{
	"id": "832e36b0-77da-4bff-bae6-0b118b879976",
	"created_at": "2026-04-06T00:06:35.773189Z",
	"updated_at": "2026-04-10T03:20:03.41662Z",
	"deleted_at": null,
	"sha1_hash": "41f6dbbda6c30a431784c4988130e5e32e589840",
	"title": "May 31 - Tinba / Zusy - tiny banker trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72399,
	"plain_text": "May 31 - Tinba / Zusy - tiny banker trojan\r\nArchived: 2026-04-05 15:23:57 UTC\r\nTinba aka Zusy is an interesting tiny (18-20KB) banker trojan. It is not the smallest in use these days: the Andromeda bot is 13 KB for resident and only 9 KB for non-resident versions. I got a few samples and hoped to come up with enough data for an IDS signature, but they did a good emulation of the real systems, so it is not trivial. One thing that is very consistent is the 13-byte initial RC4-encoded request.\r\nI am posting details here; if you come up with a signature, please share it with Emerging Threats or here.\r\nPeter's list of features\r\nIt hooks into browsers, steals login data and sniffs network traffic.\r\nUses Man in the Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages with the purpose of circumventing two-factor authentication (2FA) or tricking the infected user into giving away additional sensitive data such as credit card data or TANs.\r\nNo packing or advanced encryption (yet).\r\nIt allocates new memory space where this specific injection function is stored and injects itself into the newly created process “winver.exe” (Version Reporter Applet) dropped into the Windows system folder.\r\nTinba also injects itself into both \"explorer.exe\" and \"svchost.exe\" processes.\r\nTinba uses primarily four different libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll and user32.dll.
\r\nThe main components are copied into the\r\n[%userprofile%]/Application Data/Default/bin.exe and the encrypted configuration file “cfg.dat”\r\naccompanied by the webinject file named “web.dat”.\r\nTinba uses four hardcoded domains for its C\u0026C communication.\r\nhttp://contagiodump.blogspot.com/2012/06/amazon.html\r\nPage 1 of 6\n\nDownload\r\n   Download the binaries listed above (email if you need the password)\r\n- thanks to Charles G for sharing\r\ndakotavolandos.com\r\ndak1otavola1ndos.com\r\ndako22tavol2andos.com\r\nd3akotav33olandos.com\r\nd4ak4otavolandos.com   \r\nwiecatinsu8.exe\r\nSha-256: 078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49\r\nMD5:  c141be7ef8a49c2e8bda5e4a856386ac\r\nSize: 19968\r\nSha-256: ce9483f6284903d8d76d60f1a96b3ade33c77ded0cac1d1c2dc8979879d6f91e.dak1otavola1ndos.com\r\nMD5:  6244604b4fe75b652c05a217ac90eeac\r\nSize: 19968\r\nSha-256:  8cc5050f513ed22780d4e85857a77a1fb2a3083d792cd550089b64e1d2ef58e9\r\nMD5:  08ab7f68c6b3a4a2a745cc244d41d213\r\nSize: 19968\r\nSha-256: 94e3fbcfb8d6f3fae34b1bc196c78082d35dc5a0084510c2c0b3ef38bc7b9cc2\r\nMD5:  debfdbd33d6e4695877d0a789212c013\r\n Size: 19968\r\nSha-256:  0505f7e556f5fa5624e763fb72a769eb73c497ef8f855d706a0203848fd41c24\r\nMD5:  8e8cd6dc7759f4b74ec0bfa84db5b1a5\r\nSize: 20480\r\nSha-256: 4144bc0bf25e55fbc65c1c03831ab1a82bc9cb267f8dd6264f5d0c55585ffd55\r\nMD5:  d1c13acddb7c13d0cf5a5c49e53a2906\r\nSize: 19968\r\nSha-256: 09478bf4833505d3d7b66d4f30ccce6b9fde3ea51b9ccf6fdeadc008efba43d8\r\nMD5:  b6991e7497a31fada9877907c63a5888\r\nSize: 18432\r\n=======================================\r\nmonsboys.biz\r\nuwyhbgwiechgi.com\r\nieubietubviurb.com  \r\nSha-256:  e7db4b0d0ef2804d9161670908697a93032a4c1809066d54ec6f9bcc8befa341.exe\r\nMD5:  0e252ec52d7f4604d6b8894e479de233\r\nSize: 20480\r\nSha-256: c33b7e2da7e7746950615f04bca55603f6c9082dd2352efe12173f408494c660\r\nMD5:  
