MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcec9cf5b21a86b090a26ff26c1ee97f66ee181a6736d535ea8d30a770264aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XTinyLoader


Vendor detections: 13



SHA256 hash: fcec9cf5b21a86b090a26ff26c1ee97f66ee181a6736d535ea8d30a770264aa9
SHA3-384 hash: 9eca3f391e7bbbfca9bc7234e4f531f7d3cbac574a84a3f26143b55cffd605358f6a3952a0694f36b7fa172456b509d9
SHA1 hash: 3cc34316545a83d9550bf843955ff5a771ed9add
MD5 hash: 36d0d6155c3da691e1a517348675a170
humanhash: uniform-football-eight-finch
File name: bot.exe
Download: download sample
Signature: XTinyLoader
File size: 23'040 bytes
First seen: 2025-08-14 13:18:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a99c8140b955e68a6f4e6b4c3fc8a6c6 (3 x XTinyLoader)
ssdeep: 384:nfNLj6Adba5OoeQ1FbtM5bKd92NSSsM4kTKLahx7N4EoqCm0mjtbwH1cMiP91/w/:fNL+R9MbKdM5p4kOox7N4+zJ/i
TLSH: T12FA2067E47D401FCEA9789B1C8B57613E772F1062EB2968F40B2C9928F12993DD1CB52
TrID: 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.ICL) Windows Icons Library (generic) (2059/9)
      15.4% (.EXE) OS/2 Executable (generic) (2029/13)
      15.2% (.EXE) Generic Win/DOS Executable (2002/3)
      15.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe XTinyLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
45
Origin country :
SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_fcec9cf5b21a86b090a26ff26c1ee97f66ee181a6736d535ea8d30a770264aa9.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 13:20:16 UTC
Tags:
loader xtinyloader auto-reg xor-url generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
ransomware downloader trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Creating a process from a recently created file
Sending an HTTP POST request to an infection source
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Result
Threat name:
Diamotrix Clipper, RedLine, SvcStealer
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Diamotrix Clipper
Yara detected RedLine Stealer
Yara detected SvcStealer
Behaviour
Behavior Graph: Joe Sandbox behavior graph ID 1756984 (sample: bot.exe, start date: 14/08/2025, architecture: WINDOWS, score: 100). The graph image itself is not reproduced in this text view.
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.ClipBanker
Threat name:
Win64.Trojan.Amadey
Status:
Malicious
First seen:
2025-08-14 00:23:59 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery execution persistence pyinstaller
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SHA256 hash:
fcec9cf5b21a86b090a26ff26c1ee97f66ee181a6736d535ea8d30a770264aa9
MD5 hash:
36d0d6155c3da691e1a517348675a170
SHA1 hash:
3cc34316545a83d9550bf843955ff5a771ed9add
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: XTinyLoader
File: Executable exe fcec9cf5b21a86b090a26ff26c1ee97f66ee181a6736d535ea8d30a770264aa9 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::CreateFileW, KERNEL32.dll::GetSystemDirectoryW

Comments