MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
SHA3-384 hash: f0591e79a184fc6f1601d5b3ccfdfa58a711fb7162b1626cc230e04975ac4e90a5fa89a82edec4db84a1661a055ed94c
SHA1 hash: ebd346f79e25eecdb7d7bd6ce1380b5081307239
MD5 hash: c3f7833a682befd9001ab30d6de7d134
humanhash: london-crazy-early-bluebird
File name:001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3.exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:4'227'775 bytes
First seen:2025-07-10 11:50:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc758c921c6e0fda5a933c5b8a3c02e9 (2 x LummaStealer, 1 x RaspberryRobin, 1 x AsyncRAT)
ssdeep 98304:eh551Kmk/IlltcP5O6Q1USMFMlxDUEc1LcfDfaS:eh551K+/cBeRcuaS
Threatray 14 similar samples on MalwareBazaar
TLSH T198162349E3E819F8E4A3C935C8A60A57F6317C521731539F67A442AB6F133E1CA3E712
TrID 87.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
5.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.EXE) Win64 Executable (generic) (10522/11/4)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter aachum
Tags:exe HIjackLoader IDATLoader Tofsee


Avatar
iamaachum
Tofsee C2:
vanaheim.cn
jotunheim.name

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
CZ CZ
Vendor Threat Intelligence
Malware family:
tofsee
Create hunting rule
ID:
1
File name:
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3.exe
Verdict:
Malicious activity
Analysis date:
2025-07-09 00:02:04 UTC
Tags:
tofsee advancedinstaller
Link:
https://app.any.run/tasks/a2f198ac-b4e6-4409-b80a-39a0f9416d59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13784/
Detection(s):
SecuriteInfo.com.FileRepMalware.16692.2934.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686db17b900df8e7f868baaa
Tags:
autorun dropper virus overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file
Unauthorized injection to a recently created process
Launching a process
Launching a service
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/43e3f570-e376-4562-82e9-a54367e1dcac
Result
Threat name:
HijackLoader, Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1732751
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1732751 Sample: XFNVA2slEs.exe Startdate: 10/07/2025 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for dropped file 2->80 82 5 other signatures 2->82 10 XFNVA2slEs.exe 15 2->10         started        13 msn.exe 1 2->13         started        16 msn.exe 1 2->16         started        process3 file4 68 C:\Users\user\AppData\Local\...\msvcr80.dll, PE32 10->68 dropped 70 C:\Users\user\AppData\Local\...\msncore.dll, PE32 10->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\msn.exe, PE32 10->72 dropped 74 2 other malicious files 10->74 dropped 18 msn.exe 8 10->18         started        102 Maps a DLL or memory area into another process 13->102 104 Found direct / indirect Syscall (likely to bypass EDR) 13->104 22 cmd.exe 2 13->22         started        24 cmd.exe 2 16->24         started        signatures5 process6 file7 52 C:\Users\user\AppData\Roaming\...\msvcr80.dll, PE32 18->52 dropped 54 C:\Users\user\AppData\Roaming\...\msncore.dll, PE32 18->54 dropped 56 C:\Users\user\AppData\Roaming\...\msn.exe, PE32 18->56 dropped 62 2 other malicious files 18->62 dropped 84 Switches to a custom stack to bypass stack traces 18->84 26 msn.exe 1 18->26         started        58 C:\Users\user\AppData\Local\Temp\lptovt, PE32 22->58 dropped 29 cgmon_v2.exe 22->29         started        31 conhost.exe 22->31         started        60 C:\Users\user\AppData\...\mvfhihixbrrinr, PE32 24->60 dropped 86 Writes to foreign memory regions 24->86 88 Maps a DLL or memory area into another process 24->88 33 cgmon_v2.exe 24->33         started        35 conhost.exe 24->35         started        signatures8 process9 signatures10 96 Maps a DLL or memory area into another process 26->96 98 Switches to a custom stack to bypass stack traces 26->98 100 Found direct / indirect Syscall (likely to bypass EDR) 26->100 37 cmd.exe 4 26->37         started        41 WerFault.exe 16 29->41         started        43 WerFault.exe 21 33->43         started        process11 file12 64 C:\Users\user\AppData\Local\...\wtrxdgkuaahdj, PE32 37->64 dropped 66 C:\Users\user\AppData\Local\...\cgmon_v2.exe, PE32 37->66 dropped 90 Writes to foreign memory regions 37->90 92 Found hidden mapped module (file has been removed from disk) 37->92 94 Switches to a custom stack to bypass stack traces 37->94 45 cgmon_v2.exe 37->45         started        48 conhost.exe 37->48         started        signatures13 process14 signatures15 106 Switches to a custom stack to bypass stack traces 45->106 108 Found direct / indirect Syscall (likely to bypass EDR) 45->108 50 WerFault.exe 19 16 45->50         started        process16
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/c3f7833a682befd9001ab30d6de7d134
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3/
Threat name:
Win64.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-01-10 02:51:37 UTC
File Type:
PE+ (Exe)
Extracted files:
61
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aapnfc5rs62ktlq5ce674rgt3mqvdddbbmmcfgsjww553csz6orq._file
Verdict:
malicious
Label(s):
tofsee
Create hunting rule
Similar samples:
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
Tofsee
2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
Tofsee
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
Tofsee
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
Tofsee
error
Tofsee
+ 4 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:tofsee defense_evasion discovery loader trojan
Link:
https://tria.ge/reports/250710-nztl4sfn61/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Tofsee
Tofsee family
Malware Config
C2 Extraction:
vanaheim.cn
jotunheim.name
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6b34dd6a-6842-473f-b3cf-4c3a1c8a6971
Unpacked files
SH256 hash:
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
MD5 hash:
c3f7833a682befd9001ab30d6de7d134
SHA1 hash:
ebd346f79e25eecdb7d7bd6ce1380b5081307239
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
SH256 hash:
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd
MD5 hash:
54ee6a204238313dc6aca21c7e036c17
SHA1 hash:
531fd1c18e2e4984c72334eb56af78a1048da6c7
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
SH256 hash:
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575
MD5 hash:
ef66829b99bbfc465b05dc7411b0dcfa
SHA1 hash:
c6f6275f92053b4b9fa8f2738ed3e84f45261503
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
SH256 hash:
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
MD5 hash:
537915708fe4e81e18e99d5104b353ed
SHA1 hash:
128ddb7096e5b748c72dc13f55b593d8d20aa3fb
Detections:
win_isfb_a5
Create hunting rule
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
Parent samples :
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
SH256 hash:
cad91db77a9398695fdbf2fca9b67dc8032de5ba712b17a029c928b60b13a805
MD5 hash:
fe4af613cc77f1fc3b2120da1ce21f51
SHA1 hash:
8d4ea750b30b75e57ab2859369b9ac6dab2e8412
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
SH256 hash:
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
MD5 hash:
43143abb001d4211fab627c136124a44
SHA1 hash:
edb99760ae04bfe68aaacf34eb0287a3c10ec885
Link:
https://www.unpac.me/results/91b2baf7-d59a-4176-9dfb-8504827ac159/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tofsee

Executable exe 001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3

(this sample)

DLL dll cad91db77a9398695fdbf2fca9b67dc8032de5ba712b17a029c928b60b13a805

  
Link
https://tria.ge/250709-abfhpa1nv8
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/13784/
  
Dropping
SHA256 cad91db77a9398695fdbf2fca9b67dc8032de5ba712b17a029c928b60b13a805
  
Dropping
MD5 fe4af613cc77f1fc3b2120da1ce21f51

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments