MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2d87dcf2c71c499f9501a672da82f086a8e14c0f45945ff5aaa8f2efb727cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XTinyLoader

Vendor detections: 14

SHA256 hash: c2d87dcf2c71c499f9501a672da82f086a8e14c0f45945ff5aaa8f2efb727cd6
SHA3-384 hash: d605b5b0eefd713aec0f97ccbb9dfdcd5efb8f236144d6c66fd887c43b91cf13442d2f0f41e4ea2ecd5ccbfcb5c6039f
SHA1 hash: cb75a156c5f85115491164e20a99232661e28dab
MD5 hash: 8eadce6a5dce52b4dcfa6c3ffb421894
humanhash: oscar-lamp-coffee-king
File name: 8eadce6a5dce52b4dcfa6c3ffb421894.exe
Signature: XTinyLoader
File size: 2'043'392 bytes
First seen: 2025-08-07 12:44:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 64e90efe1fef3d0c441e2e03b07e8768 (4 x XTinyLoader, 1 x Amadey)
ssdeep: 49152:2cm10YY1Zs+aSigppddTWKFcRGpfemx+MMJi0cFvwp:2SYisybHMK8GpfeOMJiZw
Threatray: 85 similar samples on MalwareBazaar
TLSH: T174951311B5908071DA3616730CF89FBAEA3EB9211F619ACBB3900F6D9F305D2D734A56
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe XTinyLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: SE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8eadce6a5dce52b4dcfa6c3ffb421894.exe
Verdict: Malicious activity
Analysis date: 2025-08-07 12:53:12 UTC
Tags: auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: ransomware extens nemty spawn

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating synchronization primitives
Loading a suspicious library
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Connection attempt to an infection source
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug blackhole microsoft_visual_cc obfuscated packed

Result
Threat name: GO Injector, MicroClip
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GO Injector
Yara detected MicroClip
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1752319, Sample: nSV2jKRfza.exe, Startdate: 07/08/2025, Architecture: WINDOWS, Score: 100. The graph shows the sample dropping and starting several PE32 files under C:\Users\user\AppData\Roaming\ and C:\ProgramData\, a chain of regsvr32.exe and powershell.exe processes, an injection into explorer.exe, and a connection to 176.46.157.65 on port 80.
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2025-07-18 16:34:37 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 30 of 38 (78.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery execution persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_NullSoftInst_Combo_Oct20_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Reference: https://twitter.com/malwrhunterteam/status/1313023627177193472

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                    Missing Non-Executable Memory Protection                 critical

Reviews
ID                  Capabilities                     Evidence
SHELL_API           Manipulates System Shell         SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryA
                                                     KERNEL32.dll::LoadLibraryW
                                                     KERNEL32.dll::GetStartupInfoW
                                                     KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateFileW
