MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 10


Intelligence 10 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf
SHA3-384 hash: 0310ee741da371ce07552b20aa83f686c6ac3766a378104acb70fd21050176ef3a17f19776486c0be1a610dff2fc71b8
SHA1 hash: 9530279479083fae4b66607de36f88e405df6688
MD5 hash: 276d91edc7aad0cceeb9c0e1dd5fd387
humanhash: kitten-equal-alanine-april
File name:276d91edc7aad0cceeb9c0e1dd5fd387.exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:292'352 bytes
First seen:2021-09-24 00:50:57 UTC
Last seen:2021-09-24 01:55:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 110da1023e5bbd9b585d5ac7f21f7aaf (4 x RedLineStealer, 2 x RaccoonStealer, 2 x Tofsee)
ssdeep 6144:Kgp0ECMozQb0ZyE4xRCof9a7CkNvZaO4hGkRYL:Kgp0ECMozQb7x3rkNvZaO4hGkO
Threatray 4'404 similar samples on MalwareBazaar
TLSH T124549D1077E0C034F2B712FA89BA93A8B52E7DB16B68C5CF62D41AEA56746D0DC30357
File icon (PE):PE icon
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags:exe Tofsee


Avatar
abuse_ch
Tofsee C2:
http://194.180.174.112/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.112/ https://threatfox.abuse.ch/ioc/225891/
135.181.142.223:30397 https://threatfox.abuse.ch/ioc/226444/
178.132.3.103:80 https://threatfox.abuse.ch/ioc/226445/
65.21.231.57:60751 https://threatfox.abuse.ch/ioc/226446/

