0 
{
    meta:
        author = "n3sfox <n3sfox@gmail.com>"
        date = "2015/11/07"
        description = "Tinba 2 (DGA) banking trojan"
        reference = "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world"
        filetype = "memory"
        hash1 = "c7f662594f07776ab047b322150f6ed0"
        hash2 = "dc71ef1e55f1ddb36b3c41b1b95ae586"
        hash3 = "b788155cb82a7600f2ed1965cffc1e88"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/tinba2.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba"
        malpedia_version = "20170605"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str3 = "NtCreateUserProcess"
        $str4 = "NtQueryDirectoryFile"
        $str5 = "RtlCreateUserThread"
        $str6 = "DeleteUrlCacheEntry"
        $str7 = "PR_Read"
        $str8 = "PR_Write"
        $pubkey = "BEGIN PUBLIC KEY"
        $code1 = {50 87 44 24 04 6A ?? E8}

    condition:
        all of ($str*) and $pubkey and $code1
}
Download all Yara Rules