MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
SHA3-384 hash: 3390fc6a77a318300d603b3f18728232c68ba4273d908ce7d4398a553d63fb981c0b129157eae11c127a15d87aa48e01
SHA1 hash: b8c6f548d350d7a53bda376f317a5557275886c7
MD5 hash: 808a1e4b004ad48ca5e96aece8c64133
humanhash: echo-johnny-eighteen-kilo
File name:xmsn.exe1
Download: download sample
Signature Tofsee
Create hunting rule
File size:5'905'699 bytes
First seen:2025-03-22 16:14:25 UTC
Last seen:2025-03-24 07:26:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07c4dc6e132c507bcef10998173e3c81 (3 x DanaBot, 2 x LummaStealer, 1 x Rhadamanthys)
ssdeep 98304:0K/Zoaq4Ru7bUlDPn9STPKEszwSE+nIFYpeefZrxjRXOnrUB3MShVUDvw2v8g:f/uT4RuXqD/P7E6I6/Zj+jSx2v8g
Threatray 3 similar samples on MalwareBazaar
TLSH T1F556127677E824FAC4BA4376D6808135FF75B14D332195AECAA4962C2F3B96420BF305
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter KatzenTech
Tags:176-113-115-7 exe Tofsee

Intelligence

File Origin
# of uploads :
2
# of downloads :
391
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-03-22 13:59:38 UTC
Tags:
opendir loader amadey botnet stealer lumma stealc credentialflusher auto generic tofsee themida rdp
Link:
https://app.any.run/tasks/98bc0bde-5714-44a8-b552-bd3c6120da63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dee21dc8a812f780e81551
Tags:
autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file
Unauthorized injection to a recently created process
Launching a process
Launching a service
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm CAB crypto crypto evasive expand expired-cert expired-cert explorer fingerprint fingerprint installer keylogger lolbin masquerade microsoft_visual_cc overlay packed packed packer_detected rat remote runonce zusy
Link:
https://www.filescan.io/uploads/67dee217195c2ecf47ef5bcf/reports/6b4d8717-820c-42f4-9154-fe812623ab7f/overview
Verdict:
Malicious
Labled as:
Trojan.Penguish
Link:
https://www.hybrid-analysis.com/sample/5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/04a4e55b-fd4d-4c71-a8ad-dab9c3f021bd
Result
Threat name:
Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645823
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1645823 Sample: xmsn.exe1.exe Startdate: 22/03/2025 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for dropped file 2->87 89 5 other signatures 2->89 11 xmsn.exe1.exe 8 2->11         started        14 msn.exe 1 2->14         started        17 msn.exe 1 2->17         started        process3 file4 69 C:\Windows\Temp\...\xmsn.exe1.exe, PE32+ 11->69 dropped 19 xmsn.exe1.exe 18 11->19         started        111 Maps a DLL or memory area into another process 14->111 113 Found direct / indirect Syscall (likely to bypass EDR) 14->113 23 cmd.exe 2 14->23         started        25 cmd.exe 2 17->25         started        signatures5 process6 file7 57 C:\Windows\Temp\...\msvcr80.dll, PE32 19->57 dropped 59 C:\Windows\Temp\...\msncore.dll, PE32 19->59 dropped 61 C:\Windows\Temp\...\msn.exe, PE32 19->61 dropped 67 3 other malicious files 19->67 dropped 95 Multi AV Scanner detection for dropped file 19->95 27 msn.exe 8 19->27         started        63 C:\Users\user\AppData\Local\Temp\eukwjc, PE32 23->63 dropped 97 Writes to foreign memory regions 23->97 99 Maps a DLL or memory area into another process 23->99 31 cgmon_v2.exe 23->31         started        33 conhost.exe 23->33         started        65 C:\Users\user\AppData\Local\...\piopaknglvqyk, PE32 25->65 dropped 35 cgmon_v2.exe 25->35         started        37 conhost.exe 25->37         started        signatures8 process9 file10 71 C:\Users\user\AppData\Roaming\...\msvcr80.dll, PE32 27->71 dropped 73 C:\Users\user\AppData\Roaming\...\msncore.dll, PE32 27->73 dropped 75 C:\Users\user\AppData\Roaming\...