MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Tofsee

Vendor detections: 15

SHA256 hash: e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061
SHA3-384 hash: 09f2a82434ccddaabd4b18768c4ccedfdd2dd5a4574c08cc0a0b947217c61be7ff9bb53c2531d705d8cc3c1cec91e676
SHA1 hash: d8ca1f407d519dbcc3d212bc5f3926172ceedc08
MD5 hash: 181c934f98c03d7017764daa0ddbcba2
humanhash: mobile-mirror-earth-fix
File name: E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe
Download: download sample
Signature: Tofsee
File size: 3'736'065 bytes
First seen: 2022-05-07 06:31:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:PbkM9bR/DpjdXApg4nexS4Y3hq4t7Lo44/woPD3ic:PYM9bRJhXSH5JLo44//ec
TLSH: T1720633537FC1A576E6310C364979BB24673DBC219BE4C75B27C00A2AAA31DC0E631B67
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe Tofsee


abuse_ch
Tofsee C2:
185.45.192.228:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                             ThreatFox Reference
185.45.192.228:81               https://threatfox.abuse.ch/ioc/548657/
89.22.234.161:36760             https://threatfox.abuse.ch/ioc/548658/
http://ugll.org/test3/get.php   https://threatfox.abuse.ch/ioc/548659/

Intelligence

File Origin
# of uploads: 1
# of downloads: 513
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe
Verdict: Malicious activity
Analysis date: 2022-05-07 06:33:03 UTC
Tags: evasion redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Creating a file in the %temp% subdirectories
Sending an HTTP GET request
Searching for the browser window
Creating a process with a hidden window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Changing a file
Moving a recently created file
Running batch commands
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Blocking the User Account Control
Stealing user critical data
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: clipbanker mikey scar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars Tofsee
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Tofsee
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 621920
Sample: E2E7294A6FEE9EF6372897F3BEB...
Startdate: 07/05/2022
Architecture: WINDOWS
Score: 100

Start node (2): contacts 208.95.112.1 (TUT-ASUS, United States), 149.154.167.99 (TELEGRAMRU, United Kingdom) and 3 other IPs or domains; signatures: Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Multi AV Scanner detection for dropped file, 19 other signatures; starts E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe (8).

E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe (8): drops C:\Users\user\Desktop\askinstall492.exe (PE32), C:\Users\user\Desktop\Folder.exe (PE32), C:\Users\user\Desktop\Files.exe (PE32+) and 4 other files (1 malicious); starts File.exe (11), Process.exe (16), Folder.exe (18) and 5 other processes (20).

File.exe (11): contacts 94.103.85.170 (VDSINA-ASRU, Russian Federation), 162.241.224.113 (UNIFIEDLAYER-AS-1US, United States) and 13 other IPs or domains; drops C:\Users\user\AppData\...\ZZbtHof[1].exe (PE32), C:\Users\user\AppData\...\SetupMEXX[1].exe (PE32), C:\Users\user\AppData\...\Service[1].bmp (PE32) and 27 other files (1 malicious); signatures: Tries to harvest and steal browser information (history, passwords, etc), Disable Windows Defender real time protection (registry).

Process.exe (16): drops C:\Users\user\AppData\Local\...\Processes.exe (PE32); starts Processes.exe (22).

Folder.exe (18): signature: Creates processes via WMI; starts Folder.exe (26).

5 other processes (20): contact 45.9.20.253 (DEDIPATH-LLCUS, Russian Federation), 188.114.96.10 (CLOUDFLARENETUS, European Union) and 4 other IPs or domains; signature: Tries to evade debugger and weak emulator (self modifying code); start chrome.exe (29) and chrome.exe (31).

Processes.exe (22): drops C:\Windows\Microsoft.NET\...\svchost.exe (PE32) and 3b5c378ddb0e4fec9b...11b8698f.tmp (copy) (PE32); signatures: Creates an autostart registry key pointing to binary in C:\Windows, Adds a directory exclusion to Windows Defender, Drops PE files with benign system names.

Folder.exe (26): contacts 172.67.143.210 (CLOUDFLARENETUS, United States).

chrome.exe (29): contacts 148.251.234.83 (HETZNER-ASDE, Germany), 142.250.203.109 (GOOGLEUS, United States) and 8 other IPs or domains.
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-05-05 23:31:00 UTC
File Type: PE (Exe)
Extracted files: 174
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:socelars botnet:faker botnet:pablicher discovery evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
UAC bypass
Windows security bypass
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
45.9.20.253:11452
http://www.yarchworkshop.com/
51.79.188.112:7110

Unpacked files
SHA256 hash: b4636c390edc6fff40e135bbea2c94e36e81fc1546926d532bd92044883a9ef2
MD5 hash: 2609c7bf613525bfd6563de63664e48e
SHA1 hash: aca5b9b98ccc293827c895a0b2d1b4c8826e6c85

SHA256 hash: 8546adb8f0557dc67a8d5d4fdeb75084682a6e5fb575f40095cfea21600f965e
MD5 hash: b85f5748e16bf1010adefe82907b2a3b
SHA1 hash: 8f5c2cebc365d3a4ff515c412c34c8ab9babbfbb

SHA256 hash: 91df0d77d4d0028bd5930c8550a8b330a355f3fa524c254226377efd1e884f40
MD5 hash: 71573520048ef86308ebf0bd87855553
SHA1 hash: b8cfd64d323899a304d43ae80374fc918e7d279e

SHA256 hash: ab2f03de3a4a257cde902b65bab2d1f2c04b6763b4d6c1cd2de4ba1e851a630a
MD5 hash: a51c444d143628a09cd132f0fc8f7f57
SHA1 hash: b6863aaf9bd2db22e51330b259f540f82c4c4cae

SHA256 hash: b696a116f1955982df56a4ac4eed6c91fe6839742eade0805733cf94022a62ca
MD5 hash: fff2a80da07d1ec6891f8ecca7616369
SHA1 hash: 15263b4c110a01297d9d8523a3e5320f8eb75f5f

SHA256 hash: 94e6ffdf2e0d927ff97a12d932b9cba38fc6bf66025a37764ec3be932bd45dae
MD5 hash: 25afbb6c116e0d8400345ab0baefd459
SHA1 hash: 40159fd1695ae50e31b5bd2fb1c728b0bc5f72d1

SHA256 hash: 0a171a5922b856ead165ce5ee4da7be0e345c04ad5e0d7e8f1b461d6abdbf40b
MD5 hash: 93613173ea9923741121de33a85f9de6
SHA1 hash: d39f946b44269c39326a0bfe839869c6d8080e37

SHA256 hash: 0558d1be3ddc6f7df97cc8ac9c489c9db9bad8605f9158bd1b9d71d282c331e8
MD5 hash: 5463a44330247da71da8fb7acf726394
SHA1 hash: 91d47124406f33116c288d5c70bfd130754ae6e2

SHA256 hash: d6152e7130cf97fadc14da7ea88f7af4b23308000db15dd440d799813db7cd5b
MD5 hash: 79e750fc1c2dcb7f36d0ab69ecde5b74
SHA1 hash: 41a8a6fa135a6c57dfb7c07667769b113b2d3549

SHA256 hash: e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061
MD5 hash: 181c934f98c03d7017764daa0ddbcba2
SHA1 hash: d8ca1f407d519dbcc3d212bc5f3926172ceedc08
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CoinMiner_Strings
Author: Florian Roth
Description: Detects mining pool protocol string in Executable
Reference: https://minergate.com/faq/what-pool-address

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MINER_monero_mining_detection
Author: Trellix ATR team
Description: Monero mining software

Rule name: pe_imphash

Rule name: PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Author: Florian Roth
Description: Detects command line parameters often used by crypto mining software
Reference: https://www.poolwatch.io/coin/monero

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

Rule name: win_tofsee_w0
Author: akrasuski1

Rule name: XMRIG_Monero_Miner
Author: Florian Roth
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

Rule name: XMRIG_Monero_Miner_RID2DC1
Author: Florian Roth
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments