MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1f3874c42cdd4e2c49477d7b2bc3ebd3bcd4e3a2cf882fa4d1ea09546c74f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TinyNuke


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1f3874c42cdd4e2c49477d7b2bc3ebd3bcd4e3a2cf882fa4d1ea09546c74f5d
SHA3-384 hash: af71b88856e40dd69d1017f2fa52e8e2ab7b8bd8c8f161265e8c5263e1e61c7244673d91d599b34038af7a413d7bfaf8
SHA1 hash: b8d9631cbdfe5833db70c8995b539d3f1b5985b1
MD5 hash: 2a23b69ccccebf091787fc9861697bd0
humanhash: hydrogen-louisiana-cup-william
File name:762002910000000.bin
Download: download sample
Signature TinyNuke
Create hunting rule
File size:87'552 bytes
First seen:2020-08-02 15:27:08 UTC
Last seen:2020-08-02 16:32:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cfb70df4aaf457d2844d8359a4768b5d (1 x TinyNuke)
ssdeep 768:h9pA4NBM7oYo+tYbVINEGt1xvR4QB400nbYN5E7jqaEQJURIMpJn8ksWA+QPzlUl:hioYo+5FqI4gaNIIkCWsPz+CoSwjYkh
Threatray 11 similar samples on MalwareBazaar
TLSH CF837C1336D2C4B1D9A7023218B4DB46567FFD624BB1C5977BAA128E1E702D05F3A393
Reporter vm001cn
Tags:exe TinyNuke

Intelligence

File Origin
# of uploads :
2
# of downloads :
2'068
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37193/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34269635.24988.27765.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Searching for the window
Sending an HTTP GET request
Creating a file
Creating a file in the %temp% directory
Deleting a recently created file
Result
Threat name:
Tinynuke / Nukebot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/407201
Signature
Detected Tinynuke / Nukebot malware
Drops executable to a common third party application directory
Found Tor onion address
Installs TOR (Internet Anonymizer)
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Modifies Internet Explorer zone settings
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected TinyNuke
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255831 Sample: 762002910000000.bin Startdate: 02/08/2020 Architecture: WINDOWS Score: 92 87 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->87 89 Detected Tinynuke / Nukebot malware 2->89 91 Yara detected TinyNuke 2->91 93 4 other signatures 2->93 9 762002910000000.exe 414 2->9         started        14 firefox.exe 2->14         started        process3 dnsIp4 77 198.187.30.38, 49723, 80 NAMECHEAP-NETUS United States 9->77 65 C:\msdownld.tmp\AS3E5D93.tmp\tor.exe, PE32 9->65 dropped 67 C:\msdownld.tmp\AS3E303A.tmp\firefox.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\Temp\tor.exe, PE32 9->69 dropped 71 195 other files (2 malicious) 9->71 dropped 97 Installs TOR (Internet Anonymizer) 9->97 99 Drops executable to a common third party application directory 9->99 16 firefox.exe 170 9->16         started        20 setup.exe 6 9->20         started        file5 signatures6 process7 dnsIp8 57 C:\Users\user\AppData\Roaming\...\tor.exe, PE32 16->57 dropped 59 C:\Users\user\AppData\Roaming\...\firefox.exe, PE32 16->59 dropped 61 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32 16->61 dropped 63 65 other files (none is malicious) 16->63 dropped 85 Installs TOR (Internet Anonymizer) 16->85 23 firefox.exe 16->23         started        26 tor.exe 16->26         started        73 blamziya.com 192.64.118.108 NAMECHEAP-NETUS United States 20->73 75 192.168.2.1 unknown unknown 20->75 29 netsh.exe 20->29         started        31 netsh.exe 20->31         started        33 netsh.exe 20->33         started        35 5 other processes 20->35 file9 signatures10 process11 dnsIp12 95 Modifies Internet Explorer zone settings 23->95 37 tor.exe 23->37         started        79 79.172.193.32 SZERVERNET-HU-ASHU Hungary 26->79 81 37.153.1.10 SETI-WEBARU Russian Federation 26->81 83 5 other IPs or domains 26->83 39 conhost.exe 26->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        53 2 other processes 35->53 signatures13 process14 process15 55 conhost.exe 37->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1f3874c42cdd4e2c49477d7b2bc3ebd3bcd4e3a2cf882fa4d1ea09546c74f5d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-01 09:35:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hzyotcczxkofreuo7l3fpb6xu542tr2ft4if6snd2qjkrwhj5oq._file
Verdict:
suspicious
Similar samples:
4f79aa8d648c5a999fb91196040b6b68db284ba1b892217563df71db9ae477f3
TinyNuke
4f86175e5500be87cc95ea9fcaf565970e15a86b2aa3223f8ef8d25e72cec376
TinyNuke
6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1
TinyNuke
692c58e28e0f0346adfbad2356dd8495ec8f07718ee40db171b50e8870526f96
TinyNuke
77ee7b0a10f3c0ab08c1b1f88ceb0dd979e9c2fee17ac5fd14c9ce27002f6078
TinyNuke
7d5ef8e6c5738ebc13718eee67f0b6cc354f3e28b135e4a378f69d57043299b8
TinyNuke
c5c5e59bb18bad1427714d0007b676e658d8e08faf5a0632ed88912f5816d525
TinyNuke
ccf1e6416673f50f016cfa1658e9dd29793195b9bc701fedc1218d122faeb6b2
TinyNuke
d322d619b77d7e1734dedd8f7f00c815fad6a59621ed9021be4a7866123c33a4
TinyNuke
ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33
TinyNuke
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200802-vbht9618he/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Modifies service
Modifies service
Enumerates connected drives
Checks installed software on the system
JavaScript code in executable
Enumerates connected drives
JavaScript code in executable
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e1f3874c42cdd4e2c49477d7b2bc3ebd3bcd4e3a2cf882fa4d1ea09546c74f5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/37193/

Comments