SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tinynuke (Back to overview)

TinyNuke

aka: NukeBot, Nuclear Bot, MicroBankingTrojan, Xbot
URLhaus      

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-21AhnLabASEC Analysis Team
@online{team:20220321:bitrat:865b183, author = {ASEC Analysis Team}, title = {{BitRAT Disguised as Windows Product Key Verification Tool Being Distributed}}, date = {2022-03-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32781/}, language = {English}, urldate = {2022-04-14} } BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
BitRAT TinyNuke
2021-10-20AhnLabASEC Analysis Team
@online{team:20211020:vnc:b2f7937, author = {ASEC Analysis Team}, title = {{VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group}}, date = {2021-10-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/27346/}, language = {English}, urldate = {2022-04-15} } VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group
TinyNuke
2019-12-17Brian Krebs
@online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } Nuclear Bot Author Arrested in Sextortion Case
TinyNuke Varenyky
2018-05-21JuniperPaul Kimayong
@online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } Nukebot Banking Trojan targeting people in France
TinyNuke
2018-02-02BitSightTiago Pereira
@online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} } Break Out Of The Tinynuke Malware
TinyNuke
2017-07-19Kaspersky LabsSergey Yunakovsky
@online{yunakovsky:20170719:nukebot:cba3e87, author = {Sergey Yunakovsky}, title = {{The NukeBot banking Trojan: from rough drafts to real threats}}, date = {2017-07-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/}, language = {English}, urldate = {2019-12-20} } The NukeBot banking Trojan: from rough drafts to real threats
TinyNuke
2017-04-06KrebsOnSecurityBrian Krebs
@online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer
TinyNuke
2017-03-28SecurityIntelligenceLimor Kessem, Ilya Kolmanovich
@online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak
TinyNuke
2016-12-19NetScoutDennis Schwarz
@online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} } Dismantling a Nuclear Bot
TinyNuke
Yara Rules
[TLP:WHITE] win_tinynuke_auto (20221125 | Detects win.tinynuke.)
rule win_tinynuke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.tinynuke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 55 8bec 817d0c00040000 }
            // n = 4, score = 1600
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   817d0c00040000       | cmp                 dword ptr [ebp + 0xc], 0x400

        $sequence_1 = { 53 6aff ff7508 6a00 68e9fd0000 ff15???????? 8bc3 }
            // n = 7, score = 1400
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ff15????????         |                     
            //   8bc3                 | mov                 eax, ebx

        $sequence_2 = { ff35???????? a3???????? e8???????? 83c418 a3???????? 5f 5e }
            // n = 7, score = 1400
            //   ff35????????         |                     
            //   a3????????           |                     
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   a3????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { 8bf8 57 ffd6 ff35???????? }
            // n = 4, score = 1400
            //   8bf8                 | mov                 edi, eax
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   ff35????????         |                     

        $sequence_4 = { 8d8530f6ffff 50 6802020000 ff15???????? }
            // n = 4, score = 1400
            //   8d8530f6ffff         | lea                 eax, [ebp - 0x9d0]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     

        $sequence_5 = { 8945f4 8d85d4feffff 50 ff15???????? }
            // n = 4, score = 1400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d85d4feffff         | lea                 eax, [ebp - 0x12c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 72e5 5f 5b 5e 5d c3 55 }
            // n = 7, score = 1400
            //   72e5                 | jb                  0xffffffe7
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_7 = { ff750c 57 56 ff15???????? 56 }
            // n = 5, score = 1400
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_8 = { ff75ec ff75fc e8???????? 83c40c 5f }
            // n = 5, score = 1300
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5f                   | pop                 edi

        $sequence_9 = { 50 ff15???????? ff35???????? 8d85a4feffff 50 }
            // n = 5, score = 1300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   50                   | push                eax

        $sequence_10 = { eb18 83f803 7519 ff7608 }
            // n = 4, score = 800
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3
            //   7519                 | jne                 0x1b
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_11 = { a3???????? ff35???????? ff75ec ff15???????? }
            // n = 4, score = 800
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     

        $sequence_12 = { 8a00 3c0a 7409 3c0d 740f }
            // n = 5, score = 800
            //   8a00                 | mov                 al, byte ptr [eax]
            //   3c0a                 | cmp                 al, 0xa
            //   7409                 | je                  0xb
            //   3c0d                 | cmp                 al, 0xd
            //   740f                 | je                  0x11

