MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f95ac617c436b748175dc09856e835ce7911ae9ad904b36237756e366bf727f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TinyNuke

Vendor detections: 14
SHA256 hash: 4f95ac617c436b748175dc09856e835ce7911ae9ad904b36237756e366bf727f
SHA3-384 hash: 722c5197f2d784ae46f490edf848f50c54374d361d70df899c9d4fceba5afae68cb0a43d3057327b9a9c8a60682c5379
SHA1 hash: 9a6423c3c2b64ef5b4756fe5d9f648460d9ec1a4
MD5 hash: 80363cf53ed46bafdd5267122cecc241
humanhash: earth-beryllium-sierra-double
File name: USDT Flash Software.exe
Signature: TinyNuke
File size: 4'000'000 bytes
First seen: 2025-05-11 17:41:19 UTC
Last seen: 2025-05-11 17:44:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 223f8057932cb61043b0989210626737 (6 x Amadey, 4 x SVCStealer, 4 x RedLineStealer)
ssdeep: 49152:zQ4DcuRj9vi284GNM6VQBl8bzdAYvVIIRLFERCRmjhFE/g8FSp:loojh84GNRVA+HVSccwBF8
TLSH: T1AB06AE0672A404F9F56BD17AC9428656E7B2B8150370D7CF53A087AA2F23BE15F3E721
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: xVantl
Tags: exe stealer TinyNuke

Intelligence


File Origin
# of uploads: 2
# of downloads: 723
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: USDTFlashSoftware.exe
Verdict: Malicious activity
Analysis date: 2025-05-11 17:39:13 UTC
Tags: stealer auto-reg svcstealer crypto-regex python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: infosteal emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
Launching a process
Searching for synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm evasive explorer fingerprint hacktool lolbin microsoft_visual_cc msiexec obfuscated overlay packed stealer xor-pe
Result
Threat name: MicroClip
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected generic credential text file
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected MicroClip
Behaviour
Behavior Graph (ID 1687287; sample: USDT Flash Software.exe; start date: 11/05/2025; architecture: WINDOWS; score: 100), shown as a process tree:

Start
  DNS: diamotrix.world
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures
  USDT Flash Software.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\xcxcx.exe (PE32+); C:\Users\user\AppData\Roaming\vcvcv.exe (PE32+); C:\Users\user\AppData\Roaming\dfetrrd.exe (PE32+); C:\Users\user\AppData\Roaming\dfddcv.exe (PE32+)
    xcxcx.exe (started)
      Dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
      Signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject threads in other processes; 5 other signatures
      explorer.exe (injected)
        Signatures: System process connects to network (likely due to code injection or exploit); Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 2 other signatures
        29B66A378F333886582548.exe (started)
          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Found direct / indirect Syscall (likely to bypass EDR)
          msiexec.exe (started)
            Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        29B66A378F333886582548.exe (started, second instance)
          Signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique; Injects a PE file into a foreign processes
          msiexec.exe (started)
        ebecabcdbbbdc.exe (started)
        ebecabcdbbbdc.exe (started, second instance)
    dfetrrd.exe (started)
      Dropped: C:\Users\user\...\29B66A378F333886582548.exe (PE32+)
      Signatures: Found API chain indicative of debugger detection; Creates multiple autostart registry keys; Contains functionality to inject code into remote processes; 4 other signatures
      msiexec.exe (started)
        Network: 213.226.113.53 (ports 49692, 49695, 49696; PINDC-ASRU, Russian Federation); 213.226.113.54 (ports 49693, 49697, 49705; PINDC-ASRU, Russian Federation); diamotrix.world 185.156.72.8, port 80 (ITDELUXE-ASRU, Russian Federation)
        Signatures: Changes the view of files in windows explorer (hidden files and folders)
    dfddcv.exe (started)
      Dropped: C:\ProgramData\...\System_info.txt (ASCII)
      Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; Detected generic credential text file
    vcvcv.exe (started)
Threat name: Win64.Ransomware.RedLine
Status: Malicious
First seen: 2025-05-10 14:39:46 UTC
File Type: PE+ (Exe)
Extracted files: 10
AV detection: 29 of 37 (78.38%)
Threat level: 5/5
Result
Malware family: svcstealer
Score: 10/10
Tags: family:svcstealer discovery downloader persistence pyinstaller spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects SvcStealer Payload
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction: 176.113.115.149, 185.81.68.156

Unpacked files
SHA256 hash: 4f95ac617c436b748175dc09856e835ce7911ae9ad904b36237756e366bf727f
MD5 hash: 80363cf53ed46bafdd5267122cecc241
SHA1 hash: 9a6423c3c2b64ef5b4756fe5d9f648460d9ec1a4
Detections: win_tinynuke_g0

SHA256 hash: aa672f641e08865278dbdc3f08adc4374b49b2166f38d85bcd703e5a2a159ce6
MD5 hash: 8f01d0d388b259f474f87f58f7fe3c35
SHA1 hash: 30c8c8bf2d78dd5df3c0ebf7e2b27299760d298f
Detections: win_tinynuke_g0 ReflectiveLoader INDICATOR_SUSPICIOUS_ReflectiveLoader INDICATOR_SUSPICIOUS_References_SecTools

SHA256 hash: 45a8a2c609604b0e2ee743d63b4b54b00bfb571fe600b0bae88791618d427963
MD5 hash: 569b40679272b41828b04ebea134496c
SHA1 hash: 9f37d7e2b91b5558bc82a6dd5c0eefe28e167700
Detections: ReflectiveLoader INDICATOR_SUSPICIOUS_ReflectiveLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools

Rule name: INDICATOR_SUSPICIOUS_ReflectiveLoader
Author: ditekSHen
Description: Detects Reflective DLL injection artifacts

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: svc_stealer
Author: Nikolaos 'n0t' Totosis
Description: SVC Stealer Payload

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
TinyNuke: Executable exe 4f95ac617c436b748175dc09856e835ce7911ae9ad904b36237756e366bf727f (this sample)
Dropping: svcstealer
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_AUTHENTICODE; Title: Missing Authenticode; Severity: high
ID: CHECK_DLL_CHARACTERISTICS; Title: Missing dll Security Characteristics (GUARD_CF); Severity: high

Reviews
ID: SHELL_API; Capabilities: Manipulates System Shell; Evidence: SHELL32.dll::ShellExecuteW
ID: WIN32_PROCESS_API; Capabilities: Can Create Process and Threads; Evidence: KERNEL32.dll::CloseHandle
ID: WIN_BASE_API; Capabilities: Uses Win Base API; Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
ID: WIN_BASE_EXEC_API; Capabilities: Can Execute other programs; Evidence: KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode
ID: WIN_BASE_IO_API; Capabilities: Can Create Files; Evidence: KERNEL32.dll::CreateFileW