:D opensc, trojanforge.co many zoo lolz! :roll:
Hi,
Tinba goes 64 bit. Attached signed and unsigned files.
Enjoy,
- p4r4n0id
A forum for reverse engineering, OS internals and malware analysis
Attachments
pwd: infected
(218.59 KiB) Downloaded 95 times
(218.59 KiB) Downloaded 95 times
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/
http://p4r4n0id.com/
As I have been asked for after a tweet on Bedep pushing it, here are 8 samples from the "Sparkus" Tinba.
Not the smallest trojan-banker anymore ;)
(oldest first)
ea35a40751ad09cdf5eec12d3f445b8e
afb2a5e8e60b6288576bafedbdfd9563
networkglasgow.com [**] /testing/
151.248.118.116
39134 | 151.248.116.0/22 | UNITEDNET | RU | REG.RU | DOMAIN NAMES REGISTRAR REG.RU LTD
9fd9d95234c12e0e67db8fa863101338
pxvsvwllsvqn.com [**] /testing/
95.183.8.139
42244 | 95.183.8.0/23 | ESERVER | RU | IHC.RU | IHC.RU NETWORK IN ESERVER.RU
c4355538e97eca0f6c18ea01955a860c
bccbghcbcdxo.com 185.22.232.51
48172 | 185.22.232.0/23 | OVERSUN | RU | IHC.RU | IHC.RU NETWORK IN OVERSUN and DGA
16388ffa09af51350db2ac469f216757
8f7c8ef20a2ad55acf90f82ebfd935af
07a9f19907e774fa45c6597901fe32f2
09/29/2014-02:58:21.952247 mulwovuuyydj.com [**] /testing/ [**] -> 109.62.255.132:80
59aca8b6bc452861d314fefb9aabe6a8
mulwovuuyydj .com 109.62.255.132
Not the smallest trojan-banker anymore ;)
(oldest first)
ea35a40751ad09cdf5eec12d3f445b8e
afb2a5e8e60b6288576bafedbdfd9563
networkglasgow.com [**] /testing/
151.248.118.116
39134 | 151.248.116.0/22 | UNITEDNET | RU | REG.RU | DOMAIN NAMES REGISTRAR REG.RU LTD
9fd9d95234c12e0e67db8fa863101338
pxvsvwllsvqn.com [**] /testing/
95.183.8.139
42244 | 95.183.8.0/23 | ESERVER | RU | IHC.RU | IHC.RU NETWORK IN ESERVER.RU
c4355538e97eca0f6c18ea01955a860c
bccbghcbcdxo.com 185.22.232.51
48172 | 185.22.232.0/23 | OVERSUN | RU | IHC.RU | IHC.RU NETWORK IN OVERSUN and DGA
16388ffa09af51350db2ac469f216757
8f7c8ef20a2ad55acf90f82ebfd935af
07a9f19907e774fa45c6597901fe32f2
09/29/2014-02:58:21.952247 mulwovuuyydj.com [**] /testing/ [**] -> 109.62.255.132:80
59aca8b6bc452861d314fefb9aabe6a8
mulwovuuyydj .com 109.62.255.132
Attachments
Pass: infected - 8 items
(625.23 KiB) Downloaded 93 times
(625.23 KiB) Downloaded 93 times
I think "Sparkus" Tinba samples may appear much earlier . For instance
https://www.virustotal.com/fr/file/3816 ... 410241586/ ( dropped by 690b3aa7810c254620003906718b5fb2)
https://www.virustotal.com/fr/file/1525 ... 410242519/ (dropped by bc457647c36f750f865cacaf3e3e7c32)
Regards
https://www.virustotal.com/fr/file/3816 ... 410241586/ ( dropped by 690b3aa7810c254620003906718b5fb2)
https://www.virustotal.com/fr/file/1525 ... 410242519/ (dropped by bc457647c36f750f865cacaf3e3e7c32)
Regards
Yep. "Oldest first" was referering to the samples that were attached in the zip.
Just 8 samples I gathered via Bedep.
Just 8 samples I gathered via Bedep.
Signed Tinba
MD5 0da85ba18c8100fe4c07027a45acb769
SHA-1 01e989731bac313e70a9633e0d55db2363a4c58f
SHA-256 33d8ee4de05a73aae37029f8e591e3c3b06c1a00d0e6c67f555b28b75d4c84f3
Attached is sample along with web injects
MD5 0da85ba18c8100fe4c07027a45acb769
SHA-1 01e989731bac313e70a9633e0d55db2363a4c58f
SHA-256 33d8ee4de05a73aae37029f8e591e3c3b06c1a00d0e6c67f555b28b75d4c84f3
Attached is sample along with web injects
Attachments
pw: infected
(122.82 KiB) Downloaded 100 times
(122.82 KiB) Downloaded 100 times
try to connect to
ppp-141-101-12-38.wildpark.net
Ukraine
-------------------------------
pidriliusmako29.com
vxlevccilptg.com
dedtinokgodt.com
ibihhlyctjmb.com
kfqqboboojir.com
rplhvvwopmvu.com
ptxyrgeetsjq.com
bjddeebdbjcc.com
hcwwglhcrwtl.com
etjvjixhnqhq.com
rurphkjqpsry.com
evslssstuqlp.com
ppp-141-101-12-38.wildpark.net
Ukraine
-------------------------------
pidriliusmako29.com
vxlevccilptg.com
dedtinokgodt.com
ibihhlyctjmb.com
kfqqboboojir.com
rplhvvwopmvu.com
ptxyrgeetsjq.com
bjddeebdbjcc.com
hcwwglhcrwtl.com
etjvjixhnqhq.com
rurphkjqpsry.com
evslssstuqlp.com
Newish one:
edd2dc70969c6afaae23796b373f3b4e007084cc
Gettings stuck debugging this, not sure if its my environment or what.
bp on createprocessa, it injects into winver.exe
winver does ReadProcessMemory from orig process and rets to it.
It then does a CC xor loop to get "USER32" and immediately calls loadlibrary.
000A0AF0 call dword_401075[ebx]
This call ends up crashing with eax being 0
inc dword ptr [eax+10h] (in ntdll_RtlpWaitForCriticalSection)
run it without debug, its fine, injects into explorer.
any ideas, what am i missing.
edd2dc70969c6afaae23796b373f3b4e007084cc
Gettings stuck debugging this, not sure if its my environment or what.
bp on createprocessa, it injects into winver.exe
winver does ReadProcessMemory from orig process and rets to it.
It then does a CC xor loop to get "USER32" and immediately calls loadlibrary.
000A0AF0 call dword_401075[ebx]
This call ends up crashing with eax being 0
inc dword ptr [eax+10h] (in ntdll_RtlpWaitForCriticalSection)
run it without debug, its fine, injects into explorer.
any ideas, what am i missing.
Attachments
(63.28 KiB) Downloaded 92 times
Tinba Trojan Sets Its Sights on Romania - Limor Kessem - IBM X-Force - 2015-08-12
Here are some data for those interested :
Here this Romanian focused Tinba pushed by Angler the 2015-07-24 (fiddler attached)
Sample from that fiddler pass :
81b6c79575d49738e94200caa7906eef (attached)
Samples from 2 days ago:
0785c8dbb7231b79a6f8b5b63f654485(attached)
Here are some data for those interested :
Here this Romanian focused Tinba pushed by Angler the 2015-07-24 (fiddler attached)
Sample from that fiddler pass :
81b6c79575d49738e94200caa7906eef (attached)
Samples from 2 days ago:
0785c8dbb7231b79a6f8b5b63f654485(attached)
Attachments
Fiddler, 2 samples. Password : infected
(381.35 KiB) Downloaded 62 times
(381.35 KiB) Downloaded 62 times