MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15aadadd6926270308e61f0e6c1d3a5d92a9fdba60d82936d2bac2bbfe3f301e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Tofsee

Vendor detections: 17

SHA256 hash: 15aadadd6926270308e61f0e6c1d3a5d92a9fdba60d82936d2bac2bbfe3f301e
SHA3-384 hash: 183764f4e0a1eaba37831d2cb4cb09777bc454f4c237bf043bbdde89bbe542e38d64c01418d42ba6153801b19b7d30c0
SHA1 hash: 2a73e25d7321538ece7f8ef821823744080b1495
MD5 hash: fbe5b0d472a7f6409c145e2c4aa18112
humanhash: stairway-utah-tennessee-zebra
File name: 2025-03-29_fbe5b0d472a7f6409c145e2c4aa18112_amadey_rhadamanthys_smoke-loader.exe
Signature: Tofsee
File size: 13'183'943 bytes
First seen: 2025-03-29 12:52:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 01c37f0b32a7e29c7991e81cd1eb432d (1 x Tofsee)
ssdeep: 3072:e9x1GKheCvFRd3t4Zi/4fCcw6B0VzBNUlK59KDt7HiF+E9/E9/E9/E9/E9/E9/ET:sx1GKFNRd32ZRf/aDtKp0D
Threatray: 21 similar samples on MalwareBazaar
TLSH: T1F5D62CBB886660F1D3B4117C255C3FA381BC67E7D0857AF640A9F9E4A97213CF894623
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 2ede3e76f6d2d0d1 (2 x Tofsee)
Reporter: zhuzhu0009
Tags: exe Tofsee

Intelligence

File Origin
# of uploads: 1
# of downloads: 386
Origin country: JP
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 2025-03-29_fbe5b0d472a7f6409c145e2c4aa18112_amadey_rhadamanthys_smoke-loader
Verdict: Malicious activity
Analysis date: 2025-03-29 11:12:41 UTC
Tags: tofsee

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: phishing tofsee emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the Windows subdirectory
Creating a service
Launching the process to change the firewall settings
Launching a service
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Enabling autorun for a service
Connection attempt to an infection source
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context fingerprint microsoft_visual_cc overlay packed packed packer_detected
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Tofsee
Behaviour
Behavior Graph:
Behavior Graph ID: 1651702
Sample: t8IxQLJH6h.exe
Startdate: 29/03/2025
Architecture: WINDOWS
Score: 100

Contacted hosts (sample start): yahoo.com; smtp.google.com; 5 other IPs or domains
Signatures (sample start): Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree (reconstructed from the flattened graph):
pxmqdbkk.exe (started)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  svchost.exe (started)
    contacted hosts: 43.231.4.7, 443, 49699, 49704 GIGABIT-MYGigabitHostingSdnBhdMY Malaysia; mta5.am0.yahoodns.net 67.195.228.111, 25 YAHOO-GQ1US United States; 3 other IPs or domains
    signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
  WerFault.exe (started)
t8IxQLJH6h.exe (started)
  dropped: C:\Users\user\AppData\Local\...\pxmqdbkk.exe, PE32
  signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  cmd.exe (started)
    dropped: C:\Windows\SysWOW64\...\pxmqdbkk.exe (copy), PE32
    conhost.exe (started)
  netsh.exe (started)
    conhost.exe (started)
  cmd.exe (started)
    conhost.exe (started)
  4 other processes
    conhost.exe (started)
    conhost.exe (started)
    conhost.exe (started)
svchost.exe (started)
  WerFault.exe (started)
  WerFault.exe (started)
Threat name: Win32.Trojan.BrsecmonE
Status: Malicious
First seen: 2025-03-27 01:46:34 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 24 of 24 (100.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:tofsee defense_evasion discovery execution persistence privilege_escalation trojan
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Launches sc.exe
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Creates new service(s)
Modifies Windows Firewall
Sets service image path in registry
Tofsee
Tofsee family
Windows security bypass
Malware Config
C2 Extraction:
43.231.4.7
lazystax.ru
Verdict: Malicious
Tags: Win.Packed.Tofsee-7413745-0
YARA: n/a
Unpacked files
SHA256 hash: 15aadadd6926270308e61f0e6c1d3a5d92a9fdba60d82936d2bac2bbfe3f301e
MD5 hash: fbe5b0d472a7f6409c145e2c4aa18112
SHA1 hash: 2a73e25d7321538ece7f8ef821823744080b1495
SHA256 hash: a4a10c2ce4f2edb368c8a23e0d29deb6a1c943920da32bd0ba7a9097778145a6
MD5 hash: 764afcd2883ce9fa65be47acb8bf1451
SHA1 hash: 9d1ae8af9a8524c385a0aa41fb5bcdf047569f6c
Detections: win_tofsee_w0 Tofsee Detect_Tofsee MALWARE_Win_Tofsee MALWARE_Win_Grum
Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_Tofsee
Author: @malgamy12
Description: Detect_Tofsee

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MALWARE_Win_Grum
Author: ditekSHen
Description: Detect Grum spam bot

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: tofsee_yhub
Author: Billy Austin
Description: Detects Tofsee botnet, also known as Gheg

Rule name: Windows_Trojan_Tofsee_26124fe4
Author: Elastic Security

Rule name: win_tofsee_bot
Author: akrasuski1
Description: Tofsee malware

Rule name: win_tofsee_w0
Author: akrasuski1

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID                  Capabilities                        Evidence
AUTH_API            Manipulates User Authorization      ADVAPI32.dll::MapGenericMask
                                                        ADVAPI32.dll::IsValidSecurityDescriptor
SECURITY_BASE_API   Uses Security Base API              ADVAPI32.dll::DuplicateTokenEx
                                                        ADVAPI32.dll::GetKernelObjectSecurity
                                                        ADVAPI32.dll::GetPrivateObjectSecurity
WIN32_PROCESS_API   Can Create Process and Threads      ADVAPI32.dll::OpenThreadToken
                                                        KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                   KERNEL32.dll::TerminateProcess
                                                        KERNEL32.dll::LoadLibraryA
                                                        KERNEL32.dll::GetStartupInfoA
                                                        KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs          KERNEL32.dll::AllocConsole
                                                        KERNEL32.dll::WriteConsoleA
                                                        KERNEL32.dll::WriteConsoleW
                                                        KERNEL32.dll::SetStdHandle
                                                        KERNEL32.dll::GetConsoleCP
                                                        KERNEL32.dll::GetConsoleMode
                                                        KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                    KERNEL32.dll::CreateFileA
                                                        KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_API   Retrieves Account Information       KERNEL32.dll::DnsHostnameToComputerNameA
WIN_REG_API         Can Manipulate Windows Registry     ADVAPI32.dll::RegQueryInfoKeyW
WIN_SVC_API         Can Manipulate Windows Services     ADVAPI32.dll::OpenServiceW

Comments