MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Tofsee
Vendor detections: 16
| SHA256 hash: | 0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26 |
|---|---|
| SHA3-384 hash: | 6832bca89a56158860bb9c9d17ca1cde80c8edfb10ac0871268a09a9f4842bb4d081d597409bd5996173e6f7b765d6e9 |
| SHA1 hash: | 6836aa4bd01e4f303809573cd18ce4413ae1409c |
| MD5 hash: | d336c845a72545aaa9757225350301ab |
| humanhash: | april-hamper-batman-double |
| File name: | 0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe |
| Signature | Tofsee |
| File size: | 4'860'372 bytes |
| First seen: | 2022-10-26 00:00:53 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 98304:JD2A81+n4kOkU7XN59PjXSEtnb03Q9VjZpRBozYBRqq2Y:JKv1+n4aUzFOEtwg9p1WY |
| TLSH | T15F26333C27E59E9DD1C50B76CC41C76AEAA2F03E5094C22992D42B24F9A58D2DC1F3F6 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): | |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter | |
| Tags: | exe Tofsee |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 193.106.191.19:47242 | https://threatfox.abuse.ch/ioc/948768/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 274 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Malware family: | raccoon |
|---|---|
| ID: | 1 |
| File name: | 0CC82EBA0F92824807ACFEC362E96C2933CB894E9A220.exe |
| Verdict: | Malicious activity |
| Analysis date: | 2022-10-26 00:04:35 UTC |
| Tags: | evasion raccoon trojan redline opendir socelars stealer rat vidar loader ficker miner |
| Note: | ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample |
| Detection: | onlyLogger Loader |
Result
| Verdict: | Malware |
|---|---|
| Maliciousness: | |
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Result
| Malware family: | n/a |
|---|---|
| Score: | 5/10 |
| Tags: | n/a |
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
| Malware family: | Socelars |
|---|---|
| Verdict: | Malicious |
Result
| Threat name: | Nymaim, Raccoon, RedLine, Socelars, only |
|---|---|
| Detection: | malicious |
| Classification: | spre.troj.spyw.expl.evad |
| Score: | 100 / 100 |
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copy itself to suspicious location via type command
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
| Threat name: | Win32.Trojan.Privateloader |
|---|---|
| Status: | Suspicious |
| First seen: | 2021-10-19 22:48:50 UTC |
| File Type: | PE (Exe) |
| Extracted files: | 453 |
| AV detection: | 22 of 26 (84.62%) |
| Threat level: | 5/5 |
| Detection(s): | Malicious file |
| Verdict: | malicious |
| Label(s): | raccoon |
Result
| Malware family: | socelars |
|---|---|
| Score: | 10/10 |
| Tags: | family:nullmixer family:onlylogger family:privateloader family:raccoon family:redline family:smokeloader family:socelars botnet:2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 botnet:fucker2 botnet:media18 aspackv2 backdoor discovery dropper infostealer loader spyware stealer trojan |
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Detects Smokeloader packer
NullMixer
OnlyLogger
PrivateLoader
Raccoon
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Malware Config
C2 Extraction:
http://mooorni.xyz/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
91.121.67.60:2151
135.181.129.119:4805
| Verdict: | Malicious |
|---|---|
| Tags: | n/a |
| YARA: | n/a |
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash | Detections |
|---|---|---|---|
| 57357e1d304ed1c4db3d22dbbd6a01327237d1fad37437db58f0a7d97a3d7ba3 | 42c09e2ff1923e01e6b465436b1d176f | 6fc4b58ff71392865812ba14a6b469ddec5df7d4 | win_gcleaner_auto |
| f60bd1658ad05f37e2777cb49ea63588ac24f6e18c3f631d7b11e7a6819e75ed | 81760d3d0914159e7d6836166efce6bf | 15789eee76b780a0bde70071ecb0a738dea445b6 | |
