Mini Analysis of the TinyBanker Tinba
By Kimberly
Archived: 2026-04-05 18:09:15 UTC
Today we’ll have a look at Tinba (Tiny Banker), the smallest banker in the world. Without the use of a packer or
crypter Tinba is around 20 KB, default configuration and web injects included. A few days ago the source code of
Tinba 1 was released on a closed underground forum. Reference.
Tinba uses MiTB (Man in The Browser) tricks and web injects to change the appearance of certain webpages.
Objective: circumvent two factor Authentication and/or trick the victim in giving up additional sensitive data.
Tinba uses RC4 encryption to communicate with its C&C servers. The key and the servers are hardcoded into the
binary. Before downloading updates from the C&C server, Tinba sends out an RC4 encrypted string.
I accidentally found this sample of Tinba because the author used the same crypter as ZeuS GameOver Reloaded.
The sample was submitted to VirusTotal the same day as the new ZeuS GameOver and seems to be the payload of
a spam email targeting mainly users from Poland and the Czech Republic. We can find back traces of the crypter
in the memory space of Tinba:
0. 0x987041 (17): OU___Enemy %d ,
1. 0x987053 (13): OU___Bomb %d
Along with the following strings:
0. 0x14562a8 (11): LoadBitmapA
1. 0x14562d0 (13): IntersectRect
2. 0x1456342 (18): CreateCompatibleDC
3. 0x1456358 (22): CreateCompatibleBitmap
4. 0x145637c (14): ImageList_Draw
5. 0x145638e (19): ImageList_AddMasked
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 1 of 11

The executable is 88.0 KB (90,112 bytes) and contains an RCData resource with the ID 56. The size (9479176
bytes) is fake; it’s bigger than the size of the executable. This will cause a warning in Olly and makes it harder to
extract the resource.
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 2 of 11

The resource with the ID 56 contains a fake JPG header. JPEGsnoop, a free windows application able to examine
and decode the inner details of JPEG images, reports an unknown marker at the offset 0x000004B1 and notifies of
existing data after EOF. Hiding an executable in a resource is a method to evade anti-virus detections.
Upon execution TINBA.EXE [PID 2724] launches an instance of itself [PID 3004]. Note the size of the
executable: 20KB.
After approximately 1 minute (I noticed the SLEEP command in the code but didn’t time it) TINBA.EXE will
launch an instance of TASKMGR.EXE (Windows Task Manager), inject code into the newly created process and
exit.
Before terminating its process, TINBA.EXE contained the following Section:
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 3 of 11

\BaseNamedObjects\redhot
The same Section is found back in the TASKMGR.EXE process.
TASKMGR.EXE:
Reads the Volume Name and Serial Number
Creates a directory named "AdobeChk" in the %APPDATA% folder
Renames TINBA.exe to %APPDATA%\AdobeChk\chk.exe
c:\Documents and Settings\[User Name]\Application Data\AdobeChk\chk.exe
Date: 7/14/2014 4:36 PM
Size: 90,112 bytes
Creates the following Registry entry so that CHK.EXE runs each time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AdobeChk"
Type: REG_SZ
Data: C:\Documents and Settings\[User Name]\Application Data\AdobeChk\chk.exe
Sets tabs and frames to run within the same process in IE:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "TabProcGrowth"
Type: REG_DWORD
Data: 01, 00, 00, 00
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 4 of 11

TASKMGR.EXE will establish a little routine in case the file or the Registry keys are deleted but the procedure
looks a bit flawed to me. The injected process attempts to create a folder that already exists (resulting in a name
collision) and checks for a file called "empty" in the folder where TINBA.EXE was located.
Tinba sends out an RC4 encrypted string to the C&C located at plsecdirect.ru and receives a 403 Forbidden. The
decrypted string is EHLO.
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 5 of 11

Hardcoded User Agent:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
RC4 key:
wer8c7ygbw485ghw
Hardcoded C&C:
plsecdirect.ru - 91.237.198.54
framesoutchk.ru - 91.237.198.54
Targeted Browsers:
iexplore.exe | firefox.exe | maxthon.exe | chrome.exe
Path to configuration and web injects:
C:\Documents and Settings\[User Name]\Application Data\AdobeChk\cof.dat
C:\Documents and Settings\[User Name]\Application Data\AdobeChk\cot.dat
Memory Strings:
00. 0x3b170e (20): POST /re/ HTTP/1.1
01.  
02. 0x3b1739 (71): Accept: text/html, application/xhtml+xml, */*
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 6 of 11

03. Accept-Language: en-US
04.  
05. 0x3b1791 (75): User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
06. 0x3b17ed (57):
07. Content-Type: application/x-www-form-urlencoded
08. Host:
09. 0x3b1842 (18):
10. Content-Length:
11. 0x3b1875 (48):
12. Connection: Close
13. Cache-Control: no-cache
14.  
15. 0x3b215d (13):
16. [urlfilter]
17.  
18. 0x3b22c4 (13):
19. data_before
20.  
21. 0x3b22f5 (10):
22. data_end
23.  
24. 0x3b2329 (13):
25. data_inject
26.  
27. 0x3b235e (10):
28. data_end
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 7 of 11

29.  
30. 0x3b2392 (12):
31. data_after
32.  
33. 0x3b23c6 (10):
34. data_end
35.  
36. 0x3b25e3 (14): %SAVEDATA_*=*%
37. 0x3b26aa (11): %BOTDATA_*%
38. 0x3b28e8 (15): X-Frame-Options
39. 0x3b2aab (27): Accept-Encoding: identity
40. 0x3b2adc (50): If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
41. 0x3b2e78 (18): Content-Length:
42. 0x3b2ed8 (20): Transfer-Encoding:
43. 0x3b3038 (19): X-Frame-Options:
44. 0x3b306c (29): X-Content-Security-Policy:
VirusTotal Results
tinba.exe
Additional information
MD5: faba9ee82dfa2629098c8ef884395d5a
SHA1: c0e40cb29a1e6b5a4174727f49ef871aafb684d5
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 8 of 11

SHA256: cbb16b01a8dcf3747a597ceb4176939f83083a6293b60aaca00e040970d63379
File size: 88.0 KB ( 90112 bytes )
Detection ratio: 34 / 54
Analysis date: 2014-07-12 16:31:02
Antivirus Result Update
Ad-Aware Trojan.GenericKD.1750488 20140712
AegisLab 20140712
Agnitum 20140712
AhnLab-V3 Trojan/Win32.Zbot 20140712
AntiVir TR/Crypt.Xpack.71693 20140712
Antiy-AVL Trojan/Win32.Inject 20140712
Avast Win32:Malware-gen 20140712
AVG Generic_r.DYS 20140712
Baidu-International Trojan.Win32.Tinba.BAX 20140712
BitDefender Trojan.GenericKD.1750488 20140712
Bkav 20140711
ByteHero 20140712
CAT-QuickHeal 20140712
ClamAV 20140712
CMC 20140711
Commtouch W32/Zbot.IWEE-4148 20140712
Comodo 20140712
DrWeb Trojan.Encoder.682 20140712
Emsisoft Trojan.GenericKD.1750488 (B) 20140712
ESET-NOD32 Win32/Tinba.AX 20140712
F-Prot W32/Zbot.BZY 20140712
F-Secure Trojan.GenericKD.1750488 20140712
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 9 of 11

Fortinet W32/Tinba.AX!tr 20140712
GData Trojan.GenericKD.1750488 20140712
Ikarus Trojan-Spy.Zbot 20140712
Jiangmin 20140712
K7AntiVirus 20140711
K7GW 20140711
Kaspersky Trojan.Win32.Tinba.bl 20140712
Kingsoft 20140712
Malwarebytes Trojan.Zbot 20140712
McAfee RDN/Generic.dx!ddw 20140712
McAfee-GW-Edition RDN/Generic.dx!ddw 20140711
Microsoft Trojan:Win32/Tinba.A 20140712
MicroWorld-eScan Trojan.GenericKD.1750488 20140712
NANO-Antivirus Trojan.Win32.Encoder.dcdrmp 20140712
Norman Troj_Generic.UXHBG 20140712
nProtect 20140711
Panda Trj/CI.A 20140712
Qihoo-360 Win32/Trojan.Multi.daf 20140712
Rising 20140712
Sophos Troj/HkMain-AQ 20140712
SUPERAntiSpyware 20140712
Symantec Trojan.Zbot 20140712
Tencent Win32.Trojan.Tinba.Egek 20140712
TheHacker 20140711
TotalDefense 20140711
TrendMicro TROJ_TINBA.TFB 20140712
TrendMicro-HouseCall TROJ_TINBA.TFB 20140712
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 10 of 11

VBA32 20140712
VIPRE Trojan.Win32.Generic!BT 20140712
ViRobot Trojan.Win32.Agent.324096 20140712
Zillya 20140710
Zoner 20140711
If our research has helped you, please consider making a donation through PayPal.
Source: http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html
Page 11 of 11