MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TinyNuke


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224
SHA3-384 hash: 3b82db163ccf2af2823540465780dd02f1d45d1ea0f4393dfe90971994707e74a454fc39b57e154a95a2c0f864346ffa
SHA1 hash: 0dcda234dd568a4080322ed10a36b5c0af8a8827
MD5 hash: c20b29f54755d2bc04e44baa800b9a7d
humanhash: cardinal-orange-beer-four
File name:d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224
Download: download sample
Signature TinyNuke
Create hunting rule
File size:599'768 bytes
First seen:2022-06-24 14:32:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2045401ad0fd7c66443a576d0a4f920d (2 x TinyNuke)
ssdeep 6144:jE2w7X7Z6T9xmIdKLlxS+Gc5jMrHl/6mAoa4GAwb7UEAFm3fAYhWDpWqI:jJw7LZ6T9gIILlx55w5mZNhAWqI
Threatray 1 similar samples on MalwareBazaar
TLSH T1FDD45BE1694608B8D871CD3870075B70C7BE6C79815CE4C66ABE363EC57BC9289378AD
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8dc9c9cdcccb2b2 (2 x TinyNuke)
Reporter Finch39487976
Tags:exe MikuBot TinyNuke

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283077/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22739/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed tinynuke virus
Link:
https://www.filescan.io/uploads/62b5cb5c7e9a4f0a86dd137d/reports/27df5dfa-1eae-4d9c-a0f7-b5499d17879b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kpot stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b12ed643-c546-46c9-a926-540bd613f621
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1019390
Signature
Encrypted powershell cmdline option found
Found C&C like URL pattern
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potentially malicious time measurement code found
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651886 Sample: X98rpH2H4B Startdate: 24/06/2022 Architecture: WINDOWS Score: 92 71 Snort IDS alert for network traffic 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: Drops script at startup location 2->75 77 2 other signatures 2->77 9 X98rpH2H4B.exe 2->9         started        12 70BA7D73FAFB2610666395.exe 2->12         started        14 70BA7D73FAFB2610666395.exe 2->14         started        process3 signatures4 79 Potentially malicious time measurement code found 9->79 16 X98rpH2H4B.exe 4 9->16         started        19 conhost.exe 9->19         started        21 70BA7D73FAFB2610666395.exe 12->21         started        process5 file6 61 C:\Users\user\...\70BA7D73FAFB2610666395.exe, PE32 16->61 dropped 63 70BA7D73FAFB261066...exe:Zone.Identifier, ASCII 16->63 dropped 23 70BA7D73FAFB2610666395.exe 3 16->23         started        28 cmd.exe 1 16->28         started        process7 dnsIp8 67 136.144.41.244, 49745, 49746, 49747 WORLDSTREAMNL Netherlands 23->67 69 192.168.2.1 unknown unknown 23->69 65 C:\Users\user\...\70BA7D73FAFB2610666395.url, data 23->65 dropped 81 Multi AV Scanner detection for dropped file 23->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 23->83 30 cmd.exe 1 23->30         started        33 cmd.exe 23->33         started        35 schtasks.exe 1 23->35         started        41 13 other processes 23->41 85 Encrypted powershell cmdline option found 28->85 37 powershell.exe 25 28->37         started        39 conhost.exe 28->39         started        file9 signatures10 process11 signatures12 87 Encrypted powershell cmdline option found 30->87 43 powershell.exe 22 30->43         started        45 conhost.exe 30->45         started        47 conhost.exe 33->47         started        49 powershell.exe 33->49         started        51 conhost.exe 35->51         started        53 conhost.exe 41->53         started        55 conhost.exe 41->55         started        57 conhost.exe 41->57         started        59 8 other processes 41->59 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-06-16 17:00:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2irbyieqbwnoxpindg7rplkbja7hiu5ndegqpnhw2w45yij5gisa._file
Verdict:
malicious
Similar samples:
9d98af7edc7ef9cc5dfc258f11b1795b3ecb74aa613cc14212102d75bbdc8c44
TinyNuke
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/220624-rwva1schck/
Behaviour
Suspicious use of UnmapMainImage
Enumerates physical storage devices
Drops startup file
UPX packed file
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Unpacked files
SH256 hash:
d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224
MD5 hash:
c20b29f54755d2bc04e44baa800b9a7d
SHA1 hash:
0dcda234dd568a4080322ed10a36b5c0af8a8827
Link:
https://www.unpac.me/results/d52891b2-2dcb-4dc5-b8f1-f0cf7469dea4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2221c20900d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d2221c20900d9aebbd0d19bf17ad41483e7453ad190d07b4f6d5b9dc213d3224

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283077/

Comments