MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 12


Intelligence 12 IOCs 5 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
SHA3-384 hash: 456e105547dfa1652064ca643d1c02ae135323c8c0b0a31e337c2e8edc129c83c5ea5838aec57e66523fa932240b0d28
SHA1 hash: 209544d75ca8a4a7f3bfa424960ff789bb3d4d29
MD5 hash: 9c287453cdeefc0effea16c5c1890edf
humanhash: high-vermont-nuts-oranges
File name:A297BC0C90017B32DD1636F86F068B0B6C21C6E1EB1EA.exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:210'944 bytes
First seen:2022-04-07 20:31:35 UTC
Last seen:2022-04-07 21:47:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35cc2ab6d0964b2714ef2cb777d98843 (1 x RedLineStealer, 1 x Tofsee)
ssdeep 6144:kkMdX/slrLG0btM7yxIJFw0zGuwM9WH1IQ5:khGG0S77FUuwM9e5
TLSH T1EF244B39B350F426E0E20039A4DF87F654397A302B55D9EFB7954F2A6A705C29630F2B
File icon (PE):PE icon
dhash icon b2e8e8f0b2e8d6be (2 x RedLineStealer, 1 x Arechclient2, 1 x Stop)
Reporter abuse_ch
Tags:exe Tofsee


Avatar
abuse_ch
Tofsee C2:
45.9.20.72:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.72:23196 https://threatfox.abuse.ch/ioc/517362/
92.255.104.230:17599 https://threatfox.abuse.ch/ioc/517363/
45.9.88.246:34342 https://threatfox.abuse.ch/ioc/517364/
109.107.185.40:34492 https://threatfox.abuse.ch/ioc/517365/
45.10.42.220:42069 https://threatfox.abuse.ch/ioc/517366/

Intelligence

File Origin
# of uploads :
2
# of downloads :
593
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A297BC0C90017B32DD1636F86F068B0B6C21C6E1EB1EA.exe
Verdict:
No threats detected
Analysis date:
2022-04-07 20:35:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcbfda44-7880-4961-a0bf-03c12f2647a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261799/
Detection(s):
SecuriteInfo.com.Variant.Zusy.414917.19979.7056.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for analyzing tools
Launching a process
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13026/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware zusy
Link:
https://www.filescan.io/uploads/624f4a44d53a7479dad28aff/reports/350c3cfa-cd03-474e-87ec-37b5dc13b3e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zapchast
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6325d1e-a3d3-4f6b-8ddd-e085cfe8bb5c
Result
Threat name:
PCHunter tool DanaBot RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972723
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Yara detected Generic Downloader
Yara detected PCHunter tool
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 605210 Sample: A297BC0C90017B32DD1636F86F0... Startdate: 07/04/2022 Architecture: WINDOWS Score: 100 47 188.72.236.239 WEBZILLANL Netherlands 2->47 49 95.213.216.212 SELECTELRU Russian Federation 2->49 51 8 other IPs or domains 2->51 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 19 other signatures 2->75 7 A297BC0C90017B32DD1636F86F068B0B6C21C6E1EB1EA.exe 5 98 2->7         started        signatures3 process4 dnsIp5 53 185.233.185.134 YURTEH-ASUA Russian Federation 7->53 55 50.87.194.40 UNIFIEDLAYER-AS-1US United States 7->55 57 14 other IPs or domains 7->57 23 C:\Users\...\tKzTZnqKire6eTYOdYksTmdF.exe, PE32 7->23 dropped 25 C:\Users\...\pIHcMAghPFcTVuxYtINT9IXw.exe, PE32 7->25 dropped 27 C:\Users\...\nONPbqVCAg3TolWSQLSrw9J4.exe, PE32 7->27 dropped 29 33 other files (16 malicious) 7->29 dropped 77 Creates HTML files with .exe extension (expired dropper behavior) 7->77 79 Disable Windows Defender real time protection (registry) 7->79 12 V_4s9NGqx6A9JacueYWqkFyd.exe 7->12         started        17 cdhA0LxE_tkmmvjaQev4kusA.exe 17 7->17         started        19 tKzTZnqKire6eTYOdYksTmdF.exe 2 7->19         started        21 4 other processes 7->21 file6 signatures7 process8 dnsIp9 59 162.159.134.233 CLOUDFLARENETUS United States 12->59 61 31.31.196.98 AS-REGRU Russian Federation 12->61 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->31 dropped 33 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 12->35 dropped 45 4 other files (none is malicious) 12->45 dropped 81 Tries to steal Mail credentials (via file / registry access) 12->81 83 Tries to harvest and steal browser information (history, passwords, etc) 12->83 63 149.154.167.99 TELEGRAMRU United Kingdom 17->63 37 C:\Users\...\Fx4tPfVXXJYr2fyqgtnxCSfx.exe, PE32 17->37 dropped 39 C:\...\PowerControl_Svc.exe, PE32 17->39 dropped 41 C:\Users\user\AppData\Local\...\WW14[1].bmp, PE32 17->41 dropped 85 Hides threads from debuggers 19->85 65 50.87.142.220 UNIFIEDLAYER-AS-1US United States 21->65 67 188.114.97.7 CLOUDFLARENETUS European Union 21->67 43 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 21->43 dropped file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 11:46:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ukl3ydeqaf5tfxiwg34g6bulbnwcdrxb5mpk3ewch3wewamvc57a._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:0704 botnet:ruzki botnet:tx_oplatil_pizzy evasion infostealer spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220407-za9gtahcbp/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
45.10.42.220:42069
65.108.101.231:14648
94.23.1.92:12857
91.243.59.131:7171
Unpacked files
SH256 hash:
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
MD5 hash:
9c287453cdeefc0effea16c5c1890edf
SHA1 hash:
209544d75ca8a4a7f3bfa424960ff789bb3d4d29
Link:
https://www.unpac.me/results/aad38f59-901c-4eb7-b3fc-16e2a058e073/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261799/

Comments