MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TORNADO

Vendor detections: 16

Intelligence 16 IOCs YARA 19 File information Comments

SHA256 hash:	dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11
SHA3-384 hash:	08290c0b94d8a7aeccad0c39a3fd9641b209b5be5ae8c8dd6438ebf7d6d6295f90c7231e9f3dda2ba967ac927b52ea37
SHA1 hash:	fb2c5786a8d4d858e48ec1e6a008309fdfc8b9be
MD5 hash:	24214894b2278512efa024d3c6c40935
humanhash:	spaghetti-jupiter-solar-alaska
File name:	arce.exe
Download:	download sample
Signature	TORNADO Create hunting rule
File size:	2'358'816 bytes
First seen:	2025-12-14 11:41:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:j7WYXK6vn+lvxjPHaooPCX0jB4cqVqggH6:j7WYhvnIxeo79c/Ja
Threatray	12 similar samples on MalwareBazaar
TLSH	T14FB5BE4173E89EEDE5B6163A98B6351097B3F866EB35C38F13540A2E3CA3B406D51336
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe TORNADO

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

meterpreter

ID:

File name:

2to1ep.exe

Verdict:

Malicious activity

Analysis date:

2025-12-14 02:38:27 UTC

Tags:

arch-exec auto metasploit framework github python powershell stealc stealer fileshare anti-evasion backdoor meterpreter payload loader amadey botnet pastebin purelogs phishing generic svc evasion clickfix agenttesla susp-lnk possible-phishing clipper diamotrix purecrypter offloader tool xenorat rat cobaltstrike njrat miner wannacry ransomware tinynuke koiloader havoc socks5systemz proxybot powershellempire donutloader guloader networm amus pushware adware ghostsocks proxyware cryptowall xworm bdaejec koistealer credentialflusher cryptolocker discord exfiltration svitstealer bladabindi mimikatz xmrig screenconnect rmm-tool rdp gh0st coinminer putty formbook lumma xred masslogger smb azorult bruteratel iobit whitesnakestealer rhadamanthys stealerium snake keylogger redline asyncrat pyinstaller remcos quasar nanocore muckstealer vipkeylogger scan smbscan darktortilla crypter arechclient2 dcrat rustystealer susp-powershell hijackloader delphi api-base64 neshta worm jigsaw lokibot whitesnake noescape wiper pythonstealer braodo remote vidar crypto-regex

Link:

https://app.any.run/tasks/cfbc336c-461d-46fd-bcb7-f6b3ee462539

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44611/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693ea29a838ad7e4853925a8

Tags:

vmdetect

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 byteguard obfuscated overlay packed packed privilege reconnaissance xerinfuscator

Link:

https://www.filescan.io/uploads/693ea29564bd958a5211225a/reports/06ccd38c-85ab-4615-947c-edbc030a9282/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-13T06:05:00Z UTC

Last seen:

2025-12-15T14:53:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.MSIL.Coins.gen

Link:

https://opentip.kaspersky.com/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b9eb50af-06f5-40e1-83a6-9a661b2ae148

Result

Threat name:

TORNADO Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1832402

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

Yara detected TORNADO Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.73 Win 32 Exe x86

Link:

https://app.malva.re/file/24214894b2278512efa024d3c6c40935

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Coins

Link:

https://tip.neiki.dev/file/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-12-13 13:14:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=37zygh3lqw6tgcoe3pqpeo4syowzhkiqjt654jrs6e7t7hbanuiq._file

Verdict:

malicious

Label(s):

tornadostealer

TORNADO

24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89

TORNADO

50615b10fef0b49b05d8b465b71d96623cdc0cd79214a102bb268381c466e4f5

TORNADO

9d1fb38e9bf927463638cb8ddbf053ae9f8c4d7f6aa7e741b5ef06cccad167ff

TORNADO

c1aa2ba105b38478e089d1cd18c4f7bc91249fd98483a08a80fd84e14af9d811

TORNADO

dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

TORNADO

error

TORNADO

f14d95afa835bd5afc5821eb262b45f596a4d6ed3326a9a7c4838cc0b50b40eb

TORNADO

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/251214-nt3mtsfj4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks for VirtualBox DLLs, possible anti-VM trick

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2ebad01b-37c6-48f3-b376-f03035d28825

Unpacked files

SH256 hash:

dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

MD5 hash:

24214894b2278512efa024d3c6c40935

SHA1 hash:

fb2c5786a8d4d858e48ec1e6a008309fdfc8b9be

Link:

https://www.unpac.me/results/d1dfa40c-0877-42b4-97ff-bc7d529c0c98/

SH256 hash:

96d0e7ee34fcc56ea1911a572988d052f34b887fcc7563471c91eb7e0e150e7e

MD5 hash:

8b3812c8302329480bc72dad94217d5d

SHA1 hash:

b1bfd8d29fe19da4053b85182f92068c7ac587fe

Link:

https://www.unpac.me/results/d1dfa40c-0877-42b4-97ff-bc7d529c0c98/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dff3831f6b85bd3309c4dbe0f23b92c3ad93a9104cfdde2632f13f3f9c206d11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)