MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TinyNuke


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4
SHA3-384 hash: d68f49dec5a23d2345ce4ebbd0cc776358c5a2bfbaaaed7397a0b8db03de27ed0e3d01be958aea40bd96a968eecbdf73
SHA1 hash: fd21888af91e7b4207c2ecfe45292e057219621a
MD5 hash: a6b4918f763f99f90f595c201f50239f
humanhash: tennessee-purple-earth-king
File name:a6b4918f763f99f90f595c201f50239f.exe
Download: download sample
Signature TinyNuke
Create hunting rule
File size:587'264 bytes
First seen:2025-02-07 16:29:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5550c38a1ba1bf89267abad76b56796 (4 x TinyNuke)
ssdeep 12288:jtuH9x+LgvHIh+bOH1JcyDIDPc5VQHzPgjc7yYzUa4y:jto9x+LgvHI+OHPcykU0zoIdL
TLSH T13FC4D00A77A40CB5E97BA13DC9938A0BC7B1785643A0E3CF236846DA5F237E1553E312
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe TinyNuke

Intelligence

File Origin
# of uploads :
1
# of downloads :
471
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Tinukebot-10040717-0
Create hunting rule

Win.Malware.Ulise-10040718-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a63648ab8a2d1c6bcd900e
Tags:
infosteal emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gapz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9481bda5-d62d-468d-a35c-f8a7bf2e9755
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1609540
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1609540 Sample: DNBxENfoR7.exe Startdate: 07/02/2025 Architecture: WINDOWS Score: 100 75 diamotrix.online 2->75 97 Suricata IDS alerts for network traffic 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Antivirus detection for URL or domain 2->101 103 8 other signatures 2->103 10 DNBxENfoR7.exe 2 1 2->10         started        signatures3 process4 file5 57 C:\ProgramData\ebecabcdbbbdc.exe, PE32+ 10->57 dropped 117 Found evasive API chain (may stop execution after checking mutex) 10->117 119 Contains functionality to inject threads in other processes 10->119 121 Injects code into the Windows Explorer (explorer.exe) 10->121 123 4 other signatures 10->123 14 explorer.exe 52 13 10->14 injected signatures6 process7 dnsIp8 77 diamotrix.online 176.113.115.149, 49751, 80 SELECTELRU Russian Federation 14->77 79 185.81.68.156, 49699, 49742, 49757 KLNOPT-ASFI Finland 14->79 69 C:\Users\user\AppData\Local\...\9D79.tmp.exe, PE32+ 14->69 dropped 71 C:\Users\user\AppData\Local\...\77C8.tmp.exe, PE32+ 14->71 dropped 73 C:\Users\user\AppData\Local\...\zx[1].exe, PE32+ 14->73 dropped 81 System process connects to network (likely due to code injection or exploit) 14->81 83 Benign windows process drops PE files 14->83 85 Creates autostart registry keys with suspicious names 14->85 87 4 other signatures 14->87 19 77C8.tmp.exe 73 14->19         started        23 9D79.tmp.exe 52 14->23         started        25 ebecabcdbbbdc.exe 14->25         started        27 4 other processes 14->27 file9 signatures10 process11 file12 41 C:\Users\user\AppData\...\temp_20049.exe, PE32+ 19->41 dropped 43 C:\Users\user\AppData\...\temp_20045.exe, PE32 19->43 dropped 45 C:\Users\user\AppData\...\temp_20029.exe, PE32+ 19->45 dropped 53 3 other malicious files 19->53 dropped 105 Multi AV Scanner detection for dropped file 19->105 107 Machine Learning detection for dropped file 19->107 109 Tries to harvest and steal browser information (history, passwords, etc) 19->109 111 Tries to steal Crypto Currency Wallets 19->111 29 temp_20029.exe 52 19->29         started        32 temp_20045.exe 1 2 19->32         started        35 temp_20049.exe 19->35         started        47 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 23->47 dropped 49 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 23->49 dropped 51 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 23->51 dropped 55 47 other malicious files 23->55 dropped 37 9D79.tmp.exe 23->37         started        113 Found evasive API chain (may stop execution after checking mutex) 25->113 115 Contains functionality to inject threads in other processes 25->115 signatures13 process14 file15 59 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 29->59 dropped 61 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 29->61 dropped 63 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 29->63 dropped 67 47 other malicious files 29->67 dropped 39 temp_20029.exe 29->39         started        65 C:\ProgramData\Winsrv\winsvc.exe, PE32 32->65 dropped 89 Found evasive API chain (may stop execution after checking mutex) 32->89 91 Found API chain indicative of debugger detection 32->91 93 Creates multiple autostart registry keys 32->93 95 Contains functionality to inject threads in other processes 35->95 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4/
Threat name:
Win64.Trojan.NukeBot
Create hunting rule
Status:
Malicious
First seen:
2025-02-07 16:30:15 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqa34dmlnayh4ayrdbstvbqhmcccoe6ks5r6yvifbvq2fwbz7ssa._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250207-tzyhysymcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Verdict:
Malicious
Tags:
Win.Malware.Tinukebot-10040717-0
YARA:
n/a
Link:
https://app.threat.zone/submission/0b6b5620-1085-40f3-98f8-e5018469ede5
Unpacked files
SH256 hash:
c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4
MD5 hash:
a6b4918f763f99f90f595c201f50239f
SHA1 hash:
fd21888af91e7b4207c2ecfe45292e057219621a
Detections:
win_tinynuke_g0
Create hunting rule
Link:
https://www.unpac.me/results/f385f563-a43d-454f-bd5e-795d72349556/
SH256 hash:
7257c49b8c08814adbbce0d7c0d38ad00507bca0d2e7fa9cfd1a3bd8746ff9f0
MD5 hash:
91e7fb796d38fa7a8c66f8c64d2af2d6
SHA1 hash:
92d4b5084c13a44ba519474e46aab47069dd250f
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/f385f563-a43d-454f-bd5e-795d72349556/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c401be0d8b68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TinyNuke

Executable exe c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3431114/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIntdll.dll::NtQueryInformationProcess
ntdll.dll::NtQueryInformationThread
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetTempFileNameA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExW
ADVAPI32.dll::RegSetValueExA

Comments