{
	"id": "18c5693b-786c-4d6f-b316-509395344269",
	"created_at": "2026-04-06T00:18:29.537112Z",
	"updated_at": "2026-04-10T13:12:52.274918Z",
	"deleted_at": null,
	"sha1_hash": "c230009dfa3191eb0a7da02bc84545ee8c2a2afd",
	"title": "Mini Analysis of the TinyBanker Tinba",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 902026,
	"plain_text": "Mini Analysis of the TinyBanker Tinba\r\nBy Kimberly\r\nArchived: 2026-04-05 18:09:15 UTC\r\nToday we’ll have a look at Tinba (Tiny Banker), the smallest banker in the world. Without the use of a packer or\r\ncrypter Tinba is around 20 KB, default configuration and web injects included. A few days ago the source code of\r\nTinba 1 was released on a closed underground forum. Reference.\r\nTinba uses MiTB (Man in The Browser) tricks and web injects to change the appearance of certain webpages.\r\nObjective: circumvent two-factor authentication and/or trick the victim into giving up additional sensitive data.\r\nTinba uses RC4 encryption to communicate with its C\u0026C servers. The key and the servers are hardcoded into the\r\nbinary. Before downloading updates from the C\u0026C server, Tinba sends out an RC4 encrypted string.\r\nI accidentally found this sample of Tinba because the author used the same crypter as ZeuS GameOver Reloaded.\r\nThe sample was submitted to VirusTotal the same day as the new ZeuS GameOver and seems to be the payload of\r\na spam email targeting mainly users from Poland and the Czech Republic. We can find traces of the crypter\r\nin the memory space of Tinba:\r\n0. 0x987041 (17): OU___Enemy %d ,\r\n1. 0x987053 (13): OU___Bomb %d\r\nAlong with the following strings:\r\n0. 0x14562a8 (11): LoadBitmapA\r\n1. 0x14562d0 (13): IntersectRect\r\n2. 0x1456342 (18): CreateCompatibleDC\r\n3. 0x1456358 (22): CreateCompatibleBitmap\r\n4. 0x145637c (14): ImageList_Draw\r\n5. 0x145638e (19): ImageList_AddMasked\r\nhttp://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html\r\nPage 1 of 11\n\nThe executable is 88.0 KB (90,112 bytes) and contains an RCData resource with the ID 56. The size (9479176\r\nbytes) is fake; it’s bigger than the size of the executable. This will cause a warning in Olly and makes it harder to\r\nextract the resource.\r\nThe resource with the ID 56 contains a fake JPG header. JPEGsnoop, a free Windows application able to examine\r\nand decode the inner details of JPEG images, reports an unknown marker at the offset 0x000004B1 and notifies of\r\nexisting data after EOF. Hiding an executable in a resource is a method to evade anti-virus detections.\r\nUpon execution TINBA.EXE [PID 2724] launches an instance of itself [PID 3004]. Note the size of the\r\nexecutable: 20KB.\r\nAfter approximately 1 minute (I noticed the SLEEP command in the code but didn’t time it) TINBA.EXE will\r\nlaunch an instance of TASKMGR.EXE (Windows Task Manager), inject code into the newly created process and\r\nexit.\r\nBefore terminating its process, TINBA.EXE contained the following Section:\r\n\\BaseNamedObjects\\redhot\r\nThe same Section is found again in the TASKMGR.EXE process.\r\nTASKMGR.EXE:\r\nReads the Volume Name and Serial Number\r\nCreates a directory named \"AdobeChk\" in the %APPDATA% folder\r\nRenames TINBA.exe to %APPDATA%\\AdobeChk\\chk.exe\r\nc:\\Documents and Settings\\[User Name]\\Application Data\\AdobeChk\\chk.exe\r\nDate: 7/14/2014 4:36 PM\r\nSize: 90,112 bytes\r\nCreates the following Registry entry so that CHK.EXE runs each time Windows starts:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \"AdobeChk\"\r\nType: REG_SZ\r\nData: C:\\Documents and Settings\\[User Name]\\Application Data\\AdobeChk\\chk.exe\r\nSets tabs and frames to run within the same process in IE:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main \"TabProcGrowth\"\r\nType: REG_DWORD\r\nData: 01, 00, 00, 00\r\nTASKMGR.EXE will establish a little routine in case the file or the Registry keys are deleted, but the procedure\r\nlooks a bit flawed to me. The injected process attempts to create a folder that already exists (resulting in a name\r\ncollision) and checks for a file called \"empty\" in the folder where TINBA.EXE was located.\r\nTinba sends out an RC4 encrypted string to the C\u0026C located at plsecdirect.ru and receives a 403 Forbidden. The\r\ndecrypted string is EHLO.\r\nHardcoded User Agent:\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nRC4 key:\r\nwer8c7ygbw485ghw\r\nHardcoded C\u0026C:\r\nplsecdirect.ru - 91.237.198.54\r\nframesoutchk.ru - 91.237.198.54\r\nTargeted Browsers:\r\niexplore.exe | firefox.exe | maxthon.exe | chrome.exe\r\nPath to configuration and web injects:\r\nC:\\Documents and Settings\\[User Name]\\Application Data\\AdobeChk\\cof.dat\r\nC:\\Documents and Settings\\[User Name]\\Application Data\\AdobeChk\\cot.dat\r\nMemory Strings:\r\n00. 0x3b170e (20): POST /re/ HTTP/1.1\r\n01.  \r\n02. 0x3b1739 (71): Accept: text/html, application/xhtml+xml, */*\r\n03. Accept-Language: en-US\r\n04.  \r\n05. 0x3b1791 (75): User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n06. 0x3b17ed (57):\r\n07. Content-Type: application/x-www-form-urlencoded\r\n08. Host:\r\n09. 0x3b1842 (18):\r\n10. Content-Length:\r\n11. 0x3b1875 (48):\r\n12. Connection: Close\r\n13. Cache-Control: no-cache\r\n14.  \r\n15. 0x3b215d (13):\r\n16. [urlfilter]\r\n17.  \r\n18. 0x3b22c4 (13):\r\n19. data_before\r\n20.  \r\n21. 0x3b22f5 (10):\r\n22. data_end\r\n23.  \r\n24. 0x3b2329 (13):\r\n25. data_inject\r\n26.  \r\n27. 0x3b235e (10):\r\n28. data_end\r\n29.  \r\n30. 0x3b2392 (12):\r\n31. data_after\r\n32.  \r\n33. 0x3b23c6 (10):\r\n34. data_end\r\n35.  \r\n36. 0x3b25e3 (14): %SAVEDATA_*=*%\r\n37. 0x3b26aa (11): %BOTDATA_*%\r\n38. 0x3b28e8 (15): X-Frame-Options\r\n39. 0x3b2aab (27): Accept-Encoding: identity\r\n40. 0x3b2adc (50): If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT\r\n41. 0x3b2e78 (18): Content-Length:\r\n42. 0x3b2ed8 (20): Transfer-Encoding:\r\n43. 0x3b3038 (19): X-Frame-Options:\r\n44. 0x3b306c (29): X-Content-Security-Policy:\r\nVirusTotal Results\r\ntinba.exe\r\nAdditional information\r\nMD5: faba9ee82dfa2629098c8ef884395d5a\r\nSHA1: c0e40cb29a1e6b5a4174727f49ef871aafb684d5\r\nSHA256: cbb16b01a8dcf3747a597ceb4176939f83083a6293b60aaca00e040970d63379\r\nFile size: 88.0 KB ( 90112 bytes )\r\nDetection ratio: 34 / 54\r\nAnalysis date: 2014-07-12 16:31:02\r\nAntivirus Result Update\r\nAd-Aware Trojan.GenericKD.1750488 20140712\r\nAegisLab 20140712\r\nAgnitum 20140712\r\nAhnLab-V3 Trojan/Win32.Zbot 20140712\r\nAntiVir TR/Crypt.Xpack.71693 20140712\r\nAntiy-AVL Trojan/Win32.Inject 20140712\r\nAvast Win32:Malware-gen 20140712\r\nAVG Generic_r.DYS 20140712\r\nBaidu-International Trojan.Win32.Tinba.BAX 20140712\r\nBitDefender Trojan.GenericKD.1750488 20140712\r\nBkav 20140711\r\nByteHero 20140712\r\nCAT-QuickHeal 20140712\r\nClamAV 20140712\r\nCMC 20140711\r\nCommtouch W32/Zbot.IWEE-4148 20140712\r\nComodo 20140712\r\nDrWeb Trojan.Encoder.682 20140712\r\nEmsisoft Trojan.GenericKD.1750488 (B) 20140712\r\nESET-NOD32 Win32/Tinba.AX 20140712\r\nF-Prot W32/Zbot.BZY 20140712\r\nF-Secure Trojan.GenericKD.1750488 20140712\r\nFortinet W32/Tinba.AX!tr 20140712\r\nGData Trojan.GenericKD.1750488 20140712\r\nIkarus Trojan-Spy.Zbot 20140712\r\nJiangmin 20140712\r\nK7AntiVirus 20140711\r\nK7GW 20140711\r\nKaspersky Trojan.Win32.Tinba.bl 20140712\r\nKingsoft 20140712\r\nMalwarebytes Trojan.Zbot 20140712\r\nMcAfee RDN/Generic.dx!ddw 20140712\r\nMcAfee-GW-Edition RDN/Generic.dx!ddw 20140711\r\nMicrosoft Trojan:Win32/Tinba.A 20140712\r\nMicroWorld-eScan Trojan.GenericKD.1750488 20140712\r\nNANO-Antivirus Trojan.Win32.Encoder.dcdrmp 20140712\r\nNorman Troj_Generic.UXHBG 20140712\r\nnProtect 20140711\r\nPanda Trj/CI.A 20140712\r\nQihoo-360 Win32/Trojan.Multi.daf 20140712\r\nRising 20140712\r\nSophos Troj/HkMain-AQ 20140712\r\nSUPERAntiSpyware 20140712\r\nSymantec Trojan.Zbot 20140712\r\nTencent Win32.Trojan.Tinba.Egek 20140712\r\nTheHacker 20140711\r\nTotalDefense 20140711\r\nTrendMicro TROJ_TINBA.TFB 20140712\r\nTrendMicro-HouseCall TROJ_TINBA.TFB 20140712\r\nVBA32 20140712\r\nVIPRE Trojan.Win32.Generic!BT 20140712\r\nViRobot Trojan.Win32.Agent.324096 20140712\r\nZillya 20140710\r\nZoner 20140711\r\nIf our research has helped you, please consider making a donation through PayPal.\r\nSource: http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html"
	],
	"report_names": [
		"mini-analysis-of-the-tinybanker-tinba.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c230009dfa3191eb0a7da02bc84545ee8c2a2afd.pdf",
		"text": "https://archive.orkl.eu/c230009dfa3191eb0a7da02bc84545ee8c2a2afd.txt",
		"img": "https://archive.orkl.eu/c230009dfa3191eb0a7da02bc84545ee8c2a2afd.jpg"
	}
}