{
	"id": "f9b9130d-92fb-449b-aa6a-9c8bd17d0c0f",
	"created_at": "2026-04-06T00:10:23.66886Z",
	"updated_at": "2026-04-10T03:20:43.456383Z",
	"deleted_at": null,
	"sha1_hash": "8c15e29a8c85cf3a015a50a7bf0dcaefb2a86afb",
	"title": "Tinba Banking Trojan Variant | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254957,
	"plain_text": "Tinba Banking Trojan Variant | Zscaler Blog\r\nBy Dhanalakshmi\r\nPublished: 2015-07-05 · Archived: 2026-04-05 16:22:10 UTC\r\nIntroduction\r\nTinba is an information-stealing Trojan. Its main purpose is to steal information such as browsing data, login credentials and banking information. It achieves this by injecting code into system processes (Winver.exe and Explorer.exe) and installing hooks into browsers such as Internet Explorer, Chrome, Firefox and Opera.\r\nTinba has been known to arrive via spammed e-mail attachments and drive-by downloads. Recently, Angler Exploit Kit instances were also found to be serving the Tinba banking Trojan.\r\nDetailed Analysis of Tinba\r\nTinba is packed with a custom packer and uses the well-known anti-debugging technique of calling the WinAPI function “IsDebuggerPresent” to hinder reverse engineering of the binary image. The execution flow of the infection cycle for Tinba is shown below.\r\nExecution flow of Tinba\r\nThe image below shows the custom packer code used by the Tinba sample we were looking at.\r\nhttps://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant\r\nPage 1 of 8\r\nTinba unpacking Routine\r\nThe unpacked binary image is shown below; upon execution it performs code injection into system processes such as Winver.exe and Explorer.exe.\r\nUnpacked Binary\r\nIt generates the mutex name from the root volume information of the victim’s machine, as shown below.\r\nMutex name generation\r\nRemote Thread in System Process\r\nA remote thread is created inside the Explorer process that is responsible for creating a copy of the Tinba binary in %APPDATA% \u0026 an auto-start registry entry in the registry hive.\r\nExplorer remote thread\r\nThe Tinba binary is stored in a hidden folder created under the %APPDATA% directory:\r\nC:\\Documents and Settings\\username\\Application Data\\mutexname\\bin.exe\r\nIt also creates an auto-run registry entry to execute the Tinba binary at every Windows start-up, as shown below:\r\nAuto start registry entry\r\nAnother thread is also created in the Explorer process; it is responsible for generating DGA (Domain Generation Algorithm) domains and injecting code into browsers such as Internet Explorer, Chrome, Firefox and Opera.\r\nExplorer local thread\r\nDomain Generation Algorithm\r\nThe following is the Domain Generation Algorithm (DGA) used by this Tinba variant, where every sample uses a hardcoded domain and seed to generate the DGA domains.\r\nDGA routine\r\nHardcoded Domain and seed\r\nThese DGA domains are fast-flux domains: a single domain is frequently switched between different IPs by registering them as part of the DNS A record list for that one domain.\r\ntargetHost targetIP\r\neudvwwwrmyqi.in 89.111.166.60\r\neudvwwwrmyqi.in 95.163.121.94\r\njrhijuuwgopx.com 176.31.62.78\r\njrhijuuwgopx.com 176.31.62.77\r\nnorubjjpsvfg.ru 210.1.226.15\r\nnorubjjpsvfg.ru 104.223.122.20\r\nnorubjjpsvfg.ru 104.223.15.16\r\nscpxsbsjjqje.ru 5.178.64.90\r\nscpxsbsjjqje.ru 192.198.90.228\r\nscpxsbsjjqje.ru 5.178.64.90\r\nwgwnmffclqvu.ru 192.198.90.228\r\nwgwnmffclqvu.ru 192.3.95.140\r\nRemote Thread in browsers\r\nThe Explorer thread searches for browser processes either by checking the path of the browser executable or by looking for a loaded application-specific DLL (e.g. NSS3.dll for firefox.exe). If the targeted browser process is found, a secondary thread is created in that process.\r\nBrowser thread\r\nThis thread is responsible for fetching updated bot configuration details, such as the target URL list and strings (BOTUID), from a remote C\u0026C server. If no updated list of target URLs is received from the C\u0026C server, it uses the default list of targeted URLs stored in the injected code. The list of default target URLs after decryption is shown below.\r\nDefault Targeted URL list\r\nThe information collected from webmail, social media and banking sites is stored in the \"log.dat\" file.\r\nLog file path\r\nC\u0026C communication \u0026 Cryptography:\r\nThe POST request to the C\u0026C server contains encrypted system information such as system volume \u0026 version information. The cryptography routine is a simple byte 'XOR' with an 8-bit 'ROR' of the key after each write.\r\nSend Data Encryption\r\nA sample Tinba POST request to DGA domains with 157 bytes of encrypted data is shown below.\r\nC\u0026C POST Request\r\nGeo distribution of C\u0026C call-back attempts that we blocked in the past month:\r\nGeo Location\r\nWe have seen the following C\u0026C server IP addresses:\r\nConclusion:\r\nTinba, also known as the small banking Trojan, continues to be prevalent in the wild. The arrival method varies from e-mail spam and drive-by downloads to, most recently, Exploit Kit infection cycles. Zscaler ThreatLabZ is actively monitoring this malware family and ensuring coverage for our customers.\r\nSource: https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant"
	],
	"report_names": [
		"look-recent-tinba-banking-trojan-variant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c15e29a8c85cf3a015a50a7bf0dcaefb2a86afb.pdf",
		"text": "https://archive.orkl.eu/8c15e29a8c85cf3a015a50a7bf0dcaefb2a86afb.txt",
		"img": "https://archive.orkl.eu/8c15e29a8c85cf3a015a50a7bf0dcaefb2a86afb.jpg"
	}
}