MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Tofsee
Vendor detections: 13

SHA256 hash: f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
SHA3-384 hash: c21dc7f9e55b2f9c621196e59442b16fb430c80f7628961336f2e79af0074e428dbe7a4f7e198aec8894a75edfd3c296
SHA1 hash: 4ee6395a020864269d200d116501dc3e112874b6
MD5 hash: b0e8bc965e47df21b2fa203a708f86c3
humanhash: minnesota-triple-louisiana-fix
File name: b0e8bc965e47df21b2fa203a708f86c3.exe
Signature: Tofsee
File size: 4'054'508 bytes
First seen: 2022-07-21 03:00:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JN7F5tonp787nmU3K4sKg0ZFLc8P6HGNgSjoj+xa4bqdu4LulEM8R:JN55Gn+mUa0gorPJySjoSTGEd9e
TLSH: T1A71633B41B78E4ABD08C17BE193E07E96795E4F9E6E4510B23B04239B1B9D0B510EB37
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe Tofsee


Comment by abuse_ch:
Tofsee C2: 185.173.37.28:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
185.173.37.28:80         https://threatfox.abuse.ch/ioc/838807/
185.106.92.226:40788     https://threatfox.abuse.ch/ioc/838881/

Intelligence


File Origin
Uploads: 1
Downloads: 409
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: barys overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, RedLine, Socelars, onlyLogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph (ID 670735; sample ZErNFYRzCC.exe; start date 21/07/2022; architecture WINDOWS; score 100), reconstructed from the graph widget as a process tree:

Start node signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
- ZErNFYRzCC.exe
  - dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  - setup_installer.exe
    - dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Sun15ff63f98fd3e9d.exe (PE32+); C:\Users\user\...\Sun15aa5186f3f5f.exe (PE32); 14 other files (9 malicious)
    - setup_install.exe
      - network: 127.0.0.1 (unknown); hsiens.xyz
      - signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
      - cmd.exe
        - Sun153de1559d38.exe
          - network: 163.123.143.12 (ports 49789, 49802, 80; ILIGHT-NETUS, Reserved); 193.106.191.81 (BOSPOR-ASRU, Russian Federation); 16 other IPs or domains
          - dropped: C:\Users\user\AppData\Local\...\kfc[1].exe (PE32); C:\Users\user\AppData\Local\...\6523[1].exe (PE32); C:\Users\user\AppData\Local\...\1407[1].exe (PE32); 25 other files (7 malicious)
          - signatures: Antivirus detection for dropped file; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
          - WerFault.exe
      - cmd.exe
        - Sun15734835738.exe
          - signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
          - explorer.exe (injected)
      - cmd.exe
        - Sun154cafc1e47980.exe
          - signatures: 2 other signatures
      - 12 other processes
        - signatures: Adds a directory exclusion to Windows Defender
        - Sun159319d627a27a.exe
          - network: 2 other IPs or domains
          - WerFault.exe
          - WerFault.exe
        - Sun1565982f09e.exe
          - network: 2 other IPs or domains
          - signatures: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
        - Sun15ff63f98fd3e9d.exe
          - network: 3 other IPs or domains
          - signatures: Tries to harvest and steal browser information (history, passwords, etc)
        - 6 other processes
          - network: 8 other IPs or domains
          - dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
          - signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates processes via WMI
          - mshta.exe
            - cmd.exe
              - dropped: C:\Users\user\AppData\Local\Temp\09xU.exE (PE32)
              - conhost.exe
- rundll32.exe
  - rundll32.exe
    - signatures: Creates a thread in another existing process (thread injection)
- WmiPrvSE.exe
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-10-10 23:59:00 UTC
File Type: PE (Exe)
Extracted files: 112
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:privateloader family:redline family:socelars botnet:ani aspackv2 discovery evasion infostealer loader main spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

File information


The table below shows additional information about this malware sample such as delivery method and external references.
