MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4790fc64eab7ddba713ee50eb54146306c1ec0df52965fd536277cff6c4bcf7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XTinyLoader

Vendor detections: 14

SHA256 hash: 4790fc64eab7ddba713ee50eb54146306c1ec0df52965fd536277cff6c4bcf7d
SHA3-384 hash: f6d4a6f99a355c04b75558b3cd84b3841f2bf28720b5af82257d03ff36ca811cdd1cf6d9c080dce237afa65ace8371e7
SHA1 hash: 4fe9da257e4654a036911e255fd532ee64916473
MD5 hash: 9b2cbac329750c6023e0680f7820177d
humanhash: lake-chicken-cat-april
File name: 9b2cbac329750c6023e0680f7820177d.exe
Signature: XTinyLoader
File size: 2'907'136 bytes
First seen: 2025-08-07 12:44:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 64e90efe1fef3d0c441e2e03b07e8768 (4 x XTinyLoader, 1 x Amadey)
ssdeep: 49152:TcmNnQZFakDk6srev/Sf1DNNxqtj7UQmapTnjAfgrLN+0sSNPQt4t:TpQZ8kDk6n/SxxqBUMLjAOLA0sSBQ6
Threatray: 86 similar samples on MalwareBazaar
TLSH: T15BD501C6677D80A2D25D1B752C57FE27852EF90F162D3B8B6F07EF1E41282B075A8182
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 96a8f8f2b0e8ea96 (1 x AsyncRAT, 1 x XTinyLoader)
Reporter: abuse_ch
Tags: exe XTinyLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 42
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9b2cbac329750c6023e0680f7820177d.exe
Verdict: Malicious activity
Analysis date: 2025-08-07 12:45:13 UTC
Tags: auto-reg golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 97.4%
Tags: clipbanker nemty
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating synchronization primitives
Loading a suspicious library
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: microsoft_visual_cc obfuscated packed packed packer_detected
Result
Threat name: GO Injector, MicroClip
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GO Injector
Yara detected MicroClip
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 1752317; Sample: bqi5g69a5E.exe; Startdate: 07/08/2025; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86
Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2025-07-20 13:08:46 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 29 of 38 (76.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
4790fc64eab7ddba713ee50eb54146306c1ec0df52965fd536277cff6c4bcf7d
MD5 hash:
9b2cbac329750c6023e0680f7820177d
SHA1 hash:
4fe9da257e4654a036911e255fd532ee64916473
SHA256 hash:
70b70334ba655483c5d7a14eaea048b9a06d6f3f9b26996044df0e22d08f059b
MD5 hash:
3b6638cea23ccbea85e333a819b34430
SHA1 hash:
09b57f9c30a6fdcf8e6e5aaf0a878721853764bc
SHA256 hash:
6520e1e6aa4d5a140cee5629c4a86cc302c93d703f136a3f05ab3a5e31df2ecc
MD5 hash:
2306546844da87886d2714adda802917
SHA1 hash:
600df059575827d611f1375c2cafcbfedfcd9ff7
SHA256 hash:
91dc0dffecc4589e737c4ed79a6e7690568f7ef4c233cb4a7ba0b1dd2ef39eda
MD5 hash:
704d8d89b6b1027af01e33515a7980bb
SHA1 hash:
9db4a53b68a01ad43a2081cdc9c36ea823d62fed
Detections:
SUSP_XORed_Mozilla
SHA256 hash:
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
MD5 hash:
b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 hash:
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 hash:
4326844c1ab6cd11e1a4e2c6982fef1a2414a093718680f087b00d0bfb10676b
MD5 hash:
1fa386c140c5415da701bc036742db2f
SHA1 hash:
a5ea9a1322d682c7d68b3d552acc83d43c37f567
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX                  | Missing Non-Executable Memory Protection               | critical

Reviews
ID                | Capabilities                   | Evidence
SHELL_API         | Manipulates System Shell       | SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::TerminateProcess
                  |                                | KERNEL32.dll::LoadLibraryA
                  |                                | KERNEL32.dll::LoadLibraryW
                  |                                | KERNEL32.dll::GetStartupInfoW
                  |                                | KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API   | Can Create Files               | KERNEL32.dll::CreateFileW
