MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TinyNuke


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9
SHA3-384 hash: efeae361458b4102b12aa263af6769d380b5cfa81c2d1be67a6f09ecd6a8d941d1b3a35273a5648c569e76e4f2dce43e
SHA1 hash: 855a907990a376652c98a9e84816a3100ddf4211
MD5 hash: f6d564f25159e650d1a16192e4c56227
humanhash: quebec-summer-seventeen-spaghetti
File name:fdeedcaaefbedfbc.exe
Download: download sample
Signature TinyNuke
Create hunting rule
File size:1'046'016 bytes
First seen:2025-05-29 20:12:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e338e39a117f8a9425b65baf838376c2 (1 x TinyNuke)
ssdeep 24576:Rl9CBQco2QUFjHAkkUyq/j9dfF2biBozrYkxy3mVhiEYp:R/q/j9viiKzkMA2Yp
TLSH T14325CF07315010AAF65A7237C45699B6D1BEF87943A246DFB320D6FA0F1B3C24F35A62
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:exe SVCStealer TinyNuke


Avatar
iamaachum
SVCStealer C2:
176.113.115.149
185.81.68.156

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fdeedcaaefbedfbc.exe
Verdict:
Malicious activity
Analysis date:
2025-05-03 16:57:34 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/604c75a2-1504-4027-b312-477ad0ccb1c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6239/
Detection(s):
Win.Downloader.Marte-10040026-0
Create hunting rule

Win.Malware.Ulise-10040718-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.170.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68164ae08474cc94a4e36775
Tags:
ransomware obfuscated dropper emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit explorer fingerprint lolbin obfuscated packed packed packer_detected powerloader verclsid xor-pe
Link:
https://www.filescan.io/uploads/6838bfb8171e01f95930fa7a/reports/b6de6e6d-2148-407b-bbf9-cf7601974553/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9
Malware family:
Gapz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27bf5a5d-9fcd-40f7-9e95-2cdea25c8781
Result
Threat name:
MicroClip, RedLine, SvcStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1701802
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to send encrypted data to the internet
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected generic credential text file
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Yara detected SvcStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1701802 Sample: fdeedcaaefbedfbc.exe Startdate: 29/05/2025 Architecture: WINDOWS Score: 100 45 diamotrix.world 2->45 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 9 other signatures 2->59 9 fdeedcaaefbedfbc.exe 2 1 2->9         started        signatures3 process4 file5 35 C:\ProgramData\ebecabcdbbbdc.exe, PE32+ 9->35 dropped 81 Found evasive API chain (may stop execution after checking mutex) 9->81 83 Contains functionality to inject threads in other processes 9->83 85 Injects code into the Windows Explorer (explorer.exe) 9->85 87 4 other signatures 9->87 13 explorer.exe 57 21 9->13 injected signatures6 process7 dnsIp8 47 92.255.57.100, 80 TELSPRU Russian Federation 13->47 49 92.255.57.102, 80 TELSPRU Russian Federation 13->49 51 3 other IPs or domains 13->51 37 C:\Users\user\AppData\Local\...\D465.tmp.exe, PE32+ 13->37 dropped 39 C:\Users\user\AppData\Local\...\8B77.tmp.exe, PE32+ 13->39 dropped 41 C:\Users\user\AppData\Local\...\7B8B.tmp.exe, PE32+ 13->41 dropped 43 2 other malicious files 13->43 dropped 91 System process connects to network (likely due to code injection or exploit) 13->91 93 Benign windows process drops PE files 13->93 95 Creates autostart registry keys with suspicious names 13->95 97 2 other signatures 13->97 18 7B8B.tmp.exe 85 13->18         started        22 5D1E.tmp.exe 10 4 13->22         started        24 D465.tmp.exe 13->24         started        26 6 other processes 13->26 file9 signatures10 process11 file12 31 C:\ProgramData\...\System_Info.txt, data 18->31 dropped 61 Multi AV Scanner detection for dropped file 18->61 63 Found API chain indicative of debugger detection 18->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->65 79 5 other signatures 18->79 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->67 69 Found many strings related to Crypto-Wallets (likely being stolen) 22->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->71 33 C:\Users\user\AppData\...\sysmrdrv.exe, PE32+ 24->33 dropped 73 Creates multiple autostart registry keys 24->73 28 sysmrdrv.exe 24->28         started        75 Found evasive API chain (may stop execution after checking mutex) 26->75 77 Contains functionality to inject threads in other processes 26->77 signatures13 process14 signatures15 89 Multi AV Scanner detection for dropped file 28->89
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9/
Threat name:
Win64.Trojan.PowerLoader
Create hunting rule
Status:
Malicious
First seen:
2025-05-03 16:57:06 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2b7lqgcmhn5k27qbwu5vdpglalyrm6cnnygcv2c4vztvdbqjpeq._file
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:svcstealer discovery downloader persistence spyware stealer
Link:
https://tria.ge/reports/250529-yy1zxacp3s/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Detects SvcStealer Payload
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
176.113.115.149
185.81.68.156
Verdict:
Malicious
Tags:
Win.Downloader.Marte-10040026-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ad30b9d8-4500-447b-9334-56f2a77a6a4d
Unpacked files
SH256 hash:
ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9
MD5 hash:
f6d564f25159e650d1a16192e4c56227
SHA1 hash:
855a907990a376652c98a9e84816a3100ddf4211
Detections:
win_tinynuke_g0
Create hunting rule
Link:
https://www.unpac.me/results/eeb2d3ad-a7ba-4748-94c9-945c612f87a9/
SH256 hash:
1c271317ee5296cd87c8063ee8cc3bd1be02dc52542e651abc34b3fdfb4d9b39
MD5 hash:
225964f82c20a902ad7d3cf7e7188c6c
SHA1 hash:
80059695826fb2930705db004c5c16f99dee7af8
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/eeb2d3ad-a7ba-4748-94c9-945c612f87a9/
Parent samples :
60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a
ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TinyNuke

Executable exe ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9

(this sample)

  
Link
https://tria.ge/250503-vf811sgk8x
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6239/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIntdll.dll::NtQueryInformationProcess
ntdll.dll::NtQueryInformationThread
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetTempFileNameA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExW
ADVAPI32.dll::RegSetValueExA

Comments