MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90f43bc5d73e312d03e295e766747937ffd2d12a76463f0cb56a43d3f1a1faed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Tofsee

Vendor detections: 16

The Tofsee label is the reporter's signature tag. The vendor results below classify the file itself as a PrivateLoader bundle whose sandbox run drops RedLine, SmokeLoader and Tofsee payloads, so the behaviour, network contacts and dropped files recorded on this page belong to that whole chain rather than to Tofsee alone.


SHA256 hash: 90f43bc5d73e312d03e295e766747937ffd2d12a76463f0cb56a43d3f1a1faed
SHA3-384 hash: 07c2dce0921ed252b6979f9f6813fe02b75e55309f4d0df2c7dcf7ba83118f7a323da8336438dc9ed48ba4f06e82c309
SHA1 hash: de13fc370b743c3141a3981825289caaf8546e78
MD5 hash: 6609d74cf1e4b883933ca88c2c0cf797
humanhash: kansas-south-stream-arizona
File name: 6609d74cf1e4b883933ca88c2c0cf797.exe
Signature: Tofsee
File size: 7'163'040 bytes
First seen: 2023-03-02 17:11:08 UTC
Last seen: 2023-03-02 18:27:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20fcca9c4f6d6a96b55e9305c9ac59ff (shared with 3 x RedLineStealer, 2 x Tofsee, 2 x LaplasClipper samples)
ssdeep: 196608:amFj8Pbci5pa9NhDG37K6TCKDVQDVkiR9:amFj8Pbhpa9A7KcsKa9
Threatray: 12 similar samples on MalwareBazaar
TLSH: T17F762332566D2109D1B28C3F8A33BDCAB1FA472797427C74B99E29D737B24E0E113646
TrID: 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      3.7% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: c0d8dcf0f0f0f070 (1 x Tofsee)
Reporter: abuse_ch
Tags: exe signed Tofsee

Code Signing Certificate

Organisation: Samsung Q32R504FHI RC46R537FHIZCI
Issuer: Samsung Q32R504FHI RC46R537FHIZCI
Algorithm: sha1WithRSAEncryption
Valid from: 2023-02-24T15:59:48Z
Valid to: 2033-02-25T15:59:48Z
Serial number: 1dc5f6b74cde39ac43cb5430afd5b859
Thumbprint algorithm: SHA256
Thumbprint: 6a97714cd91dfb61a56599e81b9deea6b22fb991a36c4d3086b01deced358a38
Source: ReversingLabs A1000 Malware Analysis Platform

The issuer is identical to the subject, so this is a self-signed certificate: no CA vouches for the "Samsung" name, and the "signed" tag above does not mean the file carries a trusted Authenticode signature. The certificate also uses SHA-1, which Microsoft has deprecated for Authenticode, has a ten-year validity far beyond what publicly trusted code-signing CAs issue, and was created six days before the sample was first seen. The serial number and thumbprint are stable identifiers of the signing key and are useful pivots for finding other samples signed with it.
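A metadata-level check of the certificate above, as an added example and not MalwareBazaar's or ReversingLabs' code. It encodes the red flags just described as rules (self-signed, deprecated algorithm, over-long validity) plus an assumed heuristic that a certificate minted within 14 days of the sample's first sighting is suspicious. The field values are copied from this entry; the block uses only the Python standard library and works on the displayed metadata, so it does not verify the Authenticode signature itself.

```python
"""Red-flag triage of code-signing certificate metadata.

Added example; not MalwareBazaar or ReversingLabs code. It reasons over the
metadata fields the entry displays, not over the PKCS#7 signature blob, so it
cannot verify the signature; it only tells you whether the "signed" tag
should carry any weight.
"""
from datetime import datetime, timezone
from typing import List, Optional

# Fields copied from the Code Signing Certificate section of this entry.
SAMPLE_CERT = {
    "subject": "Samsung Q32R504FHI RC46R537FHIZCI",
    "issuer": "Samsung Q32R504FHI RC46R537FHIZCI",
    "algorithm": "sha1WithRSAEncryption",
    "valid_from": "2023-02-24T15:59:48Z",
    "valid_to": "2033-02-25T15:59:48Z",
    "serial": "1dc5f6b74cde39ac43cb5430afd5b859",
    "thumbprint_sha256": "6a97714cd91dfb61a56599e81b9deea6b22fb991a36c4d3086b01deced358a38",
}
SAMPLE_FIRST_SEEN = "2023-03-02T17:11:08Z"  # "First seen" from the entry

# CA/Browser Forum code-signing baseline requirements cap subscriber
# certificates at 39 months; anything longer was not issued by a public CA.
MAX_PUBLIC_CODESIGN_DAYS = 39 * 31

# Signature algorithms Microsoft has deprecated for Authenticode.
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Assumed threshold: a cert created this close to the first sighting of the
# binary it signs is typical of throwaway self-signed certificates.
FRESH_CERT_DAYS = 14


def parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the entry."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_days(cert: dict) -> int:
    """Whole days between notBefore and notAfter."""
    return (parse_utc(cert["valid_to"]) - parse_utc(cert["valid_from"])).days


def cert_red_flags(cert: dict, first_seen: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means no metadata red flags."""
    flags = []
    if cert["subject"] == cert["issuer"]:
        flags.append("self-signed: issuer equals subject, no CA vouches for the signer name")
    if cert["algorithm"] in WEAK_SIGNATURE_ALGORITHMS:
        flags.append(f"deprecated signature algorithm {cert['algorithm']}")
    days = validity_days(cert)
    if days > MAX_PUBLIC_CODESIGN_DAYS:
        flags.append(f"validity of {days} days exceeds the 39-month limit for "
                     "publicly trusted code-signing certificates")
    if first_seen is not None:
        age = (parse_utc(first_seen) - parse_utc(cert["valid_from"])).days
        if 0 <= age <= FRESH_CERT_DAYS:
            flags.append(f"certificate created only {age} days before the sample was first seen")
    return flags


def pivot_indicators(cert: dict) -> dict:
    """Stable identifiers of the signing key, usable to hunt for related samples."""
    return {
        "serial": cert["serial"].lower(),
        "thumbprint_sha256": cert["thumbprint_sha256"].lower(),
    }


if __name__ == "__main__":
    for finding in cert_red_flags(SAMPLE_CERT, SAMPLE_FIRST_SEEN):
        print("-", finding)
    print(pivot_indicators(SAMPLE_CERT))
```

For the certificate on this page all four rules fire; a certificate from a public CA with a SHA-2 algorithm and a validity inside the 39-month cap produces no findings, which is the point of keeping the checks separate from the pivot identifiers.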


abuse_ch
Tofsee C2:
91.215.85.15:25916
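Detection over connection logs for the network indicators on this page, as an added example rather than abuse.ch or MalwareBazaar code. It parses Zeek conn.log records (the sample lines are constructed) and matches the responder address and port against a tiered indicator list: the ip:port above is the only high-confidence indicator; the other IPs come from the sandbox behaviour graph further down and mostly belong to shared infrastructure (VK, Telegram, Cloudflare), so they are scored low and treated as pivots rather than alerts. Column names follow Zeek's conn.log format; the tiering is this example's assumption.

```python
"""Match Zeek conn.log records against the network indicators on this page.

Added example, not abuse.ch or MalwareBazaar code. The conn.log lines are
constructed for the demonstration. Indicators are tiered on purpose: the
ip:port C2 reported by abuse_ch is a high-confidence detection, while the
other addresses from the sandbox run belong to shared infrastructure that
legitimate software also contacts, so a bare hit on them is a pivot to
investigate, not an alert on its own.
"""
from typing import Dict, Iterator, List, Optional, Tuple

# Zeek conn.log column order, abbreviated to the fields used here.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# (ip, port) -> (confidence, description); a port of None matches any port.
IOCS: Dict[Tuple[str, Optional[int]], Tuple[str, str]] = {
    ("91.215.85.15", 25916): ("high", "Tofsee C2 reported by abuse_ch"),
    ("91.215.85.15", None): ("medium", "Tofsee C2 host on an unexpected port"),
    ("23.254.227.202", None): ("medium", "contacted in sandbox (HOSTWINDS)"),
    ("87.240.129.133", None): ("low", "contacted in sandbox (VKontakte, shared infrastructure)"),
    ("149.154.167.99", None): ("low", "contacted in sandbox (Telegram, shared infrastructure)"),
    ("188.114.96.3", None): ("low", "contacted in sandbox (Cloudflare, shared infrastructure)"),
}
CONFIDENCE_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed conn.log excerpt (tab-separated; Zeek '#' header lines omitted).
SAMPLE_CONN_LOG = "\n".join([
    "1677777000.123456\tCa1Tofsee\t10.0.0.23\t49811\t91.215.85.15\t25916\ttcp\t-\t12.5\t1320\t4410\tSF",
    "1677777001.222222\tCb2Vk\t10.0.0.23\t49812\t87.240.129.133\t443\ttcp\tssl\t0.8\t517\t3021\tSF",
    "1677777002.333333\tCc3Dns\t10.0.0.45\t53211\t8.8.8.8\t53\tudp\tdns\t0.02\t61\t129\tSF",
    "1677777003.444444\tCd4Odd\t10.0.0.23\t49813\t91.215.85.15\t443\ttcp\t-\t3.1\t210\t0\tS0",
])


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, skipping Zeek '#' header/footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < len(CONN_FIELDS):
            continue  # truncated record: skip rather than mis-map columns
        yield dict(zip(CONN_FIELDS, parts))


def match_iocs(text: str) -> List[Dict[str, str]]:
    """Return matching records ordered by confidence, then by time."""
    hits = []
    for rec in parse_conn_log(text):
        host, port = rec["id.resp_h"], int(rec["id.resp_p"])
        # Prefer the exact ip:port indicator; fall back to the host-only one.
        key = (host, port) if (host, port) in IOCS else (host, None)
        if key not in IOCS:
            continue
        confidence, description = IOCS[key]
        hits.append({"uid": rec["uid"], "ts": rec["ts"], "src": rec["id.orig_h"],
                     "dst": f"{host}:{port}", "confidence": confidence,
                     "indicator": description})
    hits.sort(key=lambda h: (CONFIDENCE_RANK[h["confidence"]], float(h["ts"])))
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_CONN_LOG):
        print(f"[{h['confidence']:6}] {h['uid']} {h['src']} -> {h['dst']}: {h['indicator']}")
```

On the constructed log the C2 connection on port 25916 comes out first, the same host on port 443 is reported at medium confidence because the port does not match, and the VK contact is listed last as a low-confidence pivot; the DNS record to 8.8.8.8 produces nothing.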

Intelligence

File Origin
# of uploads: 2
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 6609d74cf1e4b883933ca88c2c0cf797.exe
Verdict: Malicious activity
Analysis date: 2023-03-02 17:14:31 UTC
Tags: evasion opendir loader rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Sending an HTTP GET request
DNS request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Sending a UDP request
Creating a file
Connecting to a non-recommended domain
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching the process to change the firewall settings
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: autorun greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ManusCrypt, PrivateLoader, RedLine, Smok
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected ManusCrypt
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph ID: 818842 (sample 3h1sd4dAbn.exe, start date 02/03/2023, architecture WINDOWS, score 100). Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 20 other signatures. Process tree, network contacts and dropped files recorded in the graph:

3h1sd4dAbn.exe
    network: 91.215.85.15 (PINDC-AS, Russian Federation); 87.240.129.133 (VKONTAKTE-SPB-AS, Russian Federation); 18 other IPs or domains
    dropped: C:\Users\...\onsrt0N678kUHNQNywQigWtT.exe (PE32); C:\Users\...\oDxOnY191Z0t57rQpdkNEm74.exe (PE32); C:\Users\...\hcV_WOQBar5VR5TJtP_ItIZu.exe (PE32); 23 other malicious files
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 2 other signatures
    starts: 3n4W3buvfBSsoKlp1bgXhjCt.exe; oDxOnY191Z0t57rQpdkNEm74.exe; hcV_WOQBar5VR5TJtP_ItIZu.exe; 12 other processes
        3n4W3buvfBSsoKlp1bgXhjCt.exe
            dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
            starts: Install.exe
                Install.exe
                    dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
                    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    starts: Install.exe
                        Install.exe
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        oDxOnY191Z0t57rQpdkNEm74.exe
            network: 188.114.96.3 (CLOUDFLARENET, European Union)
            dropped: 5 other malicious files
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        hcV_WOQBar5VR5TJtP_ItIZu.exe
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            starts: WerFault.exe (network: 20.42.73.29, MICROSOFT-CORP-MSN-AS-BLOCK, United States); RegSvcs.exe
        12 other processes
            network: 149.154.167.99 (TELEGRAM, United Kingdom); 23.254.227.202 (HOSTWINDS, United States); 4 other IPs or domains
            dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32); C:\Users\user\AppData\Local\...\zggklvfq.exe (PE32); 3 other malicious files
            starts: cmd.exe (x2); sc.exe; 6 other processes (each with a conhost.exe child)
                cmd.exe
                    dropped: C:\Windows\SysWOW64\...\zggklvfq.exe (copy) (PE32)
svchost.exe
    starts: is-5F280.tmp
        is-5F280.tmp
            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); 8 other files (6 malicious)
svchost.exe
    signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to compare user and computer (likely to detect sandboxes); Contains functionality to detect sleep reduction / modifications
9 other processes
    network: 51.104.136.2 (MICROSOFT-CORP-MSN-AS-BLOCK, United Kingdom)
    signatures: Query firmware table information (likely to detect VMs); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    starts: MpCmdRun.exe (with a conhost.exe child); WerFault.exe
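Host-side detection logic for four of the signatures reported above (Defender disabled through policy registry values, Defender exclusions added, netsh firewall changes, and executables dropped to C:\Windows\Temp and started), as an added example and not code from Joe Sandbox or any other vendor on this page. Events are constructed in a Sysmon-like shape (EventID 1 process create, EventID 13 registry value set). The registry paths are the real Windows Defender policy and exclusion keys; the image names, command lines and DWORD values in the sample events are made up for the demonstration and do not claim to be what this sample executed.

```python
r"""Behavioural detections for the defence-evasion steps in the sandbox report.

Added example, not Joe Sandbox, ANY.RUN or MalwareBazaar code. The events
below are constructed in a Sysmon-like shape (EventID 1 = process create,
EventID 13 = registry value set) only to exercise the rules; in production
the same fields come from the Sysmon operational log or an EDR. Rules:
Defender disabled via Group Policy registry values, Defender exclusions
added (registry or Add-MpPreference), netsh firewall changes, and an
executable started from C:\Windows\Temp.
"""
import re
from typing import Dict, List, Optional, Tuple

# Group Policy values that turn Defender off when set to 1.
DEFENDER_DISABLE_VALUES = (
    r"\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
)
# Any value written under this key is a new Defender exclusion.
DEFENDER_EXCLUSION_KEY = "\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
NETSH_FIREWALL = re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", re.I)
ADD_MPPREFERENCE = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)
WINDOWS_TEMP_EXE = re.compile(r"^C:\\Windows\\Temp\\[^\\]+\.exe$", re.I)

# Constructed events; the last two are benign controls that must not fire.
CONSTRUCTED_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Temp\321.exe",
     "CommandLine": r'cmd.exe /c netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Windows\Temp\321.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\Temp\123.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\321.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\loader.exe",
     "CommandLine": r"C:\Windows\Temp\321.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},  # value 0 does not disable anything
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-MpPreference"},
]


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return the name of the rule an event triggers, or None."""
    if event["EventID"] == 13:
        target = str(event["TargetObject"]).upper()
        details = str(event.get("Details", ""))
        if details.endswith("(0x00000001)") and any(
                target.endswith(v.upper()) for v in DEFENDER_DISABLE_VALUES):
            return "defender_disabled_via_policy_registry"
        if DEFENDER_EXCLUSION_KEY.upper() in target:
            return "defender_exclusion_added"
    elif event["EventID"] == 1:
        cmd = str(event.get("CommandLine", ""))
        if NETSH_FIREWALL.search(cmd):
            return "netsh_firewall_change"
        if ADD_MPPREFERENCE.search(cmd):
            return "defender_exclusion_added"
        if WINDOWS_TEMP_EXE.match(str(event["Image"])):
            return "execution_from_windows_temp"
    return None


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event that fires a rule."""
    alerts = []
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append((rule, str(event["Image"])))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:40} {image}")
```

The registry rule keys on the written value, not just the key path, so an administrator explicitly setting DisableAntiSpyware to 0 does not alert; the exclusion rule fires on any value under the Exclusions key because every entry there, whatever its data, widens the blind spot.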
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-02-25 23:09:25 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 20 of 39 (51.28%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour:
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash: dedccbd61e8c0c3ac6b00ed475b893964584e3ec26683742517075a8e192078f
MD5 hash: f6b04f208ed2ab79f03b5ea5ca80b771
SHA1 hash: 5d0b42e5873bf30f2133ae15eafc68ea3e213cb7
Detections: PrivateLoader win_privateloader_w0 win_privateloader_a0
SHA256 hash: 90f43bc5d73e312d03e295e766747937ffd2d12a76463f0cb56a43d3f1a1faed
MD5 hash: 6609d74cf1e4b883933ca88c2c0cf797
SHA1 hash: de13fc370b743c3141a3981825289caaf8546e78
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: PE_Digital_Certificate (author: albertzsigovits)
Rule name: PE_Potentially_Signed_Digital_Certificate (author: albertzsigovits)
Rule name: QbotStuff (author: anonymous)

None of these three matches attributes the sample to a family. The first two, as their names indicate, test only for the presence of a digital certificate in the PE, which this self-signed sample carries; a hit on a community rule with a family in its name, such as QbotStuff, is a lead to compare against the vendor verdicts above, not an attribution on its own.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments