Threat Scorecard

Ranking: 17,978
Threat Level: 90 % (High)
Infected Computers: 1,538
First Seen: June 4, 2012
Last Seen: December 17, 2022
OS(es) Affected: Windows

Tinba is a banking Trojan whose purpose is to steal online banking credentials that victims enter in their browser. Tinba is primarily spread through malvertising campaigns, exploit kits and the ever-topical spam email campaigns. The main targets of the Trojan are bank customers residing in the United States and Europe.

Trojan.Tinba steals its victims' online banking information by using code injections that modify the portal pages of legitimate banking websites. The victim is presented with a very legitimate-looking, yet completely fake and malicious login interface for their respective bank. Entering sensitive data into this login interface results in the login credentials being siphoned to the bad actors behind the Trojan.

Once the victim visits one of the specific banking portals that are hard-coded in the malware, the original login interface is swapped with the malicious one through web injection. The web code injections are kept on the victim's hard drive and are encrypted using a key. The key itself is the name of the directory where the injection files are kept. When it needs to inject the malicious code, Tinba decrypts it entirely and injects it into the browser's memory with no other safety measures, which makes spotting the issue relatively easy for security researchers. The code injection itself and the fake info-stealing login interface use code that is very similar to that used by the Zeus banking Trojan.

Tinba is also known for resorting to social engineering tactics to urge its victims to enter their credentials in the fake login forms, even if the user did not originally intend to do any online banking. Such tactics include fake messages that the victim received an erroneous bank transfer and needs to refund the sum immediately, to avoid further trouble. Similar scare tactics are used by a lot of other types of malware, including rogue antivirus software and some niche cases of ransomware that attempt to scare the user into submission.

File System Details

Trojan.Tinba may create the following file(s):
%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\default\web.dat

Registry Details

Trojan.Tinba may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"default" = "%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe"
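
A way to check a registry export for the two entries listed above, as an added example that is not part of the original page. It parses the text of a `.reg` export, and the function names and sample export are constructed for illustration.

```python
import re

# Indicators taken from the registry entries listed above (compared lower-case).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ZONE3_KEY = (r"hkey_current_user\software\microsoft\windows\currentversion"
             r"\internet settings\zones\3")
PAYLOAD_TAIL = r"\application data\default\bin.exe"

def parse_reg_export(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: undo the export's backslash and quote escaping
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return keys

def find_tinba_indicators(text):
    """Return findings that match the registry entries listed on this page."""
    keys, findings = parse_reg_export(text), []
    run_value = keys.get(RUN_KEY, {}).get("default")
    if isinstance(run_value, str) and run_value.lower().endswith(PAYLOAD_TAIL):
        findings.append(("run-key-persistence", run_value))
    # 1609 is the "Display mixed content" URL action; Zones\3 is the Internet zone.
    if keys.get(ZONE3_KEY, {}).get("1609") == 0:
        findings.append(("zone3-1609-set-to-0", 0))
    return findings

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"default"="C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
'''
```

The Run-key match is on the value name `default` plus the path tail, because `%SystemDrive%` is expanded to a drive letter in a real export.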

