MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd
SHA3-384 hash: e8c7ac570aeb8286bc0853723f432b28868ffb25e434f2b1296a52a9e1da8a586cdb653a378ae56bad90ae0bd7d95fb4
SHA1 hash: 96279e984407eb9657dc9d12a616f6a03581d8f5
MD5 hash: d26ad29cff85ddb8e10475f68fd1f9f4
humanhash: north-seven-sierra-hamper
File name:EUNIQ[1].exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:5'963'928 bytes
First seen:2025-09-05 18:22:09 UTC
Last seen:2025-09-11 18:43:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 49152:QwREDPXxS6RJ+F4RkbMh5JDhIi/VO03e+IlVhG9y4eML2MAHyvJ+oDR:QwREbXsuMwhLdnO03glVhG9jtqMo4DR
Threatray 580 similar samples on MalwareBazaar
TLSH T18E56CF12B3A7DC3DF0CA4B3215A2905454F3EA2164E2EE62D6EC5468CF351621FFE25B
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter aachum
Tags:dropped-by-gcleaner exe signed Tofsee ZhGTud

Code Signing Certificate

Organisation:www.microsoft.com
Issuer:Microsoft Azure RSA TLS Issuing CA 04
Algorithm:sha256WithRSAEncryption
Valid from:2025-07-21T18:25:48Z
Valid to:2026-07-16T18:25:48Z
Serial number: 33027d83eb297b23e5b0e505af0000027d83eb
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f2483cd72170f8dbecd1a07b5d2977cc7223ae8a8eb3928ac67f0a0070101a89
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Soft.exe
Verdict:
Malicious activity
Analysis date:
2025-09-05 17:59:40 UTC
Tags:
lumma stealer gcleaner loader autoit auto-startup inno installer delphi
Link:
https://app.any.run/tasks/a8a40151-d13b-431c-beeb-f0bd9676f902

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25898/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bb2a663e988eb6ab83d98c
Tags:
vmdetect dropper extens virus
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi expand fingerprint installer lolbin masquerade obfuscated overlay overlay packed signed zero
Link:
https://www.filescan.io/uploads/68bb2a60a64010de766e5e15/reports/c63d5eef-dd0b-482f-b69f-ddb20fa29b7c/overview
Verdict:
Malicious
Labled as:
VHO:TrojanDrop.Convagent.gen
Link:
https://www.hybrid-analysis.com/sample/d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T12:09:00Z UTC
Last seen:
2025-09-04T12:09:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/295056a7-9fe7-4acd-ada4-4ab92bbfe635
Result
Threat name:
Tofsee, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772019
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to identify kernel process list (PsInitialSystemProcess)
Creates / moves files in alternative data streams (ADS)
Drops PE files to the user root directory
Found malware configuration
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772019 Sample: EUNIQ[1].exe Startdate: 05/09/2025 Architecture: WINDOWS Score: 100 71 209.227.96.191.in-addr.arpa 2->71 73 yahoo.com 2->73 75 12 other IPs or domains 2->75 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 8 other signatures 2->85 12 EUNIQ[1].exe 2 2->12         started        15 regsvr32.exe 2->15         started        18 svchost.exe 2->18         started        21 regsvr32.exe 2->21         started        signatures3 process4 dnsIp5 55 C:\Users\user\AppData\Local\...UNIQ[1].tmp, PE32 12->55 dropped 23 EUNIQ[1].tmp 3 5 12->23         started        99 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->99 77 127.0.0.1 unknown unknown 18->77 file6 signatures7 process8 file9 49 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->49 dropped 51 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 23->51 dropped 26 EUNIQ[1].exe 2 23->26         started        process10 file11 53 C:\Users\user\AppData\Local\...UNIQ[1].tmp, PE32 26->53 dropped 29 EUNIQ[1].tmp 3 5 26->29         started        process12 file13 57 C:\Users\user\is-IM0F5.tmp, PE32 29->57 dropped 59 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->59 dropped 61 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 29->61 dropped 63 C:\Users\user\9LightCyan.dat (copy), PE32 29->63 dropped 97 Drops PE files to the user root directory 29->97 33 regsvr32.exe 2 1 29->33         started        signatures14 process15 dnsIp16 65 www.google.com 33->65 67 smtp.google.com 33->67 69 25 other IPs or domains 33->69 47 C:\Users\user:.repos, data 33->47 dropped 87 System process connects to network (likely due to code injection or exploit) 33->87 89 Suspicious powershell command line found 33->89 91 Creates / moves files in alternative data streams (ADS) 33->91 93 3 other signatures 33->93 38 powershell.exe 37 33->38         started        41 powershell.exe 33->41         started        file17 signatures18 process19 signatures20 95 Loading BitLocker PowerShell Module 38->95 43 conhost.exe 38->43         started        45 conhost.exe 41->45         started        process21
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/d26ad29cff85ddb8e10475f68fd1f9f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-05 18:23:23 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=233yisdcqvn474dtemdkgda62vzpeuanprwm5rtpamqoa3jln7oq._file
Verdict:
malicious
Label(s):
tofsee
Create hunting rule
Similar samples:
04d4f8ae74c16f3f48cf09862339ccb915bbd8906d11b5f718abfb4ad3b21137
Tofsee
06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0
Tofsee
0d40a18d67005a5ade12b5593df3cf9e7ae996bebedacad64de81de3ffb9821a
Tofsee
39551715b734f4a331dd0b39a953a79567f642dc38bfa173f9849a4dbdd7d34e
Tofsee
b0410c03a893377b1726c7d31fed5796ae24c8ba55061aa7a02f04fd96a32af5
Tofsee
error
Tofsee
+ 570 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250905-wz4q3s1r15/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fa08b254-57fc-44c2-aed6-855a36d9647c
Unpacked files
SH256 hash:
d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd
MD5 hash:
d26ad29cff85ddb8e10475f68fd1f9f4
SHA1 hash:
96279e984407eb9657dc9d12a616f6a03581d8f5
Link:
https://www.unpac.me/results/c5b0bce9-41e0-4d05-98db-631059f16ede/
SH256 hash:
9d22c6165575e47c9c3ff1e79b6a812798cc5250bcc52e9d07e3a89174baf9ad
MD5 hash:
b02377ecc0ef017977439e96a4de14eb
SHA1 hash:
a6c6cc319bbe256e6833b86f1d96251fad47d26e
Link:
https://www.unpac.me/results/c5b0bce9-41e0-4d05-98db-631059f16ede/
SH256 hash:
ad52e5b2d0b1b65293d176475f983d84a59880f08a651a5073dfb6c32505ae01
MD5 hash:
13bd6acefb142dbc5778cb86fdd42887
SHA1 hash:
b4b78257a9d4e235cfc8327482c1d54b2516d98f
Link:
https://www.unpac.me/results/c5b0bce9-41e0-4d05-98db-631059f16ede/
Malware family:
Tofsee
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6f784486285/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tofsee

Executable exe d6f7844862855bcff0732306a30c1ed572f2500d7c6ccec66f0320e06d2b6fdd

(this sample)

  
Link
https://tria.ge/250905-wv4waagk5x/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/25898/

Comments