MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tinba


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
SHA3-384 hash: 6004d7f5e4939e5be2617c5d209742fff788480ea57acd999a828dc47638a64ce88763b46cb289d0823caa1fd4ed0de3
SHA1 hash: 98ec9b58fcc06d0bcd485fc6bc21f8cb39c1e6fb
MD5 hash: b4bd550756a21981b0587181fade44f0
humanhash: eight-carbon-robert-paris
File name:3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
Download: download sample
Signature Tinba
Create hunting rule
File size:165'376 bytes
First seen:2021-02-28 07:17:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b85dd0a13602bc0359cd142fcfc1bd8 (1 x Tinba)
ssdeep 3072:Yo/m/kgNronhMLr5cx/OP8u7bxvq7kKXPeJTkSpn72ohrNIshnFx+sbP:Yj1roh25c1OP8uNq4K/eRk52rNI0x
Threatray 8 similar samples on MalwareBazaar
TLSH E0F34B2C2350F896D4EE0972D1E395CD4140DF5BBFD2492B28D050CF9BA86ABD6362F6
Reporter JAMESWT_WT
Tags:Tinba

Intelligence

File Origin
# of uploads :
1
# of downloads :
816
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:06:21 UTC
Tags:
trojan tinba
Link:
https://app.any.run/tasks/2d3108a0-c8fb-4738-a08e-caea6d746f90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119868/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621003
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359495 Sample: ysDoJgWjPV Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 3 other signatures 2->46 8 ysDoJgWjPV.exe 2->8         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 8->48 50 Contains functionality to inject threads in other processes 8->50 52 Writes to foreign memory regions 8->52 11 winver.exe 1 4 8->11         started        process5 dnsIp6 32 blackfreeqazyio.cc 216.218.185.162, 49726, 80 HURRICANEUS United States 11->32 30 C:\Users\user\AppData\Roaming\...\bin.exe, PE32 11->30 dropped 62 Creates autostart registry keys with suspicious names 11->62 64 Injects code into the Windows Explorer (explorer.exe) 11->64 66 Writes to foreign memory regions 11->66 68 3 other signatures 11->68 16 explorer.exe 3 11->16 injected 19 ShellExperienceHost.exe 11->19 injected 21 sihost.exe 11->21 injected 23 6 other processes 11->23 file7 signatures8 process9 signatures10 34 Contains functionality to inject threads in other processes 16->34 36 Writes to foreign memory regions 16->36 38 Creates a thread in another existing process (thread injection) 16->38 25 bin.exe 16->25         started        28 bin.exe 16->28         started        process11 signatures12 54 Antivirus detection for dropped file 25->54 56 Detected unpacking (changes PE section rights) 25->56 58 Machine Learning detection for dropped file 25->58 60 Contains functionality to inject threads in other processes 25->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d/
Threat name:
Win32.Trojan.Tinba
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 20:26:34 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hudn6fwv2tkr36n7nsongju3y72i75yllqfgsaqxhu4jzpyqwa6q._file
Verdict:
malicious
Similar samples:
02afc67fc961203f4809101aeb60ef5553b6b2b3f142e39f80ba3f9e64f52704
Tinba
03be30bf83c48de2fc11174179c6b466cde149f2af7032dbc8bf2036a12b0e1a
Tinba
0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75
Tinba
5b7418517d962f6a77dedf03d99cf637fd0e202bcab8fa26441461a68b8d7cd2
Tinba
82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460
Tinba
be41dee9f9b806f5932a9ed56c841d884f4d7f8dafcdd20b4debfe82cc4898d4
Tinba
ccea3ec883dbebf01bf405a8191e375dcdad2ab03b4601bd34b5261a3acf3fea
Tinba
ea0ce50f66a640eea126b60be3a15f0c0295f07c227e4ef5d68ac043063ce9c3
Tinba
Result
Malware family:
tinba
Create hunting rule
Score:
  10/10
Tags:
family:tinba banker persistence trojan
Link:
https://tria.ge/reports/210228-223bqnkwce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Tinba / TinyBanker
Unpacked files
SH256 hash:
fae5c267689014bdd6d78545ebf2c0ff0b13458480252d145e5c931410bc6ea8
MD5 hash:
11d4e8c1fd0c99066e6c71ce183cbcff
SHA1 hash:
2f116d0e6fbebe1504dd252eb90b7ef18c7fa0a7
Link:
https://www.unpac.me/results/4102c3e4-590b-4f74-a5f0-7040398d0d19/
SH256 hash:
3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
MD5 hash:
b4bd550756a21981b0587181fade44f0
SHA1 hash:
98ec9b58fcc06d0bcd485fc6bc21f8cb39c1e6fb
Link:
https://www.unpac.me/results/4102c3e4-590b-4f74-a5f0-7040398d0d19/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119868/

Comments