| 2010b113bce681120cbdbe50fd2c3393587d723b97d13a5777429570621bb339 | ae22fdfdaf90dc3174ebe91333125e1e | 3a62fed1ee6e36ca58c3ec19d0a4ae9f9eb0e2b8 | win_smokeloader_a2, SmokeLoaderStage2 |
Parent samples
| SHA256 hash | MD5 hash | SHA1 hash | Detections |
|---|---|---|---|
| 03c7096f04ff5c60e9cc2f959fd2b412137ab04e131c54295edf86e6c73a9427 | 93477906b5ba6f5b376b21d4bf810752 | 7dc227ed554b97276fd3385faa9f9af9cc9da18a | |
| 51a78b5f1799ffe27a1412e5eaa89e46dc32482e140c46ddafcd4c248e701b07 | 74c38bb6084f0c955a35c2355f6d9bc9 | ff3911cf479e9932acbb4148918b1e10e368b13a | |
| aad495a72e96f5a551319845a7c49b09144d250528222617e793c18986365b3e | 877bf51d0dc681ef39e31a6fc03e5fe1 | fd934fd0dd367c88e98b785e3d1d1ed712c84058 | |
| e7e5f8b44e8ca69294edf309b6e6330ccd5e8ec812e3d446058d669ed01e3d61 | 581a78ce2f5310961035a39f847b4d91 | f80674d6ab1c0badec27b0859104975465529f94 | |
| 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128 | de1b3c28ea026c0ede620dd78199ddc5 | ee402371a36bff44c765323ccd8c7e4a56bc8d12 | |
| d0c2d56e9165d4cf2652a024d6b26bb79529f1e386f1421f739ff8a1fd8407bc | 2200aa6db56cd0f0dfe1c70947b0c7d9 | e71ed1b12e1ae01b70b2175f08719ca5297c51f6 | |
| d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 | 26278caf1df5ef5ea045185380a1d7c9 | df16e31d1dd45dc4440ec7052de2fc026071286c | |
| 9da9ff2d6a3df588ede6f3d8b1fa835157b9595021a1d1e1bb7ba8f16c7d7919 | caca750b7aba4e2d1b8033eae137d3a5 | bbdda950acf6883c3ed40925a45aa9d700baee9e | |
| 87c46f3270f7cecb5b1d2ee881eba4654624e01c7504470c2edd8195ce996535 | 710d007acfefefac0654df0374e60c48 | 834feacd6e422ae146f128eeb5e48a4aebc6472e | PrivateLoader, win_privateloader_w0, win_privateloader_a0 |
| 4d7bf2038b241cc664c74c6e979f5fe95434613b0e1cfb6484417cb61793ffb9 | 3dab7aa5329772c930838683b5599fec | 6ef7d0cdedbd1520c1b346a9467aa5837eca679d | |
| fa02543c043d0ca718baf3dfafb7f5d0c018d46ee6e0f0220095e5874f160752 | 0c4602580c43df3321e55647c7c7dfdb | 5e4c40d78db55305ac5a30f0e36a2e84f3849cd1 | |
| 2fb5b9fec9447a0f16237dead4a722d211ee1dd479291fdc2451c5f159cf847b | 167be1d5e310eb8e62c3b93a60ece9e0 | 4622db8d4e94498ae1d0ad8a03d53f9ec2611cf1 | |
| 174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d | 7dc5f09dde69421bd8581b40d994ccd7 | 23788ae65ec05a9e542636c6c4e1d9d6be26d05c | |
| e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963 | f707252b9c9579677fffb013e0cfc646 | 8ab483023fa8773afb8c13464c39c5b8e687f126 | |
| 31c5fbbf2c420eec04c859d1de4cc968a521042c89b37259d22860c1f06b82c3 | 3810282ac410423b0677032702a2dceb | 13ba7a447efe3900b02ecb2aa17ac23068a56a74 | win_raccoon_auto |
| f88e2926a7aff6788062ace2d4999d73a4de253d8758c262e7f674088ec4bbde | 9c27633bcdf8507a59b7a283a3b2b490 | 102ab66902788948457c3cd715fbd3a2650f1933 | |
| 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052 | 6449aa2e023c5931ac91815ca54225ed | 65b5f4df2c28472469ddf924e6b0d0a61394c612 | |
| 4aee8a5e848eed52dcb0be8873d404b46ebd2b2cc9ed7746d0c1f72fee7f000b | 6eedd5552785a5762355d51dc82575b4 | d0fdd822453ef3c3250d9256193bfba6ee088389 | |
| 7a98a843f6b9affbce7a5566025ada0c0b91d64a6608248d9bbfeb57a2b432d3 | e2cb93e8d29a89d70a6e3a67363c0d71 | 8cf0d828c662ad794d21c851f946f95ec8413e41 | |
| 57534668000d43e68435904053ec12730d937bf42e8df9cb968d339f3c88bb08 | d5b54054d62962607191306219bd6be8 | 16a680192de42ab0e3c8233f434e772c0ee5f026 | |
| 0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26 | d336c845a72545aaa9757225350301ab | 6836aa4bd01e4f303809573cd18ce4413ae1409c | |
Please note that we are no longer able to provide a coverage score for VirusTotal.
| Threat name: | Malicious File |
|---|---|
| Score: | 1.00 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.