SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tinymet (Back to overview)

TinyMet

aka: TiniMet

Actor(s): Anunak, TA505

VTCollection    

TinyMet is a meterpreter stager.

References
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-05-11CrowdStrikeThe Falcon Complete Team
Response When Minutes Matter: Rising Up Against Ransomware
TinyMet
2020-12-14BluelivAlberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-06-17Twitter (@VK_intel)malwrhunterteam, Vitali Kremez
Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet
2020-04-14SecurityIntelligenceMelissa Frydrych
TA505 Continues to Infect Networks With SDBbot RAT
SDBbot TinyMet TA505
2020-03-26TelekomThomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28Financial Security InstituteFinancial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2019-08-20Github (SherifEldeeb)Sherif Eldeeb
Source code: TinyMet
TinyMet
2019-03-20FlashpointJason Reaves, Joshua Platt
FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet
Yara Rules
[TLP:WHITE] win_tinymet_auto (20260504 | Detects win.tinymet.)
rule win_tinymet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tinymet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c9 6a5f 56 668908 }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   6a5f                 | push                0x5f
            //   56                   | push                esi
            //   668908               | mov                 word ptr [eax], cx

        $sequence_1 = { 2bf0 75e7 a1???????? 5f 5e }
            // n = 5, score = 100
            //   2bf0                 | sub                 esi, eax
            //   75e7                 | jne                 0xffffffe9
            //   a1????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { 75e4 8d45e8 68???????? 50 e8???????? 8d45f0 }
            // n = 6, score = 100
            //   75e4                 | jne                 0xffffffe6
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_3 = { 68???????? e9???????? 8d45ec 6a10 50 56 }
            // n = 6, score = 100
            //   68????????           |                     
            //   e9????????           |                     
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_4 = { e8???????? 83c410 b80033a084 385d10 be00022084 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   b80033a084           | mov                 eax, 0x84a03300
            //   385d10               | cmp                 byte ptr [ebp + 0x10], bl
            //   be00022084           | mov                 esi, 0x84200200

        $sequence_5 = { 68???????? ff15???????? 8bf8 85ff 0f84c0000000 }
            // n = 5, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f84c0000000         | je                  0xc6

        $sequence_6 = { 6a04 6800100000 8d7801 8d0c3f 51 }
            // n = 5, score = 100
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   8d7801               | lea                 edi, [eax + 1]
            //   8d0c3f               | lea                 ecx, [edi + edi]
            //   51                   | push                ecx

        $sequence_7 = { 50 6800100000 8d043b 50 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   6800100000           | push                0x1000
            //   8d043b               | lea                 eax, [ebx + edi]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules