MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TinyNuke


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d
SHA3-384 hash: f2d3e26e62a3582759ded72e279d9c3c30c5bf7698b5d4564eadd1033769105598d670a2d58d5a03627b1fb3547efe41
SHA1 hash: 663b82c8c881be6f58acbd454aac2f68e7f959d6
MD5 hash: b7e00e7be81fefb7c57f2e5f9ba53310
humanhash: muppet-victor-spring-illinois
File name:vnc.exe
Download: download sample
Signature TinyNuke
Create hunting rule
File size:115'200 bytes
First seen:2025-01-02 08:30:25 UTC
Last seen:2025-01-28 16:25:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash efe9c653199957170a92ef694ca6f2f1 (1 x TinyNuke)
ssdeep 3072:rtwm5FikJSWy/Z5H3/nWSWyCsu2Z8mx6tWyEJQJW8chJeE:rWmPiKSBnVu2Z8zXt4JeE
TLSH T168B37D01F1D0C8B1D175053A1CA4AAF18E7DFDB08E599F9B6B8809B60F7C1D29634EA7
TrID 46.6% (.EXE) InstallShield setup (43053/19/16)
17.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
11.4% (.EXE) Win64 Executable (generic) (10522/11/4)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter lontze7
Tags:92-255-57-155 exe TinyNuke

Intelligence

File Origin
# of uploads :
3
# of downloads :
433
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vnc.exe
Verdict:
No threats detected
Analysis date:
2025-01-02 08:57:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3da94a7-0985-4b03-9aa7-fe8c6240876c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Tinukebot-10031688-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67764ec81ada707798254430
Tags:
emotet virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd dllhost explorer lolbin microsoft_visual_cc rundll32 verclsid
Link:
https://www.filescan.io/uploads/67764ec74c768bd101b00cc9/reports/f50517b8-52fe-44a7-9208-27da9c393737/overview
Verdict:
Malicious
Labled as:
Tinukebot.1.Generic
Link:
https://www.hybrid-analysis.com/sample/4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac83e690-839d-4dc2-8527-4b8e23713640
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1583252
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d/
Threat name:
Win32.Trojan.NukeBot
Create hunting rule
Status:
Malicious
First seen:
2024-10-10 16:00:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=juvpskb7lhozrxaykksscpkqsloyglb6pf6h5zlzbd5j74jcta6q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250102-kepwmswlel/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
Win.Malware.Tinukebot-10031688-0
YARA:
n/a
Link:
https://app.threat.zone/submission/926404f3-beef-431b-91a6-d2d6172b8a3b
Unpacked files
SH256 hash:
4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d
MD5 hash:
b7e00e7be81fefb7c57f2e5f9ba53310
SHA1 hash:
663b82c8c881be6f58acbd454aac2f68e7f959d6
Detections:
win_tinynuke_g0
Create hunting rule
Link:
https://www.unpac.me/results/0bd63f76-f0ad-4273-89bd-1bd7f33ae46b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_david_CSC846
Create hunting rule
Author:David
Description:CSC-846 Golang
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TinyNuke

Executable exe 4d2af9283f59dd98dc1852a5213d5092dd832c3e797c7ee57908fa9ff122983d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3386209/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments