win.tinymet

TinyMet

aka: TiniMet

Actor(s): Anunak, TA505


TinyMet is a small, open-source Meterpreter stager: the first-stage loader that retrieves and runs a Metasploit Meterpreter payload. Its source code is linked in the references below, and the same references document its reuse (often repacked or code-signed) by financially motivated groups such as TA505.

References
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} } Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-05-11CrowdStrikeThe Falcon Complete Team
@online{team:20210511:response:7e4cf2d, author = {The Falcon Complete Team}, title = {{Response When Minutes Matter: Rising Up Against Ransomware}}, date = {2021-05-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/}, language = {English}, urldate = {2021-05-13} } Response When Minutes Matter: Rising Up Against Ransomware
TinyMet
2020-12-14BluelivAlberto Marín, Carlos Rubio, Blueliv Labs Team
@online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2020-12-15} } Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-06-17Twitter (@VK_intel)Vitali Kremez, malwrhunterteam
@online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet
2020-04-14SecurityIntelligenceMelissa Frydrych
@online{frydrych:20200414:ta505:9b31f77, author = {Melissa Frydrych}, title = {{TA505 Continues to Infect Networks With SDBbot RAT}}, date = {2020-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/}, language = {English}, urldate = {2023-02-17} } TA505 Continues to Infect Networks With SDBbot RAT
SDBbot TinyMet TA505
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2019-08-20Github (SherifEldeeb)Sherif Eldeeb
@online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } Source code: TinyMet
TinyMet
2019-03-20FlashpointJoshua Platt, Jason Reaves
@online{platt:20190320:fin7:bac265f, author = {Joshua Platt and Jason Reaves}, title = {{FIN7 Revisited: Inside Astra Panel and SQLRat Malware}}, date = {2019-03-20}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/}, language = {English}, urldate = {2019-12-18} } FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet
Yara Rules
[TLP:WHITE] win_tinymet_auto (20230407 | Detects win.tinymet.)
rule win_tinymet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-29"
        version = "1"
        description = "Detects win.tinymet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Every string below is a short x86 (32-bit) instruction sequence taken
     *   from unpacked TinyMet code. The `????????` wildcards mask the operands
     *   that change between builds (call/jump displacements after e8/e9,
     *   absolute addresses after ff15/68/a3/66a3), so only the opcode
     *   skeleton is matched.
     * - Because the sequences come from unpacked/in-memory code, a packed
     *   on-disk TinyMet sample (the TA505 packer is referenced on this page)
     *   is not expected to match; scan unpacked files or memory.
     * - The rule is derived from single documented samples (see DISCLAIMER);
     *   treat a hit as a strong lead, not proof of family, and corroborate.
     */

    strings:
        // Two-byte increment of a pointer, then pushes of 0x2e ('.') and 0x5f ('_')
        // around a call: string-scanning helper in the stager.
        $sequence_0 = { eb03 83c602 6a2e 56 e8???????? 33c9 6a5f }
            // n = 7, score = 100
            //   eb03                 | jmp                 5
            //   83c602               | add                 esi, 2
            //   6a2e                 | push                0x2e
            //   56                   | push                esi
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   6a5f                 | push                0x5f

        // Overlaps with $sequence_0 (push 0x5f / push esi); writes a 16-bit value
        // through eax before the call.
        $sequence_1 = { 6a5f 56 668908 e8???????? 8bf8 }
            // n = 5, score = 100
            //   6a5f                 | push                0x5f
            //   56                   | push                esi
            //   668908               | mov                 word ptr [eax], cx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        // Import call via ff15 with result check; both push targets are
        // wildcarded (absolute addresses).
        $sequence_2 = { 751b 68???????? e9???????? ff15???????? 85c0 7407 68???????? }
            // n = 7, score = 100
            //   751b                 | jne                 0x1d
            //   68????????           |                     
            //   e9????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   68????????           |                     

        // Stores a single 0xbf byte and pushes a 4-byte local.
        $sequence_3 = { a3???????? 6a04 c600bf 8d45fc 50 }
            // n = 5, score = 100
            //   a3????????           |                     
            //   6a04                 | push                4
            //   c600bf               | mov                 byte ptr [eax], 0xbf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        // push 2 / push 1 argument setup with a 16-bit store to an absolute
        // address (66a3 wildcarded).
        $sequence_4 = { 6a02 894df0 59 53 6a01 51 66a3???????? }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   59                   | pop                 ecx
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   66a3????????         |                     

        // Overlaps with $sequence_4 (push ecx / 66a3); fills two adjacent
        // 16-bit locals before an import call.
        $sequence_5 = { 51 66a3???????? 66894dec 668945ee ff15???????? }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   66a3????????         |                     
            //   66894dec             | mov                 word ptr [ebp - 0x14], cx
            //   668945ee             | mov                 word ptr [ebp - 0x12], ax
            //   ff15????????         |                     

        // Stores the immediate 0x3380 into a 4-byte local and pushes it with
        // 4 and 0x1f as arguments.
        $sequence_6 = { 7416 6a04 8d45fc c745fc80330000 50 6a1f }
            // n = 6, score = 100
            //   7416                 | je                  0x18
            //   6a04                 | push                4
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   c745fc80330000       | mov                 dword ptr [ebp - 4], 0x3380
            //   50                   | push                eax
            //   6a1f                 | push                0x1f

        // Byte-wise accumulation loop (sign-extended load, add, increment index).
        $sequence_7 = { 7412 0fbe043e 03d8 46 }
            // n = 4, score = 100
            //   7412                 | je                  0x14
            //   0fbe043e             | movsx               eax, byte ptr [esi + edi]
            //   03d8                 | add                 ebx, eax
            //   46                   | inc                 esi

    condition:
        // 7 of the 8 sequences must be present (one miss tolerated), and the
        // scanned object must be under 57344 bytes (56 KiB, 0xE000) - TinyMet
        // is a tiny stager. NOTE(review): the size cap is meaningful for file
        // scans only; confirm how your scanner populates filesize for process
        // memory or carved buffers, and consider dropping it there.
        7 of them and filesize < 57344
}