VRad

#tinba_190220

Feb 20th, 2020
#IOC #OptiData #VR #tinba #tinybanker #USB

https://pastebin.com/AAxcHDU9

previous_contact: n/a

FAQ: https://www.cyber.nj.gov/threat-profiles/trojan-variants/tinba

attack_vector
--------------
USB > *.exe > AppData\Roaming\Microsoft\*\*.exe > HKCU\Software\Classes\.exe

email_headers
--------------
n/a

files
--------------
SHA-256 a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586
File name WINSETUP.exe [ PE32 executable | MingWin32 v?.? (h) ]
File size 1.27 MB (1327147 bytes)

SHA-256 28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963
File name System Volume Information.exe [ PE32 executable | MingWin32 v?.? (h) ]
File size 1.27 MB (1327147 bytes)

SHA-256 cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e
File name PallTronic_FFS02.exe [ PE32 executable | MingWin32 v?.? (h) ]
File size 1.27 MB (1327147 bytes)

activity
**************
PL_SCR USB Drive

C2 5.175.209.151

netwrk
--------------
[http]

5.175.209.151 POST /ft/si.php?reg&ver=6.8&comp=system_name&addinfo=user;%20Windows... HTTP/1.1 fortis

comp
--------------
winlogon.exe 2804 TCP localhost 52471 5.175.209.151 80 SYN_SENT

proc
--------------
X:\System Volume Information.exe
"C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe"
C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe

persist
--------------
HKCU\Software\Classes\.exe 20.02.2020 17:02
Software\Classes\.exe
c:\users\operator\appdata\roaming\microsoft\lib\winlogon.exe 24.01.2013 0:16
"C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "%1" %*

drop
--------------
C:\tmp\boeowhrfeparymlhnaaiqln.jpg.cr
C:\Users\operator\AppData\Roaming\Microsoft\lib
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\host.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\w32pl.bin
C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\x64.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\libfx
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\host.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\upd.dll
C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\x64.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv\srcd.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\x64\innodb.dmp
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.dat
C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\srcd.dmp
C:\Users\operator\AppData\Roaming\Microsoft\lib\syslink.dll
C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe
C:\Users\operator\AppData\Roaming\Microsoft\lib\zlib.dat

# # #
https://www.virustotal.com/gui/file/a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586/details
https://analyze.intezer.com/#/analyses/d166876d-e623-44c7-8333-af923b8ec510

https://www.virustotal.com/gui/file/28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963/details

https://www.virustotal.com/gui/file/cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e/details

VR