Intelligence

File Origin
# of uploads :
2
# of downloads :
713
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
276d91edc7aad0cceeb9c0e1dd5fd387.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-24 00:52:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd752297-c4c2-420f-8e9e-d60b666a4c43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190917/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.24807.4248.696.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/858270a5-387a-43d7-a9e6-d65ff829def5
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857010
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489436 Sample: 4LNn5bQH1r.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 118 microsoft-com.mail.protection.outlook.com 2->118 120 ip-api.com 2->120 122 api.ip.sb 2->122 170 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->170 172 Multi AV Scanner detection for dropped file 2->172 174 Multi AV Scanner detection for submitted file 2->174 176 20 other signatures 2->176 11 4LNn5bQH1r.exe 2->11         started        14 twpxvxfp.exe 2->14         started        16 diffifv 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 208 Detected unpacking (changes PE section rights) 11->208 210 Contains functionality to inject code into remote processes 11->210 212 Injects a PE file into a foreign processes 11->212 21 4LNn5bQH1r.exe 11->21         started        214 Detected unpacking (overwrites its own PE header) 14->214 216 Writes to foreign memory regions 14->216 218 Allocates memory in foreign processes 14->218 24 svchost.exe 14->24         started        27 diffifv 16->27         started        124 192.168.2.1 unknown unknown 18->124 29 WerFault.exe 18->29         started        signatures6 process7 dnsIp8 178 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->178 180 Maps a DLL or memory area into another process 21->180 182 Checks if the current machine is a virtual machine (disk enumeration) 21->182 184 Creates a thread in another existing process (thread injection) 21->184 31 explorer.exe 14 21->31 injected 136 microsoft-com.mail.protection.outlook.com 40.93.212.0, 25, 49811, 49864 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->136 138 defeatwax.ru 193.56.146.188, 443, 49821, 49855 LVLT-10753US unknown 24->138 186 System process connects to network (likely due to code injection or exploit) 24->186 signatures9 process10 dnsIp11 140 193.56.146.41, 49782, 9080 LVLT-10753US unknown 31->140 142 216.128.137.31, 80 AS-CHOOPAUS United States 31->142 144 2 other IPs or domains 31->144 86 C:\Users\user\AppData\Roaming\diffifv, PE32 31->86 dropped 88 C:\Users\user\AppData\Local\Temp\7557.exe, PE32 31->88 dropped 90 C:\Users\user\AppData\Local\Temp\4A2E.exe, PE32 31->90 dropped 92 5 other files (4 malicious) 31->92 dropped 162 System process connects to network (likely due to code injection or exploit) 31->162 164 Benign windows process drops PE files 31->164 166 Deletes itself after installation 31->166 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->168 36 64BC.exe 31->36         started        39 7557.exe 31->39         started        43 4A2E.exe 2 31->43         started        45 5 other processes 31->45 file12 signatures13 process14 dnsIp15 94 C:\ProgramData\installzgd.exe, PE32 36->94 dropped 96 C:\ProgramData\grfdg.exe, PE32 36->96 dropped 47 grfdg.exe 36->47         started        51 installzgd.exe 36->51         started        132 194.180.174.112, 49835, 80 MIVOCLOUDMD unknown 39->132 134 t.me 149.154.167.99, 443, 49829 TELEGRAMRU United Kingdom 39->134 98 C:\Users\user\AppData\...\vcruntime140.dll, PE32 39->98 dropped 100 C:\Users\user\AppData\...\ucrtbase.dll, PE32 39->100 dropped 102 C:\Users\user\AppData\...\softokn3.dll, PE32 39->102 dropped 106 56 other files (none is malicious) 39->106 dropped 188 Detected unpacking (changes PE section rights) 39->188 190 Detected unpacking (overwrites its own PE header) 39->190 192 Tries to steal Mail credentials (via file access) 39->192 194 Tries to harvest and steal browser information (history, passwords, etc) 39->194 104 C:\Users\user\AppData\Local\...\twpxvxfp.exe, PE32 43->104 dropped 196 Uses netsh to modify the Windows network and firewall settings 43->196 198 Modifies the windows firewall 43->198 54 cmd.exe 43->54         started        56 cmd.exe 43->56         started        64 4 other processes 43->64 200 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 45->200 202 Writes to foreign memory regions 45->202 204 Allocates memory in foreign processes 45->204 206 2 other signatures 45->206 58 2B43.exe 45->58         started        60 RegSvcs.exe 15 5 45->60         started        62 3249.exe 45->62         started        66 3 other processes 45->66 file16 signatures17 process18 dnsIp19 108 C:\Users\RuntimeBroker.exe, PE32 47->108 dropped 110 C:\ProgramData\grfdg\grfdg.exe, PE32 47->110 dropped 112 C:\...\SknVZyeagvIRXaYOkZO.exe, PE32 47->112 dropped 116 2 other files (none is malicious) 47->116 dropped 146 Multi AV Scanner detection for dropped file 47->146 148 Creates an undocumented autostart registry key 47->148 150 Machine Learning detection for dropped file 47->150 160 4 other signatures 47->160 126 94.26.249.88, 23619, 49860 PTC-YEMENNETYE Russian Federation 51->126 68 conhost.exe 51->68         started        114 C:\Windows\SysWOW64\...\twpxvxfp.exe (copy), PE32 54->114 dropped 70 conhost.exe 54->70         started        72 conhost.exe 56->72         started        152 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 58->152 154 Maps a DLL or memory area into another process 58->154 156 Checks if the current machine is a virtual machine (disk enumeration) 58->156 158 Creates a thread in another existing process (thread injection) 58->158 128 185.230.143.48, 14462, 49837 HostingvpsvilleruRU Russian Federation 60->128 130 api.ip.sb 60->130 74 conhost.exe 60->74         started        76 WerFault.exe 62->76         started        78 conhost.exe 64->78         started        80 conhost.exe 64->80         started        82 conhost.exe 64->82         started        84 conhost.exe 64->84         started        file20 signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 00:01:37 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iaxmyipy4m2n7fhttgdwsby5jkutyiizffjabvgbnkuhj2uoxoxq._file
Verdict:
malicious
Similar samples:
2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539
Tofsee
3c2e9b1a771dee5ace5a9228f516695d486f274e82341da3666ab62a50473cca
Tofsee
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
Tofsee
4ce736beca7ebfdae1fca1c504ef9482ada58dbf573fd57434aef6de2b36c9d6
Tofsee
6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755
Tofsee
73d3930011ac4fb1ac1ec5b4d339c001a9892c152fbc8be47b81d8ff559018ca
Tofsee
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
Tofsee
9664922ce8e322f3e2902a458b8a00f19515d2cd9c5802482e4e2d40fce8b861
Tofsee
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
Tofsee
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
Tofsee
+ 4'394 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:tofsee family:xmrig botnet:@rarenut0 botnet:qq backdoor discovery evasion infostealer miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/210924-a7hb6afdfn/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
XMRig Miner Payload
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://hamilaharr6.top/
http://bartanayane7.top/
http://zesiahavie8.top/
http://hancarlenei9.top/
http://samillavakiv10.top/
http://feryleromand11.top/
http://ubrianella12.top/
http://hepryceeaaa13.top/
http://viahalexandy14.top/
http://wenataliana15.top/
135.181.142.223:30397
185.230.143.48:14462
Unpacked files
SH256 hash:
14cd529ab1a67eeed2fdf0fe71a08b9dc8ecf61384072f676b4ff9ec3ef8fe74
MD5 hash:
125ecb7456bb5a2c5c724c2eca56f87e
SHA1 hash:
982aaa66cda8c0500e0811aa9e447cba4f0752ff
Link:
https://www.unpac.me/results/2c367fb4-9772-4d66-9efa-4a5274528860/
SH256 hash:
402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf
MD5 hash:
276d91edc7aad0cceeb9c0e1dd5fd387
SHA1 hash:
9530279479083fae4b66607de36f88e405df6688
Link:
https://www.unpac.me/results/2c367fb4-9772-4d66-9efa-4a5274528860/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/402ecc21f8e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tofsee

Executable exe 402ecc21f8e334df94f3998769071d4aa93c2119295200d4c16aa874ea8ebbaf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190917/

Comments