ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (com)

000 : 00 00 81 83 00 01 00 00 00 01 00 00 0c 6d 6d 6d .............mmm
010 : 6d 6d 6d 6d 6d 6d 6d 6d 6d 03 63 6f 6d 00 00 0f mmmmmmmmm.com...
020 : 00 01 c0 19 00 06 00 01 00 00 03 83 00 3d 01 61 .............=.a
030 : 0c 67 74 6c 64 2d 73 65 72 76 65 72 73 03 6e 65 .gtld-servers.ne
040 : 74 00 05 6e 73 74 6c 64 0c 76 65 72 69 73 69 67 t..nstld.verisig
050 : 6e 2d 67 72 73 c0 19 57 d8 82 b6 00 00 07 08 00 n-grs..W........
060 : 00 03 84 00 09 3a 80 00 01 51 80 .....:...Q.

Description:

• Tinba, or 'TinyBanker' is banking credentials stealing malware. Detailed background information can be found here:
• http://blog.anubisnetworks.com/blog/a-look-inside-tinba-botnets
• http://garage4hackers.com/entry.php?b=3086
• https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant
• https://devcentral.f5.com/d/f5-soc-tinba-malware-analysis-report?download=true

False Positive:

• YES
• This rule detects query responses for second level domain names of length 12 (mmmmmmmmmmmm.com)
• A real detection would appear random.
• This is a good IOC, but prone to false positives.

Action:

• None