#tinba_190220

VRad Feb 20th, 2020 (edited)
#IOC #OptiData #VR #tinba #tinybanker #USB

https://pastebin.com/AAxcHDU9

previous_contact:   n/a

FAQ:            https://www.cyber.nj.gov/threat-profiles/trojan-variants/tinba

attack_vector
--------------
USB > *.exe > AppData\Roaming\Microsoft\*\*.exe > HKCU\Software\Classes\.exe

email_headers
--------------
na

files
--------------
SHA-256     a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586
File name   WINSETUP.exe            [ PE32 executable | MingWin32 v?.? (h) ]
File size   1.27 MB (1327147 bytes)

SHA-256     28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963
File name   System Volume Information.exe   [ PE32 executable | MingWin32 v?.? (h) ]
File size   1.27 MB (1327147 bytes)

SHA-256     cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e
File name   PallTronic_FFS02.exe        [ PE32 executable | MingWin32 v?.? (h) ]
File size   1.27 MB (1327147 bytes)

activity
--------------
PL_SCR      USB Drive

C2      5.175.209.151

netwrk
--------------
[http]

5.175.209.151   POST /ft/si.php?reg&ver=6.8&comp=system_name&addinfo=user;%20Windows... HTTP/1.1    fortis

comp
--------------
winlogon.exe    2804    TCP localhost   52471   5.175.209.151   80  SYN_SENT

proc
--------------
X:\System Volume Information.exe
"C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe"
C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe

persist
--------------
HKCU\Software\Classes\.exe              20.02.2020 17:02
Software\Classes\.exe
c:\users\operator\appdata\roaming\microsoft\lib\winlogon.exe    24.01.2013 0:16
"C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "%1" %*
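A defender-side check for the persistence mechanism recorded in the persist section: the per-user .exe file association is pointed at a launcher under AppData\Roaming, which then forwards the real target through "%1" %*. This is an added example, not part of the original paste or of the referenced analyses. The sample values are constructed from the persist section above; the stock `"%1" %*` value is the normal Windows handler for the exefile class; reading the value out of the registry is left to the caller, since the exact subkey that holds the command is not given on the page.

```python
from typing import Dict, List

# Normal "open" command for the exefile class on a stock Windows install.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Directory fragments a standard user can write to; an .exe handler living
# here is suspicious regardless of its file name.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\temp\\",
    "\\tmp\\",
)

# Well-known system binaries that legitimately live only in %SystemRoot%\System32.
# winlogon.exe is the name impersonated in the paste; the rest are added for breadth.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe"}

# Constructed sample: key names are the page's own, the first value is the
# observed hijack, the second is a stock handler added for comparison.
SAMPLE_HANDLERS = {
    "HKCU\\Software\\Classes\\.exe":
        '"C:\\Users\\operator\\AppData\\Roaming\\Microsoft\\lib\\winlogon.exe" /START "%1" %*',
    "HKCR\\exefile\\shell\\open\\command": '"%1" %*',
}


def launcher_path(command: str) -> str:
    """Return the executable a file-association command actually runs.
    Handles both the quoted form ("C:\\dir with spaces\\x.exe" args) and a bare path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def check_exe_handler(command: str) -> List[str]:
    """Inspect one .exe open-command value and return the reasons it looks hijacked.
    An empty list means the value is the stock Windows handler."""
    findings: List[str] = []
    normalised = " ".join(command.split())  # collapse stray whitespace before comparing
    if normalised == DEFAULT_EXE_COMMAND:
        return findings
    findings.append("handler is not the default '\"%1\" %*'")

    exe = launcher_path(normalised)
    if exe == "%1":
        return findings  # still launches the target directly, only the arguments differ
    lowered = exe.lower()
    if any(marker in lowered for marker in USER_WRITABLE):
        findings.append(f"launcher lives in a user-writable directory: {exe}")
    name = lowered.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and "\\windows\\system32\\" not in lowered:
        findings.append(f"launcher impersonates system binary {name} outside System32")
    if '"%1"' in normalised and "%*" in normalised:
        findings.append("original target is still forwarded via \"%1\" %*, typical of a proxy hijack")
    return findings


def scan_handlers(handlers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_exe_handler over a key -> command mapping, keeping only the hits."""
    return {key: f for key, cmd in handlers.items() if (f := check_exe_handler(cmd))}


if __name__ == "__main__":
    for key, reasons in scan_handlers(SAMPLE_HANDLERS).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

On a live host the mapping can be filled from `reg query` output or the `winreg` module; the HKCU association is checked first because a per-user Classes entry overrides the machine-wide exefile handler for that user without needing administrative rights.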

drop
--------------
C:\tmp\boeowhrfeparymlhnaaiqln.jpg.cr
C:\Users\operator\AppData\Roaming\Microsoft\lib
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\host.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\w32pl.bin
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\x64.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\libfx
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\host.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\upd.dll
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\x64.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv\srcd.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\x64\innodb.dmp
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\srcd.dmp
C:\Users\operator\AppData\Roaming\Microsoft\lib\syslink.dll
C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\zlib.dat

# # #
https://www.virustotal.com/gui/file/a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586/details
https://analyze.intezer.com/#/analyses/d166876d-e623-44c7-8333-af923b8ec510

https://www.virustotal.com/gui/file/28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963/details

https://www.virustotal.com/gui/file/cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e/details

VR