Tinba.A_70 is a banking Trojan whose size is approximately 20KB. It typically arrives on an infected system using a Blackhole exploit kit. It has the capability to inject its code into legitimate processes to steal login credentials and sniff network traffic, targeting financial websites and government portals. Tinba is also known as Tinybanker.
Mutexes created
Directory level activity
File level activity
Registry level activity
Library level activity
- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - C:\WINDOWS\system32\uxtheme.dll
- load - library - uxtheme.dll
- load - library - OLEAUT32.DLL
- load - library - oleaut32.dll
- load - library - ole32.dll
- load - library - SXS.DLL
- load - library - USER32
- load - library - C:\WINDOWS\system32\MSVBVM60.DLL
- load - library - MPR.DLL
- load - library - C:\WINDOWS\system32\VBoxMRXNP.dll
- load - library - C:\WINDOWS\System32\drprov.dll
- load - library - C:\WINDOWS\System32\ntlanman.dll
- load - library - C:\WINDOWS\System32\davclnt.dll
- load - library - C:\WINDOWS\system32\kernel32.dll
- load - library - kernel32.dll
- load - library - kernel32
- load - library - user32
- load - library - ntdll
- load - library - shell32
- load - library - advapi32
- load - library - kernel32
Process API calls used
- ZwMapViewOfSection
- VirtualProtectEx
- VirtualProtectEx
Registry API calls used
- NtOpenKey
- NtQueryValueKey
- RegOpenKeyExA
- RegOpenKeyExW
- RegQueryValueExW
- RegCloseKey
- NtOpenKey
System API calls used
- LdrGetDllHandle
- LdrLoadDll
- IsDebuggerPresent
- LdrGetProcedureAddress
- SetWindowsHookExA
- NtDelayExecution
- LdrGetProcedureAddress
Filesystem API calls used
- FindFirstFileExW
- NtQueryDirectoryFile
- NtOpenFile
- NtQueryInformationFile
- NtCreateFile
- NtOpenFile
Network
UDP source >> destination
TCP source >> destination
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLLs imported = 1