- #IOC #OptiData #VR #tinba #tinybanker #USB
- https://pastebin.com/AAxcHDU9
- previous_contact: n/a
- FAQ: https://www.cyber.nj.gov/threat-profiles/trojan-variants/tinba
- attack_vector
- --------------
- USB > *.exe > AppData\Roaming\Microsoft\*\*.exe > HKCU\Software\Classes\.exe
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586
- File name WINSETUP.exe [ PE32 executable | MingWin32 v?.? (h) ]
- File size 1.27 MB (1327147 bytes)
- SHA-256 28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963
- File name System Volume Information.exe [ PE32 executable | MingWin32 v?.? (h) ]
- File size 1.27 MB (1327147 bytes)
- SHA-256 cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e
- File name PallTronic_FFS02.exe [ PE32 executable | MingWin32 v?.? (h) ]
- File size 1.27 MB (1327147 bytes)
- activity
- **************
- PL_SCR USB Drive
- C2 5.175.209.151
- netwrk
- --------------
- [http]
- 5.175.209.151 POST /ft/si.php?reg&ver=6.8&comp=system_name&addinfo=user;%20Windows... HTTP/1.1 fortis
- comp
- --------------
- winlogon.exe 2804 TCP localhost 52471 5.175.209.151 80 SYN_SENT
- proc
- --------------
- X:\System Volume Information.exe
- "C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe"
- C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe
- persist
- --------------
- HKCU\Software\Classes\.exe 20.02.2020 17:02
- Software\Classes\.exe
- c:\users\operator\appdata\roaming\microsoft\lib\winlogon.exe 24.01.2013 0:16
- "C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe" /START "%1" %*
- drop
- --------------
- C:\tmp\boeowhrfeparymlhnaaiqln.jpg.cr
- C:\Users\operator\AppData\Roaming\Microsoft\lib
- C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\host.exe
- C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\w32pl.bin
- C:\Users\operator\AppData\Roaming\Microsoft\lib\chmdata\x64.dat
- C:\Users\operator\AppData\Roaming\Microsoft\lib\libfx
- C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\host.exe
- C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\upd.dll
- C:\Users\operator\AppData\Roaming\Microsoft\lib\msql\x64.dat
- C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv\srcd.exe
- C:\Users\operator\AppData\Roaming\Microsoft\lib\x64\innodb.dmp
- C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.dat
- C:\Users\operator\AppData\Roaming\Microsoft\lib\sdrv.exe
- C:\Users\operator\AppData\Roaming\Microsoft\lib\srcd.dmp
- C:\Users\operator\AppData\Roaming\Microsoft\lib\syslink.dll
- C:\Users\operator\AppData\Roaming\Microsoft\lib\winlogon.exe
- C:\Users\operator\AppData\Roaming\Microsoft\lib\zlib.dat
- # # #
- https://www.virustotal.com/gui/file/a3bd158dd6d44991665cf3a53b7825ac6d5e94645701360d4b2b26128fd92586/details
- https://analyze.intezer.com/#/analyses/d166876d-e623-44c7-8333-af923b8ec510
- https://www.virustotal.com/gui/file/28b7941e0c45f7e01deef2d45b922690894b3ad3e7ebbf4b6719835037e0c963/details
- https://www.virustotal.com/gui/file/cd11f758195f347094457c42e622000ad363071fdb1f891d343341c3fb94921e/details
- VR