MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TinyNuke

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 28 File information Comments

SHA256 hash:	d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989
SHA3-384 hash:	c44e63f38237c6ea47cfbd528d6bb47bf29ab88a2df07b40bb3e5a4f1b02c0678f81d40e905fdd41b4ab56933eda9fc5
SHA1 hash:	9fc1c04a996c7f7bbc8aeebf8fdc8971d1aead2e
MD5 hash:	7ca2e5f229fcbfe99ae59c0ea55e95c3
humanhash:	eleven-kentucky-artist-network
File name:	file
Download:	download sample
Signature	TinyNuke Create hunting rule
File size:	32'768 bytes
First seen:	2026-01-23 17:44:23 UTC
Last seen:	2026-01-24 02:40:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	16dd26b41c61918a10215696235d9e9f (2 x TinyNuke)
ssdeep	384:a8Uv1sfdj0W0Cy471+GWxktv+DqrKMp0i5u/Gkr8iH7gUutz7jBus6QosqSwGiD1:a8CCBTMvdUzu/GkYikT5lp0SwZ/tOZg
TLSH	T172E2385F5DD0D8A9C8C346F96D0C672CDF9AAA7725D0932B8F6012A4E365266EC1C0CF
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey e3db0b exe TinyNuke

Bitsight

url: http://45.93.20.151/Bot.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://196.251.107.23/04ca1421433e0038.php	https://threatfox.abuse.ch/ioc/1736007/

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

tinynuke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-23 17:47:14 UTC

Tags:

auto-reg stealer stealc tinynuke

Link:

https://app.any.run/tasks/a79802ab-5ede-4a79-9acf-b1cc52321131

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49916/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.51879795.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6973b37dbcad3327ec080990

Tags:

trojan extens remo

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt microsoft_visual_cc nukebot packed xpack

Link:

https://www.filescan.io/uploads/6973b37c55805a763ff2fd0b/reports/cdd3bba8-c90f-4eaa-93c4-ac2d4fb189af/overview

Verdict:

Malicious

Labled as:

Dump:Generic.Tinukebot.1

Link:

https://www.hybrid-analysis.com/sample/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-23T14:55:00Z UTC

Last seen:

2026-01-24T14:40:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Zonidel.sb Trojan-PSW.Win32.Lumma.aaln HEUR:Backdoor.Win32.Agent.gen Trojan.Win32.Agent.xccfjq VHO:Trojan-PSW.Win32.Convagent.gen PDM:Trojan.Win32.Generic Trojan-Spy.Stealer.TCP.ServerRequest Trojan.Win32.Mansabo.sb Trojan-Banker.Win32.ClipBanker.sb HEUR:Trojan-Banker.Win32.TinyNuke.gen Trojan-Spy.Stealer.HTTP.C&C Trojan.Win32.RokRat.sb Backdoor.Win32.Androm Trojan-PSW.MSIL.Reline.sb Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.TinyNuke.sb Trojan.Win32.AntiAV.sb Trojan-Dropper.Win32.Dapato.sb Trojan-Banker.TinyNuke.HTTP.C&C Trojan.Win32.Shellcode.sb Trojan-PSW.MSIL.Reline.aarh Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan-PSW.Win64.StealC.sb Trojan-PSW.Lumma.HTTP.C&C Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Gatak.sb

Link:

https://opentip.kaspersky.com/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989/results?tab=lookup

Malware family:

Buer Loader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2bac431b-94ab-45d3-9a34-f1643a4976b9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/7ca2e5f229fcbfe99ae59c0ea55e95c3

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

Threat name:

Win32.Trojan.NukeBot

Status:

Malicious

First seen:

2026-01-23 17:45:47 UTC

File Type:

PE (Exe)

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2iwwbr2u5mf5cys5fdox56xuzkc7ya2bgkbr5hwolbxwyz53lgeq._file

Result

Malware family:

stealc

Score:

10/10

Tags:

family:asyncrat family:redline family:stealc botnet:crypted botnet:default botnet:loaded adware discovery execution infostealer installer persistence pyinstaller rat spyware stealer upx

Link:

https://tria.ge/reports/260123-wbd6hscw4d/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer Protected Mode Banner

Modifies Internet Explorer settings

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Detects Pyinstaller

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Async RAT payload

AsyncRat

Asyncrat family

RedLine

RedLine payload

Redline family

Stealc

Stealc family

Malware Config

C2 Extraction:

http://196.251.107.23
196.251.107.104:6606
196.251.107.104:7707
196.251.107.104:8808
196.251.107.104:1912

Unpacked files

SH256 hash:

d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

MD5 hash:

7ca2e5f229fcbfe99ae59c0ea55e95c3

SHA1 hash:

9fc1c04a996c7f7bbc8aeebf8fdc8971d1aead2e

Link:

https://www.unpac.me/results/15311dd6-4101-4f13-81ae-1c6ac7cd7cdf/

SH256 hash:

7a4481d3a196b7596a02b9078019fa60cf7bb7b605c3136186094b40e7cc2986

MD5 hash:

d4fd1b46b456d753a8442ff2be408d23

SHA1 hash:

55228c59fa94ce847bb4de854a08d59c93972861

Link:

https://www.unpac.me/results/15311dd6-4101-4f13-81ae-1c6ac7cd7cdf/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d22d60c754eb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

XBot POS

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	GenericRedLineLike Create hunting rule
Author:	Still
Description:	Matches RedLine-like stealer; may match its variants.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	MAL_packer_lb_was_detected Create hunting rule
Author:	0x0d4y
Description:	Detect the packer used by Lockbit4.0

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	RedLine_Stealer_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Detecting unpacked Redline

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Generic_Threat_c9003b7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_efdb9e81 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

Rule name:	win_redline_stealer_generic Create hunting rule
Author:	dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TinyNuke

exe d22d60c754eb0bd1625d28dd7efaf4ca85fc034132831e9ece586f6c67bb5989

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/49916/

URLhaus

https://urlhaus.abuse.ch/url/3762692/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample