MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a0413cd0a25ed760cf3e17c60ce915b28c0472a658ba910d76435c19213dfac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Tofsee

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	7a0413cd0a25ed760cf3e17c60ce915b28c0472a658ba910d76435c19213dfac
SHA3-384 hash:	168026fa47c2246ba0b82eaae0199100ad98675cb70df26e5b2d20896a9e31eaa1ebb9c8a48fcfb74725e11b2e71784b
SHA1 hash:	d9d8cbb7e646d492aaff3280898b79bb764eabf9
MD5 hash:	2cbfec5cd3f0662c2715c07cb5137bc9
humanhash:	berlin-apart-spring-quebec
File name:	2cbfec5cd3f0662c2715c07cb5137bc9.exe
Download:	download sample
Signature	Tofsee Create hunting rule
File size:	142'848 bytes
First seen:	2021-08-29 08:46:07 UTC
Last seen:	2021-08-29 10:19:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	aa21a6d00a5d2896042e00aa2e960393 (11 x RaccoonStealer, 1 x Tofsee, 1 x DanaBot)
ssdeep	3072:V6KlvSCxX0l80EbYh+0t01jsI5/DuT61m:V0EqLET0tQjsI5/
Threatray	3'759 similar samples on MalwareBazaar
TLSH	T1DCD3BED03670C477C5C60973C459AEA16A2FB9316B74D98B3B58176F3E722C086AE363
dhash icon	4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Tofsee

abuse_ch

Tofsee C2:
http://84.246.85.16/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://84.246.85.16/	https://threatfox.abuse.ch/ioc/201706/

Intelligence

File Origin

# of uploads :

# of downloads :

614

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2cbfec5cd3f0662c2715c07cb5137bc9.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-29 08:48:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ddd77314-a389-404e-adf4-b59b82a8ff85

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183225/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.9293.22727.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Creating a process from a recently created file

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Moving a file to the Windows subdirectory

Launching a process

Creating a service

Launching the default Windows debugger (dwwin.exe)

Launching a service

Deleting a recently created file

Connection attempt to an infection source

Launching the process to change the firewall settings

Creating a file

Creating a file in the Windows subdirectories

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun for a service

Query of malicious DNS domain

Deleting of the original file

Enabling autorun by creating a file

Unauthorized injection to a system process

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2a41d44-ef9a-4ac6-a2c2-f6c834807925

Result

Threat name:

Raccoon RedLine SmokeLoader Tofsee Xmrig

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841001

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject threads in other processes

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Creates files in alternative data streams (ADS)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with benign system names

Found strings related to Crypto-Mining

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Tries to steal Mail credentials (via file access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a0413cd0a25ed760cf3e17c60ce915b28c0472a658ba910d76435c19213dfac/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-29 08:47:03 UTC

AV detection:

17 of 43 (39.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=picbhtikexwxmdht4f6gbturlmumarzkmwf2segxmq24deqt36wa._file

Verdict:

suspicious

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:buran family:raccoon family:smokeloader family:tofsee family:xmrig botnet:d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion miner persistence ransomware spyware stealer themida trojan

Link:

https://tria.ge/reports/210829-zvd681c3a2/

Behaviour

Checks SCSI registry key(s)

Interacts with shadow copies

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Deletes shadow copies

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner Payload

Buran

Raccoon

SmokeLoader

Tofsee

Windows security bypass

xmrig

Malware Config

C2 Extraction:

http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/