Trojan.Tinba.C
First posted on 29 September 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Tinba.C.
Explanation:
The Trojan executes the following file and injects itself into the process:
verclsid.exe
The Trojan decrypts its code inside verclsid.exe and injects itself into the following process:
explorer.exe
The Trojan injects code into the following browsers:
Internet Explorer
Firefox
Google Chrome
The Trojan will steal credentials from the browser if any of the following strings are found in the URL:
https://[ANY CHARACTERS]
[ANY CHARACTERS]microsoft.[ANY CHARACTERS]
[ANY CHARACTERS]google.[ANY CHARACTERS]
[ANY CHARACTERS]accounts.google.[ANY CHARACTERS]/ServiceLoginAuth[ANY CHARACTERS]
[ANY CHARACTERS]facebook.[ANY CHARACTERS]
[ANY CHARACTERS]facebook.[ANY CHARACTERS]/login.php[ANY CHARACTERS]
[ANY CHARACTERS]onlinechat.gmx.[ANY CHARACTERS]
[ANY CHARACTERS]service.gmx.[ANY CHARACTERS]/cgi/login[ANY CHARACTERS]
https://[ANY CHARACTERS].gateway.messenger.live.com[ANY CHARACTERS]
[ANY CHARACTERS]twitter.com[ANY CHARACTERS]
[ANY CHARACTERS]twitter.com/sessions[ANY CHARACTERS]
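The trigger list above, worked as an added example that is not code from the Symantec write-up: a small matcher that treats [ANY CHARACTERS] as a wildcard and reports which entries a given URL would fire. The page does not say whether the real hook compares case-insensitively, so literal, case-sensitive matching here is an assumption, as are the sample URLs.

```python
import re

# Trigger strings exactly as listed in the write-up; "[ANY CHARACTERS]" is the
# write-up's wildcard notation.
TRIGGER_PATTERNS = [
    "https://[ANY CHARACTERS]",
    "[ANY CHARACTERS]microsoft.[ANY CHARACTERS]",
    "[ANY CHARACTERS]google.[ANY CHARACTERS]",
    "[ANY CHARACTERS]accounts.google.[ANY CHARACTERS]/ServiceLoginAuth[ANY CHARACTERS]",
    "[ANY CHARACTERS]facebook.[ANY CHARACTERS]",
    "[ANY CHARACTERS]facebook.[ANY CHARACTERS]/login.php[ANY CHARACTERS]",
    "[ANY CHARACTERS]onlinechat.gmx.[ANY CHARACTERS]",
    "[ANY CHARACTERS]service.gmx.[ANY CHARACTERS]/cgi/login[ANY CHARACTERS]",
    "https://[ANY CHARACTERS].gateway.messenger.live.com[ANY CHARACTERS]",
    "[ANY CHARACTERS]twitter.com[ANY CHARACTERS]",
    "[ANY CHARACTERS]twitter.com/sessions[ANY CHARACTERS]",
]

WILDCARD = "[ANY CHARACTERS]"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the write-up's wildcard notation into an anchored regex.

    Every fragment between wildcards is matched literally (case-sensitive;
    the page does not state how the real hook compares).
    """
    literal_parts = pattern.split(WILDCARD)
    body = ".*".join(re.escape(part) for part in literal_parts)
    return re.compile("^" + body + "$")


COMPILED = [(p, pattern_to_regex(p)) for p in TRIGGER_PATTERNS]


def matching_triggers(url: str) -> list:
    """Return the trigger entries (in list order) that the URL satisfies."""
    return [p for p, rx in COMPILED if rx.match(url)]


def would_steal(url: str) -> bool:
    """True if at least one trigger entry matches, i.e. credentials
    submitted to this URL would be captured."""
    return bool(matching_triggers(url))


if __name__ == "__main__":
    # Constructed sample URLs, not from the write-up.
    for sample in (
        "https://example.com/",
        "http://example.com/",
        "http://www.twitter.com/sessions",
        "http://accounts.google.com/ServiceLoginAuth",
    ):
        print(sample, "->", matching_triggers(sample))
```

Note what the first entry implies: with https://[ANY CHARACTERS] in the list, every HTTPS request is harvested regardless of site, and the site-specific entries only add coverage for logins submitted over plain HTTP.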
The Trojan hooks the following APIs in Internet Explorer:
HttpSendRequestA
HttpSendRequestW
InternetCloseHandle
The Trojan hooks the following APIs in Firefox:
PR_Close
PR_Write
The Trojan hooks the following functions for Google Chrome:
Undocumented Chrome.dll functions
The Trojan disables SPDY in Firefox by adding the following strings to %UserProfile%\Application Data\Mozilla\Firefox\Profiles\[RANDOM CHARACTERS].default\user.js:
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
The Trojan uses a Domain Generation Algorithm to connect to a remote location using the following format:
[17 CHARACTERS].net
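A coarse hunt over DNS query logs for the C2 shape given above, added here as an example and not part of the write-up. The page states only the label length and TLD ([17 CHARACTERS].net); the alphanumeric character set, the log line layout and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the write-up). Assumed layout:
# "<timestamp> <client-ip> <queried-name>", one query per line.
SAMPLE_DNS_LOG = """\
2015-09-29T10:00:01Z 10.0.0.5 www.example.net
2015-09-29T10:00:02Z 10.0.0.5 qwzkrnmhtlpvbaxcs.net
2015-09-29T10:00:03Z 10.0.0.7 mail.google.com
2015-09-29T10:00:04Z 10.0.0.5 hdkqwpelzvmrtgbny.net
2015-09-29T10:00:05Z 10.0.0.5 abcdefghijklmnopq.com
2015-09-29T10:00:06Z 10.0.0.9 seventeencharacte.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
# Character set is an assumption; the write-up gives only "17 CHARACTERS".
LABEL_RE = re.compile(r"^[a-z0-9]{17}$")


def is_tinba_c_dga_shape(name: str) -> bool:
    """True when the name is a single 17-character label directly under .net,
    the C2 shape the write-up describes."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[1] == "net" and bool(LABEL_RE.match(labels[0]))


def candidate_dga_queries(log_text: str) -> list:
    """Return (client, name) pairs for every log line whose queried name
    has the DGA shape. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _timestamp, client, name = m.groups()
        if is_tinba_c_dga_shape(name):
            hits.append((client, name.lower()))
    return hits


def clients_by_hit_count(log_text: str) -> Counter:
    """Count shape hits per client; a host looping through many such names
    is a stronger signal than a single lookup."""
    return Counter(client for client, _ in candidate_dga_queries(log_text))


if __name__ == "__main__":
    for client, name in candidate_dga_queries(SAMPLE_DNS_LOG):
        print(client, name)
    print(clients_by_hit_count(SAMPLE_DNS_LOG))
```

The shape alone is a pre-filter, not a verdict: the constructed seventeencharacte.net line shows an ordinary-looking name passing it. Corroborate hits with the user.js change above and the Fobber files below, or with domains produced from the sample's own DGA.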
The Trojan may download an additional configuration file from the remote location and save it in the following location:
%UserProfile%\Application Data\Fobber\mlc.dfw
The Trojan may download updates and additional code and save it in the following location:
%UserProfile%\Application Data\Fobber\ktx.sdd
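A host-side triage for the artifacts this write-up lists (the two SPDY preferences forced into Firefox's user.js and the two files under Fobber), added as an example; it is not code from the write-up. The sample user.js body, the profile directory name and the file contents are constructed. Besides the Application Data form the page gives, it also checks AppData\Roaming, which is where that XP-era path maps on Vista and later; that second location is the example's own addition.

```python
import re
import tempfile
from pathlib import Path

# Preference names the write-up says the Trojan forces to false.
SPDY_PREFS = ("network.http.spdy.enabled", "network.http.spdy.enabled.v3")

# Artifact paths from the write-up, relative to %UserProfile%, split into
# components so the check runs on any OS.
FOBBER_ARTIFACTS = (
    ("Fobber", "mlc.dfw"),
    ("Fobber", "ktx.sdd"),
)

# "Application Data" is the write-up's path; "AppData\Roaming" is where it
# maps on Vista and later (added here, not stated on the page).
ROAMING_BASES = (("Application Data",), ("AppData", "Roaming"))

USER_PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;'
)

# Constructed sample user.js body (not an observed sample).
SAMPLE_USER_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
"""


def parse_user_js(text: str) -> dict:
    """Extract name -> raw value for every user_pref(...) line."""
    return {name: value for name, value in USER_PREF_RE.findall(text)}


def spdy_disabled_by_user_js(text: str) -> list:
    """Return the SPDY preferences this user.js body sets to false."""
    prefs = parse_user_js(text)
    return [p for p in SPDY_PREFS if prefs.get(p) == "false"]


def find_firefox_user_js(user_profile: str) -> list:
    """Locate user.js in every *.default profile under the roaming bases."""
    found = set()
    for base in ROAMING_BASES:
        profiles = Path(user_profile, *base, "Mozilla", "Firefox", "Profiles")
        if not profiles.is_dir():
            continue
        for prof in profiles.glob("*.default"):
            candidate = prof / "user.js"
            if candidate.is_file():
                found.add(candidate.resolve())
    return sorted(found)


def present_fobber_artifacts(user_profile: str) -> list:
    """Return the Fobber artifact files that exist on this profile."""
    present = set()
    for base in ROAMING_BASES:
        for rel in FOBBER_ARTIFACTS:
            p = Path(user_profile, *base, *rel)
            if p.is_file():
                present.add(p.resolve())
    return sorted(present)


def triage(user_profile: str) -> dict:
    """Combine both checks into one findings record for the profile."""
    findings = {
        "spdy_user_js": [],
        "fobber_files": [str(p) for p in present_fobber_artifacts(user_profile)],
    }
    for user_js in find_firefox_user_js(user_profile):
        hit = spdy_disabled_by_user_js(user_js.read_text(errors="replace"))
        if hit:
            findings["spdy_user_js"].append((str(user_js), hit))
    return findings


def demo() -> dict:
    """Build a constructed profile in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        prof = Path(root, "Application Data", "Mozilla", "Firefox", "Profiles", "x7k2q1ab.default")
        prof.mkdir(parents=True)
        (prof / "user.js").write_text(SAMPLE_USER_JS)
        fobber = Path(root, "Application Data", "Fobber")
        fobber.mkdir(parents=True)
        (fobber / "ktx.sdd").write_bytes(b"\x00" * 16)  # placeholder content
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Treat a user.js that only disables SPDY as a lead rather than proof: administrators and privacy tooling set the same preferences. The combination with a Fobber directory, or with the DGA-shaped .net lookups above, is what makes the finding specific.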
The Trojan sends the following information to the remote location:
Stolen credential information
Volume information
Operating System install date
Last update 29 September 2015