Introduction: Recently, security researchers found one of the smallest stealer Trojans, which targets certain financial institutions through process injection and then injects a web-inject module into browsers, specifically on net banking pages, similar to Zeus/SpyEye. The samples I have used to describe Tinba are from Contagio (thank you, Mila). Technical Details: The Tinba files are between 19 KB and 20 KB in size. The sample was not packed; however, looking at the sample in PEiD revealed the compiler
Traversing or reversing a DLL is always challenging (for beginners and intermediates). If a DLL comes with an EXE, it is the EXE's job to load the DLL into memory. But what if you get just a DLL alone to reverse? It's cool, right ;-) Here I am going to traverse a financial crimeware Trojan in the form of a DLL. Step 1: Let's look at the strings to guess what the DLL's behaviour is. Haa... don't see readable strings? Then it should be a packed file. The next step is to identify which packer. Step 2: To
Here I am going to 'traverse' a financial crimeware sample which uses a simple proxy technique. The intention of this analysis is to share my findings for beginners. But what is financial crimeware? It is malware or an exploit made to steal financial information such as bank account numbers, passwords, credit card numbers, etc., with the intention of making unauthorized transactions using the stolen information. This crimeware is packed using the UPX packer, so I did not have much challenge in unpacking it.