MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a472a8df4bcc3b375a0bc8e70d79d62dda475cbf61efbb869fba40226b28ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tinba


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91a472a8df4bcc3b375a0bc8e70d79d62dda475cbf61efbb869fba40226b28ae
SHA3-384 hash: 6ca3d401106e41398b308a77e6aa55286cacef80ab8e61115f007ca09cc858fcc9f821bf3023e4a9e9caa62ada41bfd8
SHA1 hash: 4c8f30b98d7b04d60c13f2ebe5720a2d830146bb
MD5 hash: 8c6c87764af41c58248f5e0376fe6b06
humanhash: mirror-venus-iowa-connecticut
File name:91a472a8df4bcc3b375a0bc8e70d79d62dda475cbf61efbb869fba40226b28ae
Download: download sample
Signature Tinba
Create hunting rule
File size:89'789 bytes
First seen:2020-06-29 07:47:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1df020b6c2e8bcf9136bff4a34fa42aa (1 x Tinba)
ssdeep 1536:k5P2vIg7dNrTAzZv3FaGU5LR0YTjipvF2a:6P2QO+Zv3FNo2YvQd2a
Threatray 96 similar samples on MalwareBazaar
TLSH 47931821B2E88466F56B0374083547EA59327C226EB4C5BF7F09B75C3C7099A9A90F1B
Reporter JAMESWT_WT
Tags:Tinba

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15929/
Detection(s):
Win.Trojan.Emotet-6444504-0
Create hunting rule

Win.Malware.Vbkryjetor-6622845-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91a472a8df4bcc3b375a0bc8e70d79d62dda475cbf61efbb869fba40226b28ae/
Threat name:
Win32.Virus.Hematite
Create hunting rule
Status:
Malicious
First seen:
2020-06-20 02:05:28 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
052a7198fb77bc35af1b12cb629da41fd6d4be4f0c008c006f254f538301a3b5
Tinba
1002b7508336031b4e5c992ac2ab451c75f2782dd10f831829a9af87d32ed482
Tinba
1372551a1b2824bb421929fc8cdf683e64c53a48080be18335612a47fbd8a197
Tinba
251823645d1460928c1fd5f7cb861fb31e690238bb2707b2f2647baff98f9ca4
Tinba
697826e37f4032bffefac7a16507e97e4adecb92615c796dfb47f3c3cb83750e
Tinba
6ff412089c62ae8bea2f552a70420fe4834b00bd6f58cb413e2b0857b06cc177
Tinba
9d88f50d2a47b2339497c9ea6cb7cb1f669865e1e8df8e9363b147b0fdc75aef
Tinba
bc3729fcbb326ce373f348d481a61f6d4468c6013d3c712224c54a64c9c278f9
Tinba
e615fe028fe30d535f142962719d8f9348b66805a8c81bbf7d78332d12f624c0
Tinba
fcb020fc827bf432792feef13068e8094ae0dd1f201fa398a360eecf6216630b
Tinba
+ 86 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence evasion trojan
Link:
https://tria.ge/reports/200629-lpddj4v6jn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_tinba_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_tinba_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_tinba_w0
Create hunting rule
Author:n3sfox <n3sfox@gmail.com>
Description:Tinba 2 (DGA) banking trojan
Reference:https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15929/

Comments