        $sequence_13 = { ff35???????? ff7508 ff15???????? 68???????? }
            // n = 4, score = 800
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_14 = { c70604000000 e8???????? eb18 83f803 }
            // n = 4, score = 800
            //   c70604000000         | mov                 dword ptr [esi], 4
            //   e8????????           |                     
            //   eb18                 | jmp                 0x1a
            //   83f803               | cmp                 eax, 3

        $sequence_15 = { 6a2a 50 8945fc ff15???????? }
            // n = 4, score = 800
            //   6a2a                 | push                0x2a
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     

        $sequence_16 = { ff7508 ff15???????? ff35???????? ff7508 }
            // n = 4, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_17 = { a3???????? 68e2010000 68???????? 68???????? e8???????? }
            // n = 5, score = 800
            //   a3????????           |                     
            //   68e2010000           | push                0x1e2
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_18 = { ff15???????? a3???????? ff35???????? ff75f8 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff35????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_19 = { ff15???????? 8d85d0fcffff 50 e8???????? 59 8d85d0fcffff 50 }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   8d85d0fcffff         | lea                 eax, [ebp - 0x330]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d85d0fcffff         | lea                 eax, [ebp - 0x330]
            //   50                   | push                eax

        $sequence_20 = { ff15???????? 8b35???????? 8d430c 50 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   8d430c               | lea                 eax, [ebx + 0xc]
            //   50                   | push                eax

        $sequence_21 = { 8bf1 85f6 750d 85d2 7405 }
            // n = 5, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   85f6                 | test                esi, esi
            //   750d                 | jne                 0xf
            //   85d2                 | test                edx, edx
            //   7405                 | je                  7

        $sequence_22 = { 3b44242c 740c 83c438 b801000000 }
            // n = 4, score = 100
            //   3b44242c             | cmp                 eax, dword ptr [esp + 0x2c]
            //   740c                 | je                  0xe
            //   83c438               | add                 esp, 0x38
            //   b801000000           | mov                 eax, 1

        $sequence_23 = { 8b1485c8920210 837c163800 7417 8a441634 8845f4 }
            // n = 5, score = 100
            //   8b1485c8920210       | mov                 edx, dword ptr [eax*4 + 0x100292c8]
            //   837c163800           | cmp                 dword ptr [esi + edx + 0x38], 0
            //   7417                 | je                  0x19
            //   8a441634             | mov                 al, byte ptr [esi + edx + 0x34]
            //   8845f4               | mov                 byte ptr [ebp - 0xc], al

        $sequence_24 = { 8b0f 83ec08 85c9 75d6 8344241814 8b442418 8b400c }
            // n = 7, score = 100
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   83ec08               | sub                 esp, 8
            //   85c9                 | test                ecx, ecx
            //   75d6                 | jne                 0xffffffd8
            //   8344241814           | add                 dword ptr [esp + 0x18], 0x14
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_25 = { 75b7 8b7c241c 8b8780000000 01d8 89442418 }
            // n = 5, score = 100
            //   75b7                 | jne                 0xffffffb9
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]
            //   8b8780000000         | mov                 eax, dword ptr [edi + 0x80]
            //   01d8                 | add                 eax, ebx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_26 = { c744241400000000 c744241000000000 c744240c50c30000 c744240850c30000 }
            // n = 4, score = 100
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c50c30000     | mov                 dword ptr [esp + 0xc], 0xc350
            //   c744240850c30000     | mov                 dword ptr [esp + 8], 0xc350

        $sequence_27 = { 0fb710 89d1 c1fa0c 83fa03 750d 8b16 }
            // n = 6, score = 100
            //   0fb710               | movzx               edx, word ptr [eax]
            //   89d1                 | mov                 ecx, edx
            //   c1fa0c               | sar                 edx, 0xc
            //   83fa03               | cmp                 edx, 3
            //   750d                 | jne                 0xf
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_28 = { 891c24 c744240800000000 c744240401000000 01d8 }
            // n = 4, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   01d8                 | add                 eax, ebx

        $sequence_29 = { 8b5c2440 e8???????? 83ec04 8d44242c 891c24 }
            // n = 5, score = 100
            //   8b5c2440             | mov                 ebx, dword ptr [esp + 0x40]
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   891c24               | mov                 dword ptr [esp], ebx

        $sequence_30 = { 75c9 a1???????? 05???????? 89c7 }
            // n = 4, score = 100
            //   75c9                 | jne                 0xffffffcb
            //   a1????????           |                     
            //   05????????           |                     
            //   89c7                 | mov                 edi, eax

    condition:
        7 of them and filesize < 1196032
}
Download all Yara Rules