b062be1e561c20b6fb829ad9a3303431\r\nSize: 19456\r\n====================================\r\nSha-256: ed09eee5ff1de74f7af7d9666a321726e745ef12c5766753b75c20c00ed6dd9b\r\nMD5:  b4b9486d3eea4dc3b643b6bd89a4a67d\r\nSize: 19456\r\nbasdinopowadoar.com\r\nazonpowzanadinoar.com\r\nsbasdinopowadoar.com\r\nTraffic\r\nPOST /h/index.php HTTP/1.1\r\nHost: dakotavolandos.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: identity\r\nConnection: close\r\nContent-Type: application/octet-stream\r\nContent-Length: 13\r\ny0J.......ii.HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\nDate: Wed, 16 May 2012 18:20:16 GMT\r\nContent-Type: text/html\r\nConnection: close\r\nX-Powered-By: PHP/5.3.3-7+squeeze3\r\nContent-Length: 81363\r\nVary: Accept-Encoding\r\n=======================================\r\nPOST /h/index.php HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nHost: sbasdinopowadoar.com\r\nContent-Length: 13\r\nConnection: Close\r\nCache-Control: no-cache\r\n4.`.......ii.HTTP/1.1 200 OK\r\nDate: Mon, 04 Jun 2012 11:31:06 GMT\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powered-By: PHP/5.3.13-1~dotdeb.0\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 30\r\nConnection: close\r\nContent-Type: text/html\r\n.............`..ff.....p......\r\n==================================\r\nPOST /nnt/index.php HTTP/1.1\r\nHost: monsboys.biz\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: 
identity\r\nConnection: close\r\nContent-Type: application/octet-stream\r\nContent-Length: 13\r\n4.`......j..9HTTP/1.1 403 Forbidden\r\nDate: Mon, 04 Jun 2012 11:44:28 GMT\r\nServer: Apache\r\nVary: Accept-Encoding\r\nContent-Length: 396\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n===============================================\r\nPOST /dataSafer3er/ HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nHost: sbasdinopowadoar.com\r\nContent-Length: 13\r\nConnection: Close\r\nCache-Control: no-cache\r\n4.`.......ii.HTTP/1.1 200 OK\r\nDate: Wed, 06 Jun 2012 05:07:15 GMT\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powered-By: PHP/5.3.13-1~dotdeb.0\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 30\r\nConnection: close\r\nContent-Type: text/html\r\nDomain info\r\nbasdinopowadoar.com\r\nazonpowzanadinoar.com\r\nsbasdinopowadoar.com (sinkholed)\r\nAndrash  Bakkers admin@azonpowzanadinoar.com (or domain above)\r\n+022.8260566 +022.8260566\r\nAhdv inc\r\nAleje Ujazdowskie 20-44\r\nWarszawa,Warszawa,AF 00540\r\nDomain Name:basdinopowadoar.com\r\nRecord last updated at 2012-05-26 12:54:16\r\nRecord created on 5/26/2012\r\nRecord expired on 05/26/2013\r\nDomain servers in listed order:\r\nns1.dns-diy.net      ns2.dns-diy.net\r\nOther domains that belong to \"Andrash Bakkers\"\r\nalfa-secure.com  \r\n      \r\nwizestreem.net           /je/2fwygag.bin Zeus C2\r\ndenitraspetr.com         Zeus C2\r\ndonotstoptillu.com     /WCES7tT/forum.php 31.186.103.29  Known Spyeye  C2 (Zusy?)\r\nescapefgtyuoi.com     /WCES7tT/forum.php  31.186.103.29 Known Spyeye  C2 (Zusy?)\r\nspacepushhere.com    /WCES7tT/forum.php 
195.210.47.230 Known Spyeye  C2 (Zusy?)\r\ntropikana-tour.com    \r\nk-login.com\r\njackeydu.com  \r\nmonsboys.biz\r\nDomain Name:                                 MONSBOYS.BIZ\r\nDomain ID:                                   D48970895-BIZ\r\nSponsoring Registrar:                        DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A\r\nPUBLICDOMAINREGISTRY.COM\r\nSponsoring Registrar IANA ID:                303\r\nRegistrar URL (registration services):       www.publicdomainregistry.com\r\nDomain Status:                               clientTransferProhibited\r\nRegistrant ID:                               DI_11711862\r\nRegistrant Name:                             Kimberly\r\nRegistrant Organization:                     Kimberly\r\nRegistrant Address1:                         1 South Drive\r\nRegistrant City:                             Hyde Park\r\nRegistrant State/Province:                   New York\r\nRegistrant Postal Code:                      12538\r\nRegistrant Country:                          United States\r\nRegistrant Country Code:                     US\r\nRegistrant Phone Number:                     +845.2290250\r\nRegistrant Email:                            \r\nSource: http://contagiodump.blogspot.com/2012/06/amazon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/06/amazon.html"
	],
	"report_names": [
		"amazon.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41f6dbbda6c30a431784c4988130e5e32e589840.pdf",
		"text": "https://archive.orkl.eu/41f6dbbda6c30a431784c4988130e5e32e589840.txt",
		"img": "https://archive.orkl.eu/41f6dbbda6c30a431784c4988130e5e32e589840.jpg"
	}
}