MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Tofsee

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5
SHA3-384 hash:	399c8508af5b1fd66678ff2432195b6b738a019adfbbab67c7d43228036f71837e00b9cb2d89cbddfa1cecc346a87bd3
SHA1 hash:	3b205c2e5066e422702151b5eaa00ec444543874
MD5 hash:	684d5c62ffa1b2e8024c9ec17482d058
humanhash:	river-magnesium-missouri-ink
File name:	684d5c62ffa1b2e8024c9ec17482d058.exe
Download:	download sample
Signature	Tofsee Create hunting rule
File size:	341'504 bytes
First seen:	2022-01-27 07:36:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	747024b1d04ad78d24e3aa224d333747 (5 x RedLineStealer, 2 x Smoke Loader, 1 x RaccoonStealer)
ssdeep	6144:KFCl0zz2bxiP4G9jx1CZCKJCGjLud//Qrqe0EIrYB1t//JFmqSSD:KFgTi9jjCAiCGjLM/8FIMNoS
Threatray	202 similar samples on MalwareBazaar
TLSH	T18A747C00B7A0C435F6B715F809B993BCA93E7AE25B2451CB53D52AEE5A346E0DC3131B
File icon (PE):
dhash icon	2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter	abuse_ch
Tags:	exe Tofsee

Intelligence

File Origin

# of uploads :

# of downloads :

677

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

684d5c62ffa1b2e8024c9ec17482d058.exe

Verdict:

Malicious activity

Analysis date:

2022-01-27 07:45:47 UTC

Tags:

miner trojan tofsee

Link:

https://app.any.run/tasks/1590744a-c439-4d2d-bb25-eb3b86afafd8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Tofsee

Link:

https://www.capesandbox.com/analysis/224117/

Detection(s):

Win.Dropper.Mikey-9917324-0

Win.Packed.Tofsee-9937387-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Moving a file to the Windows subdirectory

Creating a service

Launching the process to change the firewall settings

Launching a service

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Searching for synchronization primitives

Forced system process termination

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Connecting to a cryptocurrency mining pool

Sending an HTTP GET request

Possible injection to a system process

Enabling autorun for a service

Query of malicious DNS domain

Unauthorized injection to a system process

Adding exclusions to Windows Defender

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5287/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mikey packed tofsee

Link:

https://www.filescan.io/uploads/61f24ba659d130b02a56faab/reports/6927d324-1505-4de0-b580-9951bc808f08/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tofsee

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf2f1994-eb9f-4da8-bf0a-4dcdb4b9b9f4

Result

Threat name:

Tofsee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928888

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5/

Threat name:

Win32.Backdoor.Tofsee

Status:

Malicious

First seen:

2022-01-27 05:08:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=txmxtqql23mehwupfgx4gxaoyktzxs27keakbvybanij4wgbyx2q._file

Verdict:

malicious

Tofsee

45fced29713e8dc96972faeab4f21ec670543c252ed824b358294e9b8270e496

Tofsee

4fb79897fd57ac7d1724c92ef26e493e15d974f83c2c7f6e72af4f6e8084ff20

Tofsee

8c505862e16dd60fe08e63fd75b3460f21201f77c19d0c4793a68a7b35f5f2e5

Tofsee

925c11560a88096bc28480d802d69da132ff883236e0d8dfaf9a367fa07cc245

Tofsee

e142b01c4b04ddca2ffded33fa5e8e3accf2b305021efd57b485cb06f072e84e

Tofsee

ee87fd0a4b66479135cb2342baaa9fbf54e7dfa4ea65a13a35661a8a2f144663

Tofsee

f57855bf23ce70fccbad6dec4c7d9e97710f222f98dfa0141762d66e56b6192d

Tofsee

+ 192 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:tofsee family:xmrig evasion miner persistence trojan

Link:

https://tria.ge/reports/220127-jfvb3shdgk/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Creates new service(s)

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

XMRig Miner Payload

Tofsee

Windows security bypass

xmrig

Malware Config

C2 Extraction:

patmushta.info
ovicrush.cn

Unpacked files

SH256 hash:

e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494

MD5 hash:

337e0e16dfcab6a2059cdbf81932e973

SHA1 hash:

c2ab7a92b8e07750f9f82f438291564bf5def67a

Detections:

win_tofsee_w0

Link:

https://www.unpac.me/results/cddcd5d6-08c0-4301-98a7-fe468264c217/

Parent samples :

9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5
9cab0c7efdafdcab54b20bf295f36ecb1cc35cdad27dddb7b568a637263e8003
f6ca96e0301249fbada0e52bcd3c9b2b6ee0cec95f13e8984ef747d513651fc9
f7024727c4d979b2b200345c3785945aa7c125670fb7ad570f3cf0b45273d966
5d84be18669beb78b0993523cbaf3e66f352ce34888a6f63245290ca02436785
fed7c4e47ea734756b34a457fbb402ce63624e1c8bbe48441a9634f4130e022c
3db9a9633bb3097ee7f34cd85bbc168ed3a59496c0c407cf1d22087d58fa2763
5a7e30f8306b5487f44f8418f635fb52b5d239690342e1c2983f3aceb74f8b50
84cc4707c97905c1082d9eb31dd7d995e04955506b9275b6c4bfd19683150430
de5704d6579398a4b51f7458c105759c46096567661a26bffe1159ef11a16eb8

SH256 hash:

9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5

MD5 hash:

684d5c62ffa1b2e8024c9ec17482d058

SHA1 hash:

3b205c2e5066e422702151b5eaa00ec444543874

Link:

https://www.unpac.me/results/cddcd5d6-08c0-4301-98a7-fe468264c217/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9dd979c20bd6d843da8f29afc35c0ec2a79bcb5f5100a0d70103509e58c1c5f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CoinMiner_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects mining pool protocol string in Executable
Reference:	https://minergate.com/faq/what-pool-address

Rule name:	MALWARE_Win_Tofsee Create hunting rule
Author:	ditekSHen
Description:	Detects Tofsee

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MINER_monero_mining_detection Create hunting rule
Author:	Christiaan Beek \| McAfee ATR Team
Description:	Monero mining software

Rule name:	PUA_Crypto_Mining_CommandLine_Indicators_Oct21 Create hunting rule
Author:	Florian Roth
Description:	Detects command line parameters often used by crypto mining software
Reference:	https://www.poolwatch.io/coin/monero

Rule name:	win_tofsee_w0 Create hunting rule
Author:	akrasuski1

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	XMRIG_Monero_Miner_RID2DC1 Create hunting rule
Author:	Florian Roth
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/224117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample