MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d9a813d6d97a1280a794c470dffa1b8c7bc7b3afd76a1af8d511c20d2a35984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XTinyLoader


Vendor detections: 15



SHA256 hash: 5d9a813d6d97a1280a794c470dffa1b8c7bc7b3afd76a1af8d511c20d2a35984
SHA3-384 hash: ed9b9342c408ba88bcec845f5f34f431874d29a1b09802ec96af13d0cb6f6aaa3b97ca80966c226cee657934bf53c0a5
SHA1 hash: 9a8d10bd4b428480c133221d9f91dde60121a9c8
MD5 hash: 63ca9d6b92d19f9800e5a1b36bf68470
humanhash: arizona-moon-salami-four
File name: 63ca9d6b92d19f9800e5a1b36bf68470.exe
Signature: XTinyLoader
File size: 2'043'392 bytes
First seen: 2025-08-07 12:44:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 64e90efe1fef3d0c441e2e03b07e8768 (4 x XTinyLoader, 1 x Amadey)
ssdeep: 49152:6cm10YY1Zs+aSigppddTWKFcRGpfemx+MMJi0cFvwp:6SYisybHMK8GpfeOMJiZw
Threatray: 86 similar samples on MalwareBazaar
TLSH: T189951311B5908071DA3616730CF89FBAEA3EB9211F619ACBB3900F6D9F305D2D734A56
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe XTinyLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Netflix-Email-Validator-Premium.exe
Verdict: Malicious activity
Analysis date: 2025-07-27 14:51:01 UTC
Tags: auto-reg golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: ransomware dropper nemty virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating synchronization primitives
Loading a suspicious library
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: microsoft_visual_cc obfuscated packed packer_detected redline
Gathering data
Result
Threat name: GO Injector, MicroClip
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GO Injector
Yara detected MicroClip
Behaviour
Behavior Graph (Joe Sandbox graph ID 1752318; sample Lo3JKIE5vI.exe; start date 07/08/2025; architecture WINDOWS; score 100)

Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 7 other signatures.

Process tree (dropped files, network contacts and signatures are listed under the process they belong to):

Lo3JKIE5vI.exe
  dropped: C:\Users\user\AppData\Roaming\xiucndx.exe (PE32)
  dropped: C:\Users\user\AppData\Roaming\bwovfux.exe (PE32)
  dropped: C:\Users\user\AppData\Roaming\abyxucb.exe (PE32)
  -> bwovfux.exe
       Multi AV Scanner detection for dropped file
       -> bwovfux.exe
            dropped: C:\Users\user\AppData\Local\LightBlue_2.pfx (PE32+)
            dropped: C:\Users\user\AppData\Local\...\nsw5A85.tmp (data)
            -> regsvr32.exe
                 -> regsvr32.exe
                      Found evasive API chain (may stop execution after checking mutex)
                      Suspicious powershell command line found
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      2 other signatures
                      -> powershell.exe
                           Loading BitLocker PowerShell Module
                           -> conhost.exe
                      -> powershell.exe
                           -> conhost.exe
                      -> explorer.exe (injected)
            -> regsvr32.exe
  -> abyxucb.exe
       dropped: C:\ProgramData\nvgta.exe (PE32)
       Antivirus detection for dropped file
       Found evasive API chain (may stop execution after checking mutex)
       -> nvgta.exe
            network: 176.46.157.65:80 (ESTPAKEE, Iran (Islamic Republic of))
            Antivirus detection for dropped file
            Multi AV Scanner detection for dropped file
  -> xiucndx.exe

regsvr32.exe (separate root process)
  Suspicious powershell command line found
  -> powershell.exe
       Loading BitLocker PowerShell Module
       -> conhost.exe

nvgta.exe (separate root process)

2 other processes
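The Sigma rule names listed in this vendor block and the behavior graph above describe the same two observations: regsvr32.exe spawning PowerShell, and a remote thread created from regsvr32.exe into explorer.exe. As an added example, which is not part of the MalwareBazaar entry and does not reproduce the exact logic of the named Sigma rules, the Python below approximates those two checks over constructed Sysmon-style records whose parent/child edges mirror the behavior graph. The PIDs, the full image paths of system binaries, and the two allowlists are assumptions made for the example.

```python
"""Toy process-tree checks in the spirit of the Sigma rules named in the Joe Sandbox block.

Added example, not the Sigma rules themselves and not code from MalwareBazaar.
EVENTS is constructed: the parent/child edges follow the behavior graph, while
PIDs, full paths of system binaries and the allowlists below are assumptions.
"""
import ntpath

# Sysmon numbering: id 1 = process creation, id 8 = CreateRemoteThread.
EVENTS = [
    {"id": 1, "pid": 11, "ppid": 2,  "image": r"C:\Users\user\Desktop\Lo3JKIE5vI.exe"},
    {"id": 1, "pid": 21, "ppid": 11, "image": r"C:\Users\user\AppData\Roaming\bwovfux.exe"},
    {"id": 1, "pid": 24, "ppid": 11, "image": r"C:\Users\user\AppData\Roaming\abyxucb.exe"},
    {"id": 1, "pid": 27, "ppid": 11, "image": r"C:\Users\user\AppData\Roaming\xiucndx.exe"},
    {"id": 1, "pid": 31, "ppid": 21, "image": r"C:\Users\user\AppData\Roaming\bwovfux.exe"},
    {"id": 1, "pid": 34, "ppid": 24, "image": r"C:\ProgramData\nvgta.exe"},
    {"id": 1, "pid": 40, "ppid": 31, "image": r"C:\Windows\System32\regsvr32.exe"},
    {"id": 1, "pid": 44, "ppid": 40, "image": r"C:\Windows\System32\regsvr32.exe"},
    {"id": 1, "pid": 47, "ppid": 44, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 50, "ppid": 44, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 54, "ppid": 47, "image": r"C:\Windows\System32\conhost.exe"},
    {"id": 8, "src_pid": 44, "src_image": r"C:\Windows\System32\regsvr32.exe",
     "tgt_pid": 52, "tgt_image": r"C:\Windows\explorer.exe"},
    # Benign noise (constructed) so the checks have something to ignore.
    {"id": 1, "pid": 900, "ppid": 4,   "image": r"C:\Windows\System32\services.exe"},
    {"id": 1, "pid": 901, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 8, "src_pid": 500, "src_image": r"C:\Windows\System32\csrss.exe",
     "tgt_pid": 52, "tgt_image": r"C:\Windows\explorer.exe"},
]

# Script/command interpreters that regsvr32.exe has no business launching (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Images that routinely create threads in other processes on a stock Windows host (assumed list).
COMMON_INJECTORS = {"csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "svchost.exe", "lsass.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def build_tree(events):
    """Map pid -> (ppid, image) from process-creation events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["id"] == 1}


def chain(tree, pid):
    """Ancestry of pid as image basenames, child first, stopping at an unknown parent."""
    out = []
    while pid in tree:
        ppid, image = tree[pid]
        out.append(base(image))
        pid = ppid
    return out


def regsvr32_spawning_script_host(events):
    """Approximation of 'Potentially Suspicious Child Process Of Regsvr32':
    parent image is regsvr32.exe and the child is a script host. Returns child PIDs."""
    tree = build_tree(events)
    hits = [pid for pid, (ppid, image) in tree.items()
            if ppid in tree and base(tree[ppid][1]) == "regsvr32.exe" and base(image) in SCRIPT_HOSTS]
    return sorted(hits)


def uncommon_remote_thread_sources(events):
    """Approximation of 'Rare Remote Thread Creation By Uncommon Source Image':
    CreateRemoteThread events whose source is not a usual system injector.
    Returns (source pid, target basename) pairs."""
    return [(e["src_pid"], base(e["tgt_image"])) for e in events
            if e["id"] == 8 and base(e["src_image"]) not in COMMON_INJECTORS]


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid in regsvr32_spawning_script_host(EVENTS):
        print("regsvr32 -> script host:", " <- ".join(chain(tree, pid)))
    for src, tgt in uncommon_remote_thread_sources(EVENTS):
        print(f"remote thread from pid {src} ({base(tree[src][1])}) into {tgt}")
```

The ancestry printed for each hit is what makes the alert actionable: it walks back from powershell.exe through both regsvr32.exe instances to the renamed dropper in %AppData%\Roaming and finally to the original sample, which is the path a responder needs to pull from disk.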
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Verdict: Malicious
Threat: Trojan-Banker.Win32.ClipBanker
Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2025-07-20 10:12:00 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 5d9a813d6d97a1280a794c470dffa1b8c7bc7b3afd76a1af8d511c20d2a35984 (the submitted sample itself)
MD5 hash: 63ca9d6b92d19f9800e5a1b36bf68470
SHA1 hash: 9a8d10bd4b428480c133221d9f91dde60121a9c8

SHA256 hash: 2b79dc38bfbc63d083eabad67d21c7956c84f47418767a54f39b0a315dd6bda0
MD5 hash: c32a92f0abf5b418c6be864b4f02016f
SHA1 hash: 15a336678b307e455f8abea41c8e81045856bbd2

SHA256 hash: 1629ad8a07b2ad5ecdfc452aa18aa1ffc455d7f7d898bbcd84213b4c7f6c206c
MD5 hash: 5f292bd88216308f52790afae46bb567
SHA1 hash: 1b5c7f1cb7e2cc3d7a59b6195198e782ba2ca39b
Detections: SUSP_XORed_Mozilla

SHA256 hash: 7b6d8dbf22fa857a8d2ebfc70c995b45dd7d51399103015caf22a66686b05fd7
MD5 hash: 4a56306f5ab243aef25fc73d76b83582
SHA1 hash: b7960c26d5ad79461a6294ca56d77a1f1ef5f7f7

SHA256 hash: 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
MD5 hash: b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 hash: 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256 hash: c67249e40e61119b42858961315466a324a5a42b87f9718df8772051df695f4b
MD5 hash: 09f45631f54c7b5ec5bf345cc17f7021
SHA1 hash: 516d9cec65bb94cffe2510fd54f8b5c3d5dcf353

SHA256 hash: 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash: 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash: 58d30e460609e22fa0098bc27d928b689ef9af78
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_NullSoftInst_Combo_Oct20_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Reference: https://twitter.com/malwrhunterteam/status/1313023627177193472

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses YARA's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
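The two SUSP_XORed_Mozilla rules above (which also fired on one of the unpacked files of this sample) report only that some single-byte XOR of 'Mozilla/5.0' is present; the rule description points at a CyberChef brute-force recipe to recover the key. The Python below is an added example, not code from the rule's author or from MalwareBazaar, that does the same recovery offline without trying all 255 keys: at each offset it derives the only key that could map the first byte to 'M' and verifies the remaining bytes, reporting offset and key. It also searches the UTF-16LE form of the keyword, which is what a YARA 'wide' modifier would match; whether these particular rules use 'wide' is not stated on this page and is an assumption. The buffer it scans is constructed here, not taken from the sample.

```python
"""Recover the single-byte XOR key that hides 'Mozilla/5.0' in a buffer.

Added example, not code from the YARA rule's author or from MalwareBazaar.
SAMPLE is constructed for illustration; to use this on a real file or
process dump, replace it with open(path, "rb").read().
"""

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD, wide: bool = False):
    """Return [(offset, key), ...] for every place where keyword occurs XORed with
    a single byte 0x01..0xff.

    Instead of trying all 255 keys, the candidate key at offset i is fixed by the
    first byte (key = buf[i] ^ keyword[0]) and then checked against the rest, so the
    scan is O(len(buf) * len(keyword)).  Key 0x00 is the plaintext and is skipped.
    wide=True searches the UTF-16LE encoding, as a YARA 'wide' string would.
    """
    needle = keyword.decode("ascii").encode("utf-16-le") if wide else keyword
    hits = []
    for i in range(len(buf) - len(needle) + 1):
        key = buf[i] ^ needle[0]
        if key == 0:
            continue
        if all((buf[i + j] ^ key) == needle[j] for j in range(len(needle))):
            hits.append((i, key))
    return hits


def recover(buf: bytes, offset: int, key: int, length: int) -> bytes:
    """Decode `length` bytes at `offset` with the recovered key, e.g. to read the
    full User-Agent string that follows the keyword."""
    return xor_bytes(buf[offset:offset + length], key)


# Constructed buffer: junk header bytes, a User-Agent XORed with 0x5A, padding,
# a UTF-16LE copy of the keyword XORed with 0x13, and a plaintext copy (key 0x00,
# which the scanner deliberately does not report).
UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE = (
    b"\x00MZ\x90\x00" + bytes(range(32, 64))
    + xor_bytes(UA, 0x5A)
    + b"PADDING"
    + xor_bytes(KEYWORD.decode("ascii").encode("utf-16-le"), 0x13)
    + KEYWORD
)

if __name__ == "__main__":
    for off, key in find_xored_keyword(SAMPLE):
        # len(UA) is known here only because the buffer is constructed; on a real
        # sample decode a window past the hit and read until the text turns to noise.
        print(f"ascii hit at 0x{off:x}, key 0x{key:02x}: {recover(SAMPLE, off, key, len(UA))!r}")
    for off, key in find_xored_keyword(SAMPLE, wide=True):
        print(f"wide  hit at 0x{off:x}, key 0x{key:02x}")
```

Once the key is known, decoding the bytes around the hit usually exposes more than the keyword: the rest of the User-Agent, and often the neighbouring C2 host names or URL paths that were obfuscated with the same key.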

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments