MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 9


Intelligence 9 IOCs 5 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167
SHA3-384 hash: 526c1366f43f157b466fff8f70e0427e6998d28a77423308f7081df2ed549b6340652ab454d378b9f06c275e3e4d6cff
SHA1 hash: 1e9ecc9e3ef63741689d7133c42a67da087fb397
MD5 hash: 261f94efe9509b20f72bb4a64c154ed3
humanhash: batman-orange-eight-march
File name:f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d.exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:293'376 bytes
First seen:2021-09-25 00:20:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 968069613992074265463fec272c56c9 (15 x RedLineStealer, 6 x RaccoonStealer, 2 x Tofsee)
ssdeep 3072:y19PhEcKxTEMjVHxoAlWBFZqPWu0ay/MvZLKvaXIBgd3KUQ8n1mJq4VziqCm5ejH:y/PrcEMjVHXlWb0Pkbv5C3ZQy1mFs7
Threatray 1'709 similar samples on MalwareBazaar
TLSH T119549E1077E0C039F4B712FA49BA97B8692D7EB06B3851CF62D616EA52782E4DC30357
File icon (PE):PE icon
dhash icon aad8a89cc6a68ee0 (2 x RedLineStealer, 1 x CryptBot, 1 x Tofsee)
Reporter abuse_ch
Tags:exe Tofsee


Avatar
abuse_ch
Tofsee C2:
http://185.163.204.37/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.37/ https://threatfox.abuse.ch/ioc/226142/
135.181.142.223:30397 https://threatfox.abuse.ch/ioc/226444/
178.132.3.103:80 https://threatfox.abuse.ch/ioc/226445/
65.21.231.57:60751 https://threatfox.abuse.ch/ioc/226446/
185.244.180.224:39957 https://threatfox.abuse.ch/ioc/226450/

Intelligence

File Origin
# of uploads :
1
# of downloads :
818
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-25 00:22:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2905ce7-a43f-4472-9f67-0b50bfab5aa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191298/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.30149.1029.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1716199-a6b9-4411-ac5c-13ccd504e486
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857706
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490133 Sample: f9edbff29a53d95b7eb874b4db8... Startdate: 25/09/2021 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 4 other signatures 2->38 7 f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d.exe 2->7         started        10 fihiats 2->10         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 7->48 12 f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d.exe 7->12         started        50 Machine Learning detection for dropped file 10->50 52 Contains functionality to inject code into remote processes 10->52 54 Injects a PE file into a foreign processes 10->54 15 fihiats 10->15         started        process5 signatures6 56 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Checks if the current machine is a virtual machine (disk enumeration) 12->60 17 explorer.exe 2 12->17 injected 62 Creates a thread in another existing process (thread injection) 15->62 process7 dnsIp8 26 naghenrietti1.top 45.143.136.144, 80 GARANT-PARK-INTERNETRU Russian Federation 17->26 28 xadriettany3.top 17->28 30 9 other IPs or domains 17->30 22 C:\Users\user\AppData\Roaming\fihiats, PE32 17->22 dropped 24 C:\Users\user\...\fihiats:Zone.Identifier, ASCII 17->24 dropped 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Benign windows process drops PE files 17->42 44 Deletes itself after installation 17->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->46 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 00:21:08 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hw374u2kpmvw7vyos2nxdgihsxgyypyy7q5pelw22f7bgueeftq._file
Verdict:
malicious
Similar samples:
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
Tofsee
39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b
Tofsee
4ce736beca7ebfdae1fca1c504ef9482ada58dbf573fd57434aef6de2b36c9d6
Tofsee
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
Tofsee
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
Tofsee
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
Tofsee
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
Tofsee
e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143
Tofsee
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
Tofsee
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
Tofsee
+ 1'699 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210925-ancbssabbk/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/3d32486c-7b5f-406e-b40b-0d1c76a80569/
SH256 hash:
f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167
MD5 hash:
261f94efe9509b20f72bb4a64c154ed3
SHA1 hash:
1e9ecc9e3ef63741689d7133c42a67da087fb397
Link:
https://www.unpac.me/results/3d32486c-7b5f-406e-b40b-0d1c76a80569/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f9edbff29a53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tofsee

Executable exe f9edbff29a53d95b7eb874b4db8cc83cae6c61f8c7e1d79176d68bf09a842167

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191298/

Comments