MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 302ca1dafea52c0039cbc171712eef95339daf45d441e669c18d629826343638. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Tofsee


Vendor detections: 15



SHA256 hash: 302ca1dafea52c0039cbc171712eef95339daf45d441e669c18d629826343638
SHA3-384 hash: 7557d3b3700b3088bec1d9e3a512bd755199d26115f5ce888b778e55736e28b847443fca746268dcdcd0e07f6252ef01
SHA1 hash: e3ca0a89c87395ce6f3e34add16effad74830a2d
MD5 hash: cbfb38108965fc180773854a4e8adbff
humanhash: bacon-island-hot-oxygen
File name: file
Signature: Tofsee
File size: 285'696 bytes
First seen: 2022-08-29 12:57:12 UTC
Last seen: 2022-09-08 09:28:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 05c33101aaeec891beca386c38cc85fb (1 x RedLineStealer, 1 x Smoke Loader, 1 x Tofsee)
ssdeep: 3072:PXhR6Jc57EO47qq9ZaUtquOHrzquoN0alnRWzd0:/+c57t4X9ZaFvfq50aNRWzd0
TLSH: T18F54E0127283C471C4A752719470C7A19ABF58F1563804EB2BB526AE1FF33E08BB6F56
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): (PE icon image)
dhash icon: 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter: andretavare5
Tags: exe Tofsee


andretavare5: Sample downloaded from http://176.113.115.153:9080/13.php

Intelligence

File Origin
# of uploads: 10
# of downloads: 309
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-08-29 12:58:33 UTC
Tags: tofsee
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Clean
Maliciousness:

Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  MeasuringTime
  CheckCmdLine
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Drops executables to the windows directory (C:\Windows) and starts them
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Modifies the windows firewall
  Multi AV Scanner detection for submitted file
  Uses netsh to modify the Windows network and firewall settings
  Yara detected Tofsee
Behaviour:
Behavior Graph:
Behavior Graph ID 692370 (sample: file.exe; start date: 29/08/2022; architecture: WINDOWS; score: 100), recovered from the flattened graph image:
  Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
  Top-level processes started: file.exe; svchost.exe (x2); 4 other processes
  file.exe: drops C:\Users\user\AppData\Local\...\hphrgrzu.exe (PE32); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Uses netsh to modify the Windows network and firewall settings, Modifies the windows firewall; starts cmd.exe (x2), netsh.exe, 3 other processes
  cmd.exe (first instance): drops C:\Windows\SysWOW64\...\hphrgrzu.exe (copy, PE32); starts conhost.exe
  netsh.exe: starts conhost.exe
  cmd.exe (second instance): starts conhost.exe
  3 other processes: start conhost.exe (x3)
Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2022-08-29 12:58:09 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious

Malware family:
Score: 10/10
Tags: family:tofsee evasion persistence trojan
Behaviour:
  Modifies data under HKEY_USERS
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Program crash
  Launches sc.exe
  Drops file in System32 directory
  Suspicious use of SetThreadContext
  Checks computer location settings
  Deletes itself
  Creates new service(s)
  Executes dropped EXE
  Modifies Windows Firewall
  Sets service image path in registry
  Tofsee
  Windows security bypass
Malware Config
C2 Extraction:
  svartalfheim.top
  jotunheim.name
Unpacked files
SHA256 hash: 021eb36d244d1bc60f8d87e2704a86738c54e1dcca10c98af6c1497eac2439cf
MD5 hash: c24255b81c1afcc45e6cd15047c29285
SHA1 hash: 6a171c1e3ed5f05673ea9cb965eb6353a8ed891d
Detections: win_tofsee_w0
Parent samples:
SHA256 hash: 302ca1dafea52c0039cbc171712eef95339daf45d441e669c18d629826343638
MD5 hash: cbfb38108965fc180773854a4e8adbff
SHA1 hash: e3ca0a89c87395ce6f3e34add16effad74830a2d

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: win_tofsee_w0
Author: akrasuski1

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments