win.tinynuke

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot

TinyNuke (aka Nuclear Bot) is a fully fledged banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was offered for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch but functioned similarly to the ZeuS banking trojan, in that it could steal passwords and inject arbitrary content when victims visited banking websites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke and remains very similar to its ancestor.

References

2022-08-08 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} }
Families: Riltok, magecart, Anubis, Azorult, BetaBot, Buer, CoalaBot, CryptBot, DiamondFox, DreamBot, GCleaner, ISFB, Loki Password Stealer (PWS), MedusaLocker, MeguminTrojan, Nemty, PsiX, RedLine Stealer, SmokeLoader, STOP, TinyNuke, Vidar, Zloader

2022-03-21 | AhnLab | ASEC Analysis Team
@online{team:20220321:bitrat:865b183, author = {ASEC Analysis Team}, title = {{BitRAT Disguised as Windows Product Key Verification Tool Being Distributed}}, date = {2022-03-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32781/}, language = {English}, urldate = {2022-04-14} }
Families: BitRAT, TinyNuke

2021-10-20 | AhnLab | ASEC Analysis Team
@online{team:20211020:vnc:b2f7937, author = {ASEC Analysis Team}, title = {{VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group}}, date = {2021-10-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/27346/}, language = {English}, urldate = {2022-04-15} }
Families: TinyNuke

2019-12-17 | Brian Krebs
@online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} }
Families: TinyNuke, Varenyky

2018-05-21 | Juniper | Paul Kimayong
@online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} }
Families: TinyNuke

2018-02-02 | BitSight | Tiago Pereira
@online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} }
Families: TinyNuke

2017-07-19 | Kaspersky Labs | Sergey Yunakovsky
@online{yunakovsky:20170719:nukebot:cba3e87, author = {Sergey Yunakovsky}, title = {{The NukeBot banking Trojan: from rough drafts to real threats}}, date = {2017-07-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/}, language = {English}, urldate = {2019-12-20} }
Families: TinyNuke

2017-04-06 | KrebsOnSecurity | Brian Krebs
@online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} }
Families: TinyNuke

2017-03-28 | SecurityIntelligence | Limor Kessem, Ilya Kolmanovich
@online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} }
Families: TinyNuke

2016-12-19 | NetScout | Dennis Schwarz
@online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} }
Families: TinyNuke
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20230125 | Detects win.tinynuke.)
rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.tinynuke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 55 8bec 817d0c00040000 }
            // n = 4, score = 1600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   817d0c00040000       | cmp                 dword ptr [ebp + 0xc], 0x400

        $sequence_1 = { 8d45f8 50 56 57 ff35???????? c745f803000000 ff75fc }
            // n = 7, score = 1400
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff35????????         |                     
            //   c745f803000000       | mov                 dword ptr [ebp - 8], 3
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_2 = { 6800000040 ff7508 ff15???????? 53 }
            // n = 4, score = 1400
            //   6800000040           | push                0x40000000
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_3 = { 8bf0 8d45fc 50 53 56 57 ff15???????? }
            // n = 7, score = 1400
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_4 = { 8d8530f6ffff 50 6802020000 ff15???????? }
            // n = 4, score = 1400
            //   8d8530f6ffff         | lea                 eax, [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     

        $sequence_5 = { 8945f4 8d85d4feffff 50 ff15???????? }
            // n = 4, score = 1400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d85d4feffff         | lea                 eax, [ebp - 0x12c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { ff35???????? a3???????? ff75f4 ff15???????? ff35???????? a3???????? ff75f4 }
            // n = 7, score = 1400
            //   ff35????????         |                     
            //   a3????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   a3????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_7 = { 59 33f6 57 ff15???????? 8bc6 5e }
            // n = 6, score = 1400
            //   59                   | pop                 ecx
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_8 = { ff75ec ff75fc e8???????? 83c40c 5f }
            // n = 5, score = 1300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi

        $sequence_9 = { ff35???????? 8d85a4feffff 50 ff15???????? ff35???????? }
            // n = 5, score = 1300
            //   ff35????????         |                     
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     

        $sequence_10 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 800
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_11 = { a3???????? 68e2010000 68???????? 68???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   68e2010000           | push                0x1e2
            //   68????????           |                     
            //   68????????           |                     

        $sequence_12 = { ff7508 ff15???????? ff35???????? ff7508 }
            // n = 4, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_13 = { ff35???????? ff7508 ff15???????? 68???????? }
            // n = 4, score = 800
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_14 = { ff75fc ff15???????? a3???????? ff35???????? ff75f8 ff15???????? }
            // n = 6, score = 800
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        $sequence_15 = { a3???????? ff35???????? ff75ec ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     

        $sequence_16 = { 8a00 3c0a 7409 3c0d 740f }
            // n = 5, score = 800
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd
            //   740f                 | je                  0x11

        $sequence_17 = { c70604000000 e8???????? eb18 83f803 7519 }
            // n = 5, score = 800
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b

        $sequence_18 = { 8d85d0fcffff 50 e8???????? 59 8d85d0fcffff 50 8d85d8feffff }
            // n = 7, score = 700
            //   8d85d0fcffff         | lea                 eax, [ebp - 0x330]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d85d0fcffff         | lea                 eax, [ebp - 0x330]
            //   50                   | push                eax
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]

        $sequence_19 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, [ebx + 0xc]
            //   50                   | push                eax

        $sequence_20 = { e8???????? 83ec04 89c6 8b442418 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   89c6                 | mov                 esi, eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]

        $sequence_21 = { 8b400c 85c0 75a4 8b7c241c 8b4728 891c24 }
            // n = 6, score = 100
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax
            //   75a4                 | jne                 0xffffffa6
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_22 = { 328248c0e16e 8883ff1fe06e 81fb00900100 75c9 a1???????? }
            // n = 5, score = 100
            //   328248c0e16e         | xor                 al, byte ptr [edx + 0x6ee1c048]
            //   8883ff1fe06e         | mov                 byte ptr [ebx + 0x6ee01fff], al
            //   81fb00900100         | cmp                 ebx, 0x19000
            //   75c9                 | jne                 0xffffffcb
            //   a1????????           |                     

        $sequence_23 = { 891c24 c744241881000000 c744241400000000 c744241000000000 c744240c50c30000 c744240850c30000 c744240400000000 }
            // n = 7, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   c744241881000000     | mov                 dword ptr [esp + 0x18], 0x81
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c50c30000     | mov                 dword ptr [esp + 0xc], 0xc350
            //   c744240850c30000     | mov                 dword ptr [esp + 8], 0xc350
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_24 = { ffd3 3c0c 741b c7050000000000000000 0f0b c7042400000000 }
            // n = 6, score = 100
            //   ffd3                 | call                ebx
            //   3c0c                 | cmp                 al, 0xc
            //   741b                 | je                  0x1d
            //   c7050000000000000000     | mov    dword ptr [0], 0
            //   0f0b                 | ud2                 
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_25 = { 7432 8d4608 8d7c5608 8db42600000000 0fb710 89d1 c1fa0c }
            // n = 7, score = 100
            //   7432                 | je                  0x34
            //   8d4608               | lea                 eax, [esi + 8]
            //   8d7c5608             | lea                 edi, [esi + edx*2 + 8]
            //   8db42600000000       | lea                 esi, [esi]
            //   0fb710               | movzx               edx, word ptr [eax]
            //   89d1                 | mov                 ecx, edx
            //   c1fa0c               | sar                 edx, 0xc

        $sequence_26 = { 897701 c78550beffff00000000 ffd3 b001 }
            // n = 4, score = 100
            //   897701               | mov                 dword ptr [edi + 1], esi
            //   c78550beffff00000000     | mov    dword ptr [ebp - 0x41b0], 0
            //   ffd3                 | call                ebx
            //   b001                 | mov                 al, 1

        $sequence_27 = { 85ed 750c eb38 83c701 }
            // n = 4, score = 100
            //   85ed                 | test                ebp, ebp
            //   750c                 | jne                 0xe
            //   eb38                 | jmp                 0x3a
            //   83c701               | add                 edi, 1

        $sequence_28 = { 8db708010000 890424 89442418 e8???????? 89c3 8b4754 }
            // n = 6, score = 100
            //   8db708010000         | lea                 esi, [edi + 0x108]
            //   890424               | mov                 dword ptr [esp], eax
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     
            //   89c3                 | mov                 ebx, eax
            //   8b4754               | mov                 eax, dword ptr [edi + 0x54]

        $sequence_29 = { c745eca8f00110 c745f0c4f00110 897df4 897df8 }
            // n = 4, score = 100
            //   c745eca8f00110       | mov                 dword ptr [ebp - 0x14], 0x1001f0a8
            //   c745f0c4f00110       | mov                 dword ptr [ebp - 0x10], 0x1001f0c4
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   897df8               | mov                 dword ptr [ebp - 8], edi

        $sequence_30 = { 8bda 895de4 894de8 85c9 }
            // n = 4, score = 100
            //   8bda                 | mov                 ebx, edx
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   85c9                 | test                ecx, ecx

    condition:
        7 of them and filesize < 1196032
}
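To show how the auto-generated sequences above actually match, here is an added Python matcher (not part of Malpedia or yara-signator) that compiles eight of the rule's hex strings into byte regexes, treating each ?? as a one-byte wildcard (the only wildcard form this rule uses; nibble wildcards and jumps are not handled), counts hits, and applies the rule's "7 of them and filesize < 1196032" condition. The sample buffers, their 0x90 padding and the 0x41 wildcard filler are constructed for the example, and filesize is taken to be the buffer length.

```python
import re
from typing import Dict, List

# Eight hex strings copied from the win_tinynuke_auto rule above; every ??
# is a one-byte wildcard standing for a relocation-dependent address.
RULE_SEQUENCES: Dict[str, str] = {
    "sequence_0": "c3 55 8bec 817d0c00040000",
    "sequence_1": "8d45f8 50 56 57 ff35???????? c745f803000000 ff75fc",
    "sequence_2": "6800000040 ff7508 ff15???????? 53",
    "sequence_3": "8bf0 8d45fc 50 53 56 57 ff15????????",
    "sequence_4": "8d8530f6ffff 50 6802020000 ff15????????",
    "sequence_5": "8945f4 8d85d4feffff 50 ff15????????",
    "sequence_7": "59 33f6 57 ff15???????? 8bc6 5e",
    "sequence_16": "8a00 3c0a 7409 3c0d 740f",
}
MIN_MATCHES = 7          # the rule's "7 of them" (at least 7 strings)
MAX_FILESIZE = 1196032   # the rule's "filesize < 1196032"


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string into a bytes regex.

    Assumption: only whole-byte ?? wildcards occur (true for this rule).
    re.DOTALL is required so that '.' also matches the 0x0a byte.
    """
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex string must have an even number of nibbles")
    tokens = [compact[i:i + 2] for i in range(0, len(compact), 2)]
    regex = b"".join(b"." if t == "??" else b"\\x%02x" % int(t, 16) for t in tokens)
    return re.compile(regex, re.DOTALL)


def matched_sequences(data: bytes) -> List[str]:
    """Names of the rule strings that occur at least once in data."""
    return [name for name, pattern in RULE_SEQUENCES.items()
            if hex_pattern_to_regex(pattern).search(data) is not None]


def rule_matches(data: bytes) -> bool:
    """Mirror the rule's condition; filesize is taken as len(data)."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= MIN_MATCHES


def instantiate(hex_string: str, filler: int = 0x41) -> bytes:
    """Concrete bytes for a pattern with each ?? replaced by filler.
    Used only to build the constructed sample buffers below."""
    compact = hex_string.replace(" ", "")
    return bytes(filler if compact[i:i + 2] == "??" else int(compact[i:i + 2], 16)
                 for i in range(0, len(compact), 2))


# Constructed sample buffers (not real binaries): sequences glued together
# with NOP padding, wildcard positions filled with 0x41.
PAD = b"\x90" * 16
SAMPLE_HIT = PAD + PAD.join(instantiate(p) for p in RULE_SEQUENCES.values()) + PAD
# Only six sequences present: below the "7 of them" threshold.
SAMPLE_MISS = PAD + PAD.join(instantiate(p) for p in list(RULE_SEQUENCES.values())[:6]) + PAD

if __name__ == "__main__":
    print("hit    :", rule_matches(SAMPLE_HIT), matched_sequences(SAMPLE_HIT))
    print("miss   :", rule_matches(SAMPLE_MISS), matched_sequences(SAMPLE_MISS))
    print("too big:", rule_matches(SAMPLE_HIT + b"\x00" * MAX_FILESIZE))
```

Because the ?? positions absorb the call and data addresses, the same sequence matches regardless of where the sample was loaded or relinked, which is why yara-signator wildcards them.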