MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed86fd8c901282c02a5075911f24cbb2983a907cd0e5068cc3ae6d3ed2f78d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XTinyLoader


Vendor detections: 12



SHA256 hash: ed86fd8c901282c02a5075911f24cbb2983a907cd0e5068cc3ae6d3ed2f78d9b
SHA3-384 hash: c912a46bcf71b5f67904a4efd00f14bdd8c07cce9014b6e7350d30c3535fc74793a60a581afc69ada24a7aa68e1b5ba3
SHA1 hash: 33100fc917f75fcb05c9a1d8f951ec7769d84003
MD5 hash: 7a2e26326e31dc7350e4f41c4b9bc26f
humanhash: ten-tennis-washington-august
File name: 7a2e26326e31dc7350e4f41c4b9bc26f.exe
Signature: XTinyLoader
File size: 16'896 bytes
First seen: 2025-07-31 12:49:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d21c4bba2e4623145b475c957df80f42 (19 x XTinyLoader, 1 x RedLineStealer, 1 x PythonStealer)
ssdeep: 384:iUk8UjsZY5GxE5Iu2bPQUd1sRwH324IMR8:ihee5GxEKbPQUdmU2w
TLSH: T18872F946BC5AD13ECC445CF52E7272B6F7EF9286DD628097EC009908A934E994F3818F
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe XTinyLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 27
Origin country: SE

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
Verdict: Malicious activity
Analysis date: 2025-07-31 12:21:34 UTC
Tags: stealer metastealer redline loader python

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.1%
Tags: ransomware small hype

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Creating a process from a recently created file
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: Diamotrix Clipper, RedLine
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Diamotrix Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 1747827
Sample: yBpIgrdjOl.exe
Startdate: 31/07/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (dropped files, network connections and per-process signatures as shown in the graph):
yBpIgrdjOl.exe (started)
  dropped: C:\ProgramData\bwncg.exe (PE32); C:\ProgramData\bwncg.exe:Zone.Identifier (ASCII)
  signatures: Found evasive API chain (may stop execution after checking mutex); Creates multiple autostart registry keys
  bwncg.exe (started)
    network: 176.46.152.46 (ports 1911, 49691, 49693; ESTPAKEE, Iran (ISLAMIC Republic Of)); 176.46.152.47 (ports 49692, 49694, 80; ESTPAKEE, Iran (ISLAMIC Republic Of))
    dropped: C:\ProgramData\pdrvc.exe (PE32+); C:\ProgramData\huvlu.exe (PE32+); C:\ProgramData\cikfu.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    pdrvc.exe (started)
      dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 47 other malicious files
      pdrvc.exe (started)
    huvlu.exe (started)
      dropped: C:\ProgramData\systemdrv.exe (PE32+)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 2 other signatures
      systemdrv.exe (started)
        network: 77.90.153.62 (ports 49699, 80; RAPIDNET-DEHaunstetterStr19DE, Germany)
        dropped: C:\ProgramData\dll_2B7DDEA9.dll (PE32+)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
        explorer.exe (injected)
          signatures: Found API chain indicative of debugger detection; Checks if browser processes are running; Contains functionality to compare user and computer (likely to detect sandboxes)
          systemdrv.exe (started)
          bwncg.exe (started)
          systemdrv.exe (started)
    cikfu.exe (started)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
bwncg.exe (started)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2025-07-31 14:53:02 UTC
File Type: PE (Exe)
AV detection: 27 of 37 (72.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Unpacked files
SHA256 hash: ed86fd8c901282c02a5075911f24cbb2983a907cd0e5068cc3ae6d3ed2f78d9b
MD5 hash: 7a2e26326e31dc7350e4f41c4b9bc26f
SHA1 hash: 33100fc917f75fcb05c9a1d8f951ec7769d84003
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: XTinyLoader
File: Executable exe ed86fd8c901282c02a5075911f24cbb2983a907cd0e5068cc3ae6d3ed2f78d9b (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetCommandLineW
