MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Tofsee

Vendor detections: 16

Intelligence 16 IOCs YARA 16 File information Comments

SHA256 hash:	a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791
SHA3-384 hash:	097d060152d456b78faceb88078125eafa882b1a72c275ea90133890a88182b39f348c5bbdf0439e3e40185d590ae3c2
SHA1 hash:	691a283d26b0d9ac16294360c20120d363cf4445
MD5 hash:	3791849ba6e7479300eaa58f7c600971
humanhash:	oven-seventeen-lima-sweet
File name:	file
Download:	download sample
Signature	Tofsee Create hunting rule
File size:	192'512 bytes
First seen:	2023-03-14 18:29:17 UTC
Last seen:	2023-03-14 20:29:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	11d51d37617e55d90ea2ab5d83a2aa08 (4 x Smoke Loader, 3 x LaplasClipper, 2 x RedLineStealer)
ssdeep	3072:hU3EE00g/0hhsqx0JomJjri7oHhBLUm81i:mEFr0hOCTmJjr/Hv
Threatray	20 similar samples on MalwareBazaar
TLSH	T17B145C1392A07F51E5214B728E2FC6F9360DF951DE18FF7A2218AA1F05B03A1E672753
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	916a6e6a6a6a6a60 (15 x RedLineStealer, 14 x Smoke Loader, 5 x RecordBreaker)
Reporter	andretavare5
Tags:	exe Tofsee

andretavare5

Sample downloaded from http://176.113.115.239:8080/4.php

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

tofsee

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-14 18:33:07 UTC

Tags:

tofsee trojan miner

Link:

https://app.any.run/tasks/77f3efff-34cd-496d-8f1a-f2b341de0aeb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Tofsee

Link:

https://www.capesandbox.com/analysis/374340/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.14045.10029.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Moving a file to the Windows subdirectory

Creating a service

Launching the process to change the firewall settings

Launching a service

Launching the default Windows debugger (dwwin.exe)

Creating a process from a recently created file

Searching for synchronization primitives

Forced system process termination

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Possible injection to a system process

Enabling autorun for a service

Unauthorized injection to a system process

Adding exclusions to Windows Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed tofsee

Link:

https://www.filescan.io/uploads/6410bd2c06c49bd8b6b5c2e2/reports/ed1c403c-6e9d-43d1-9f37-f0fd78f9ca3e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tofsee

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/caa3a3c5-24b9-45c8-ae52-f8e86e6a9d8e

Result

Threat name:

Tofsee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1193587

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Tofsee

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-14 18:18:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ulf3dtz5y35357wasdsa3dxa5lrs27v4kuvwsyr2vb624isso6iq._file

Verdict:

malicious

Tofsee

4fb79897fd57ac7d1724c92ef26e493e15d974f83c2c7f6e72af4f6e8084ff20

Tofsee

5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123

Tofsee

7872562982688229ba9bcf6b09cd7282229da0b0690aec62c163e43fcb305631

Tofsee

8c505862e16dd60fe08e63fd75b3460f21201f77c19d0c4793a68a7b35f5f2e5

Tofsee

eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b

Tofsee

f57855bf23ce70fccbad6dec4c7d9e97710f222f98dfa0141762d66e56b6192d

Tofsee

+ 10 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:tofsee family:xmrig evasion miner persistence trojan

Link:

https://tria.ge/reports/230314-w5ghqsba5w/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks computer location settings

Deletes itself

Executes dropped EXE

Creates new service(s)

Modifies Windows Firewall

Sets service image path in registry

XMRig Miner payload

Tofsee

Windows security bypass

xmrig

Malware Config

C2 Extraction:

nidavellir.top
jotunheim.name

Unpacked files

SH256 hash:

bfb026214b0a65f3363a1b88e1d5025b03dc8c0f5c11286b36ff724e38919a43

MD5 hash:

48504b19943816579be4a8784aac08d1

SHA1 hash:

56bd46c9efb18f8b4748dee08d85251e647a2a16

Detections:

Tofsee

win_tofsee_w0

Link:

https://www.unpac.me/results/f06f52b1-22b4-48f8-bc11-f53a8e7d1a6f/

Parent samples :

cad1a1f826af74ab5fe83fe89ae39874b8443b7a85f6eaa6afe3d8c8cde80428
4f8f35335dce9870e601b44c6d38a83cd2feaa081d7ae1b16c91258674e02630
1f6a2ebd5e58a939503b1b51a6e22090e80bc39099f715852cb3719b32e4a7d1
adfb07f6f0a466bfa3ec21c93e946566fd52885319c318e7327cb10b20ba7cbb
2279dc10a3db2ec68f0040c03f81998168d0cd770340b0d49b5bfed5a92e634a
2ee64e188677e6544342a29562d04bcab608c528f91df42e09a6fb5c8a63b8ce
a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791

SH256 hash:

a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791

MD5 hash:

3791849ba6e7479300eaa58f7c600971

SHA1 hash:

691a283d26b0d9ac16294360c20120d363cf4445

Link:

https://www.unpac.me/results/f06f52b1-22b4-48f8-bc11-f53a8e7d1a6f/

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a2cbb1cf3dc6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2cbb1cf3dc6fbbefec090e40d8ee0eae32d7ebc552b69623aa87dae22527791

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CoinMiner_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects mining pool protocol string in Executable
Reference:	https://minergate.com/faq/what-pool-address

Rule name:	Detect_Tofsee Create hunting rule
Author:	@malgamy12
Description:	Detect_Tofsee

Rule name:	MacOS_Cryptominer_Generic_333129b7 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_Tofsee Create hunting rule
Author:	ditekSHen
Description:	Detects Tofsee

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MINER_monero_mining_detection Create hunting rule
Author:	Trellix ATR team
Description:	Monero mining software

Rule name:	PUA_Crypto_Mining_CommandLine_Indicators_Oct21 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects command line parameters often used by crypto mining software
Reference:	https://www.poolwatch.io/coin/monero

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	tofsee_yhub Create hunting rule
Author:	Billy Austin
Description:	Detects Tofsee botnet, also known as Gheg

Rule name:	Windows_Trojan_Tofsee_26124fe4 Create hunting rule
Author:	Elastic Security

Rule name:	win_tofsee_w0 Create hunting rule
Author:	akrasuski1

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	XMRIG_Monero_Miner_RID2DC1 Create hunting rule
Author:	Florian Roth
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/374340/

URLhaus

https://urlhaus.abuse.ch/url/2513471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample