Trojan Tinba Bank in spam "on Post"

One of our readers-Gregory, shared with us the next sample spam "on Post" in which cyber criminals tell their victims about the alleged failure of the shipment. We are known for similar cases of the use of certain social engineering techniques that rely on trust wakes in the victim relying on quite likely event-as in this case the postman knocked at the door, but no one found.

Similar attacks we reported for spam "DHL" and other unwanted messages "on Post", in which malicious software or szyfrowało user files, or turned out a Trojan Emotet Bank (cf. "Scam on DHL" may contain Trojan Emotet Bank). However, in this case, it is probably the first in this year's attack using the released source code for a Trojan Tinba Bank, which by the author of the spam has been modified and for the moment only is detected by some antivirus programs .

As long as we do not know on what scale comprehensive is the new spam campaign aimed not only at potential mail clients, but also in all the Poles, who every day make use of the services of the home carrier. We recommend that you remain vigilant and carefully watch the messages that do not apply to us directly.

In the letter, email by Gregory, cyber criminals indirectly spread Trojan Tinba Bank, which according to analysts malware from G Data SecurityLabs in the year 2014 was one of the most used viruses to Rob European, particularly German and Polish users. In the attached message is a hyperlink that directs you to a fake website tracking the Polish post. Here's the original spelling:

From: 364 Mail Poland [mailto: [email protected]]

Posted: Wednesday, June 24, 2015 20:08

To: the e-mail address of the victim

Subject: 392785932 Information from your order


The consignment has not been delivered to the customer on 19 June 2015, because no one has opened the courier. Click on the link in order to obtain the information are subject to more of your package on our website. Pickup possible in the nearest office after presentation of the printed information.

Print data are subject to the ce marking of your shipment (<-a link to the fake page)

Warm regards,
Mail Poland.

If this message does not apply to You, click the link, to prevent the use of this email address.

The fake page of the Polish post

The link directs the victim to the crafted, but confusingly similar (except URL) of the page belonging to the Polish post, where to check package information the victim is invited to rewrite CAPTCHA code and download the attachment. We remind you that the real page tracking Mail:

That double-zipped attachment contains a Trojan Tinba Bank, which hides itself in the form of a PDF file – in fact, it is an executable EXE file (pdf_informacja_o_dzialki. exe). The Trojan queries the domain by checking whether the user has an active connection to the Internet, if so, the browser connects to the domain (IP: in order to download additional components, the configuration settings or send stolen data.

Running the file can lead to:

  • Download retrofitting a Trojan or other malicious software,
  • Display advertising or phishing messages on the computer screen that can redirect a user to a malicious Web sites (the malicious site),
  • Resetting operating systems,
  • Disable the firewall,
  • Damage to the files responsible for the proper functioning of the Web browsers,
  • And, in particular, steal sensitive information such as logins and passwords, credit card numbers, etc.


  • MD5: f3b3e960e87e5f1169abf5036ebd4f11
  • SHA256:7b218cd4afb791a1bf462f78c7d98df038066986788adeef59336c0bf6601786

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.