\msn.exe, PE32 27->75 dropped 77 2 other malicious files 27->77 dropped 107 Switches to a custom stack to bypass stack traces 27->107 39 msn.exe 1 27->39         started        109 Found direct / indirect Syscall (likely to bypass EDR) 31->109 42 WerFault.exe 21 31->42         started        44 WerFault.exe 2 16 35->44         started        signatures11 process12 signatures13 101 Maps a DLL or memory area into another process 39->101 103 Switches to a custom stack to bypass stack traces 39->103 105 Found direct / indirect Syscall (likely to bypass EDR) 39->105 46 cmd.exe 4 39->46         started        process14 file15 79 C:\Users\user\AppData\Local\Temp\efwbybd, PE32 46->79 dropped 81 C:\Users\user\AppData\Local\...\cgmon_v2.exe, PE32 46->81 dropped 115 Writes to foreign memory regions 46->115 117 Found hidden mapped module (file has been removed from disk) 46->117 119 Maps a DLL or memory area into another process 46->119 121 Switches to a custom stack to bypass stack traces 46->121 50 cgmon_v2.exe 46->50         started        53 conhost.exe 46->53         started        signatures16 process17 signatures18 91 Switches to a custom stack to bypass stack traces 50->91 93 Found direct / indirect Syscall (likely to bypass EDR) 50->93 55 WerFault.exe 22 16 50->55         started        process19
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19/
Threat name:
Win32.Backdoor.Tofsee
Create hunting rule
Status:
Malicious
First seen:
2025-03-22 12:42:25 UTC
File Type:
PE+ (Exe)
Extracted files:
158
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3yrn5mkusv7atcr7uap5lvbpljraf2wkmpneii6q4fwswutlimq._file
Verdict:
malicious
Label(s):
tofsee
Create hunting rule
Similar samples:
12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74
Tofsee
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
Tofsee
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
Tofsee
error
Tofsee
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:tofsee discovery phishing trojan
Link:
https://tria.ge/reports/250322-tp9hgawxb1/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
A potential corporate email address has been identified in the URL: dongls3000@qq.com
Executes dropped EXE
Loads dropped DLL
Tofsee
Tofsee family
Malware Config
C2 Extraction:
vanaheim.cn
jotunheim.name
Gathering data
Unpacked files
SH256 hash:
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
MD5 hash:
808a1e4b004ad48ca5e96aece8c64133
SHA1 hash:
b8c6f548d350d7a53bda376f317a5557275886c7
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
SH256 hash:
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd
MD5 hash:
54ee6a204238313dc6aca21c7e036c17
SHA1 hash:
531fd1c18e2e4984c72334eb56af78a1048da6c7
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
SH256 hash:
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575
MD5 hash:
ef66829b99bbfc465b05dc7411b0dcfa
SHA1 hash:
c6f6275f92053b4b9fa8f2738ed3e84f45261503
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
SH256 hash:
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
MD5 hash:
537915708fe4e81e18e99d5104b353ed
SHA1 hash:
128ddb7096e5b748c72dc13f55b593d8d20aa3fb
Detections:
win_isfb_a5
Create hunting rule
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
Parent samples :
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
SH256 hash:
cad91db77a9398695fdbf2fca9b67dc8032de5ba712b17a029c928b60b13a805
MD5 hash:
fe4af613cc77f1fc3b2120da1ce21f51
SHA1 hash:
8d4ea750b30b75e57ab2859369b9ac6dab2e8412
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
SH256 hash:
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
MD5 hash:
43143abb001d4211fab627c136124a44
SHA1 hash:
edb99760ae04bfe68aaacf34eb0287a3c10ec885
Link:
https://www.unpac.me/results/78eca4ca-db25-473f-9310-3528dd8443cd/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ef116f58aa4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Tofsee_26124fe4
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::IsWellKnownSid
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt FilesADVAPI32.dll::DecryptFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::QueryServiceStatus
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments