A forum for reverse engineering, OS internals and malware analysis 

 #24024  by Kafeine
 Wed Oct 01, 2014 1:26 pm
As I was asked for them after a tweet about Bedep pushing it, here are 8 samples from the "Sparkus" Tinba.
Not the smallest trojan-banker anymore ;)

(oldest first)

ea35a40751ad09cdf5eec12d3f445b8e
afb2a5e8e60b6288576bafedbdfd9563

networkglasgow.com [**] /testing/
151.248.118.116
39134 | 151.248.116.0/22 | UNITEDNET | RU | REG.RU | DOMAIN NAMES REGISTRAR REG.RU LTD

9fd9d95234c12e0e67db8fa863101338

pxvsvwllsvqn.com [**] /testing/
95.183.8.139
42244 | 95.183.8.0/23 | ESERVER | RU | IHC.RU | IHC.RU NETWORK IN ESERVER.RU

c4355538e97eca0f6c18ea01955a860c
bccbghcbcdxo.com 185.22.232.51
48172 | 185.22.232.0/23 | OVERSUN | RU | IHC.RU | IHC.RU NETWORK IN OVERSUN and DGA

16388ffa09af51350db2ac469f216757
8f7c8ef20a2ad55acf90f82ebfd935af

07a9f19907e774fa45c6597901fe32f2
09/29/2014-02:58:21.952247 mulwovuuyydj.com [**] /testing/ [**] -> 109.62.255.132:80

59aca8b6bc452861d314fefb9aabe6a8
mulwovuuyydj .com 109.62.255.132
Attachments: 8 items, pass: infected (625.23 KiB)
 #24766  by sysopfb
 Tue Dec 30, 2014 3:37 am
Signed Tinba

MD5 0da85ba18c8100fe4c07027a45acb769
SHA-1 01e989731bac313e70a9633e0d55db2363a4c58f
SHA-256 33d8ee4de05a73aae37029f8e591e3c3b06c1a00d0e6c67f555b28b75d4c84f3

Attached is the sample along with the web injects.
Attachments: pw: infected (122.82 KiB)
 #24772  by ikolor
 Tue Dec 30, 2014 4:54 pm
Tries to connect to

ppp-141-101-12-38.wildpark.net

Ukraine
-------------------------------

pidriliusmako29.com
vxlevccilptg.com
dedtinokgodt.com
ibihhlyctjmb.com
kfqqboboojir.com
rplhvvwopmvu.com
ptxyrgeetsjq.com
bjddeebdbjcc.com
hcwwglhcrwtl.com
etjvjixhnqhq.com
rurphkjqpsry.com
evslssstuqlp.com
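The two posts above list the Tinba C2 infrastructure seen at the time: an IDS-style log line for the check-in to `/testing/`, and a run of 12-letter `.com` hostnames that the first post already tags as DGA output. Below is an added triage example (not code from the thread or from any Tinba tool) that parses that log line format and flags hostnames that look machine-generated. The "DGA-like" test is a plain heuristic (exactly 12 lowercase letters in the second-level label, few vowels), chosen because it matches every generated-looking domain in the thread and none of the others; it is an assumption, not Tinba's actual generation algorithm, which the thread does not describe. The log lines are constructed here from indicators posted in the thread, with made-up timestamps except for the one quoted verbatim.

```python
"""Triage of Tinba-style C2 indicators: parse ET/Suricata-style log lines and
flag DGA-looking hostnames.  Added example, not the thread's own code.
The DGA test is a heuristic assumption (length 12, all letters, low vowel
ratio), not Tinba's real DGA."""
import re

# Format as quoted in the thread:
# "09/29/2014-02:58:21.952247 host [**] /uri/ [**] -> ip:port"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<host>\S+)\s+\[\*\*\]\s+(?P<uri>\S+)\s+\[\*\*\]\s+->\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

VOWELS = set("aeiou")


def parse_line(line):
    """Return a dict with ts/host/uri/ip/port, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def looks_dga(host, label_len=12, max_vowel_ratio=0.35):
    """Heuristic (assumption, see lead-in): second-level label is exactly
    label_len lowercase letters with a vowel ratio at or below the threshold.
    Rejects multi-label hosts, digits and ordinary words like 'networkglasgow'."""
    labels = host.lower().split(".")
    if len(labels) != 2:
        return False
    sld = labels[0]
    if len(sld) != label_len or not sld.isalpha() or not sld.isascii():
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return vowel_ratio <= max_vowel_ratio


def triage(lines):
    """Group parseable lines by host; each entry carries the DGA verdict,
    the resolved IPs and the URIs requested.  Unparseable lines are skipped."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = seen.setdefault(
            rec["host"], {"dga": looks_dga(rec["host"]), "ips": set(), "uris": set()}
        )
        entry["ips"].add(rec["ip"])
        entry["uris"].add(rec["uri"])
    return {
        h: {"dga": e["dga"], "ips": sorted(e["ips"]), "uris": sorted(e["uris"])}
        for h, e in seen.items()
    }


# Constructed input: the first line is the one quoted in the thread, the next
# two are synthesized from other indicators in the thread (timestamps invented),
# the last one checks that junk is ignored rather than crashing the parser.
SAMPLE_LOG = [
    "09/29/2014-02:58:21.952247 mulwovuuyydj.com [**] /testing/ [**] -> 109.62.255.132:80",
    "09/29/2014-03:01:07.000001 networkglasgow.com [**] /testing/ [**] -> 151.248.118.116:80",
    "09/29/2014-03:02:44.000002 pxvsvwllsvqn.com [**] /testing/ [**] -> 95.183.8.139:80",
    "not a log line at all",
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        flag = "DGA?" if info["dga"] else "    "
        print(f"{flag} {host:22} {','.join(info['ips']):16} {','.join(info['uris'])}")
```

Run against the hostnames in the two posts, the heuristic flags every 12-letter domain (vowel ratios between 0 and 4/12) and rejects `networkglasgow.com` and `pidriliusmako29.com` (wrong length, and digits), which is consistent with the thread treating the latter as a fixed domain rather than DGA output. A threshold this tight is only a first filter; a real pipeline would pair it with passive DNS and registration-date checks.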
 #25520  by od1
 Fri Mar 27, 2015 2:47 pm
Newish one:
edd2dc70969c6afaae23796b373f3b4e007084cc

Getting stuck debugging this, not sure if it's my environment or what.

BP on CreateProcessA: it injects into winver.exe.

winver does ReadProcessMemory from the orig process and rets to it.

It then does a 0xCC XOR loop to get "USER32" and immediately calls LoadLibrary.

000A0AF0 call dword_401075[ebx]

This call ends up crashing with eax being 0:
inc dword ptr [eax+10h] (in ntdll_RtlpWaitForCriticalSection)

Run it without a debugger and it's fine, injects into explorer.

Any ideas, what am I missing?
Attachments (63.28 KiB)
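The post above describes the injected stub decoding "USER32" with a 0xCC XOR loop right before calling LoadLibrary. Instead of single-stepping that loop, an analyst would usually dump the injected region and scan it for known DLL and API names under every single-byte key. The following is an added example of that scan; it is not code from the thread or from the sample. The buffer it runs on is constructed here (filler bytes around "USER32" and "LoadLibraryA" XORed with 0xCC, mirroring what the post reports), not taken from the dump, and the list of names to look for is an assumption.

```python
"""Recover single-byte-XOR-obfuscated strings from a memory dump.
Added example, not the thread's code.  The sample buffer is constructed."""

# Names worth finding in an injected stub (assumption: a typical shortlist).
KNOWN = [b"USER32", b"KERNEL32", b"NTDLL", b"LoadLibraryA", b"GetProcAddress"]


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_strings(blob, known=KNOWN, keys=range(1, 256)):
    """Return sorted (offset, key, name) for every known name that appears in
    blob under any single-byte key.  Key 0 is excluded by default because it
    would only report plaintext occurrences."""
    hits = []
    for key in keys:
        for name in known:
            needle = xor_bytes(name, key)
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, key, name.decode()))
                start = idx + 1
    return sorted(hits)


def key_histogram(hits):
    """Count hits per key; the real key normally dominates, stray single hits
    on short names are usually coincidence."""
    counts = {}
    for _, key, _ in hits:
        counts[key] = counts.get(key, 0) + 1
    return counts


def decode_region(blob, offset, key, max_len=64):
    """Decode a NUL-terminated string at offset under key, as the stub would."""
    out = bytearray()
    for b in blob[offset:offset + max_len]:
        c = b ^ key
        if c == 0:
            break
        out.append(c)
    return out.decode("ascii", errors="replace")


# Constructed sample blob: 16 bytes of filler, "USER32\0" XOR 0xCC, 8 bytes of
# filler, "LoadLibraryA\0" XOR 0xCC, trailing zeros.  Offsets: 16 and 31.
SAMPLE_BLOB = (
    b"\x90" * 16
    + xor_bytes(b"USER32\x00", 0xCC)
    + b"\x41" * 8
    + xor_bytes(b"LoadLibraryA\x00", 0xCC)
    + b"\x00" * 4
)

if __name__ == "__main__":
    found = find_xored_strings(SAMPLE_BLOB)
    for off, key, name in found:
        print(f"0x{off:04x} key=0x{key:02x} {name!r} -> {decode_region(SAMPLE_BLOB, off, key)!r}")
    print("key histogram:", {hex(k): v for k, v in key_histogram(found).items()})
```

On a real dump you would pass the injected region read out of winver.exe and look at the key histogram first: two or more distinct names agreeing on one key is a strong signal, while a lone hit on a five-letter name like NTDLL under an odd key is usually noise. Once the key is known, `decode_region` recovers the full NUL-terminated strings around each hit, which is often enough to name the imports the stub resolves without tracing the loop at all.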
 #26504  by Kafeine
 Wed Aug 12, 2015 2:54 pm
Tinba Trojan Sets Its Sights on Romania - Limor Kessem - IBM X-Force - 2015-08-12

Here is some data for those interested:

Here is this Romania-focused Tinba pushed by Angler on 2015-07-24 (Fiddler capture attached).


Sample from that Fiddler pass:
81b6c79575d49738e94200caa7906eef (attached)

Samples from 2 days ago:
0785c8dbb7231b79a6f8b5b63f654485 (attached)
Attachments: Fiddler capture, 2 samples. Password: infected (381.35 KiB)