MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tofsee


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6
SHA3-384 hash: 6b1a3ca48aa6b5b6801399c4f4ff4d5c48aab83f8667015a30e670b6e0f79f2061c68183076bfcbdb0a7c4e1b8b4ad9c
SHA1 hash: 48d5afa6e339e8e40c2dce01b81dc02c52d1088c
MD5 hash: 42d1f59bd9027984edcfef168f8e86a4
humanhash: autumn-mountain-wisconsin-three
File name:XMZTSVYE_l10_wix4_dash.exe
Download: download sample
Signature Tofsee
Create hunting rule
File size:2'578'630 bytes
First seen:2025-03-07 16:25:17 UTC
Last seen:2025-03-07 17:41:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 657e40fb09b2c5e277b865a7cf2b8089 (6 x AsyncRAT, 4 x Arechclient2, 3 x DanaBot)
ssdeep 49152:sTuaAhwBhBtOWQY7pJWJv8m+GTJSKOemwfaaG7RPuvpcAwyYdD4MqQUn71r9:sKaAh0hV7+Gm+KbmwSaGwvjQcA2h9
Threatray 303 similar samples on MalwareBazaar
TLSH T1BCC50231A152303FE6F529F3F950D2303D6DA2142B5889AEC6D0DC1D39685C6AEFB35A
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 13 x AsyncRAT, 11 x HijackLoader)
Reporter aachum
Tags:exe Tofsee


Avatar
iamaachum
https://github.com/legendary99999/dsfksdfkds/releases/download/dsfdsfdsdf/XMZTSVYE_l10_wix4_dash.exe

Tofsee C2:
vanaheim.cn
http://37.27.142.100/internals/api/ip?1741363695176390116
http://37.27.142.139/internals/api/ip?1741363702581691662
http://intersoft.solucionempresarial.cl/mysql/js/openlayers/src/openlayers/lib/OpenLayers/BaseTypes/library.php
www.restoklinika.lt
flagmancasino1.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
449
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
tofsee
Create hunting rule
ID:
1
File name:
XMZTSVYE_l10_wix4_dash.exe
Verdict:
Malicious activity
Analysis date:
2025-03-07 16:21:17 UTC
Tags:
tofsee advancedinstaller
Link:
https://app.any.run/tasks/89d8322d-8947-4237-8ac1-789cc18aac42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cb1cfcc8d04e92a4bfcec2
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file
Unauthorized injection to a recently created process
Launching a process
Launching a service
Connection attempt
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB crypto expand explorer fingerprint fingerprint installer lolbin microsoft_visual_cc msiexec overlay packed packed packer_detected regedit rundll32 runonce
Link:
https://www.filescan.io/uploads/67cb1e2cf8726576332e2c87/reports/1e170e4f-8cf9-4213-a6f4-9f0239148923/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95e65303-3fb5-470b-9cc0-6bb2d65c489e
Result
Threat name:
Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1632001
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1632001 Sample: XMZTSVYE_l10_wix4_dash.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for dropped file 2->85 87 5 other signatures 2->87 11 XMZTSVYE_l10_wix4_dash.exe 8 2->11         started        14 Dashboard.exe 1 2->14         started        17 Dashboard.exe 1 2->17         started        process3 file4 69 C:\Windows\...\XMZTSVYE_l10_wix4_dash.exe, PE32 11->69 dropped 19 XMZTSVYE_l10_wix4_dash.exe 16 11->19         started        109 Maps a DLL or memory area into another process 14->109 111 Found direct / indirect Syscall (likely to bypass EDR) 14->111 23 cmd.exe 2 14->23         started        25 cmd.exe 2 17->25         started        signatures5 process6 file7 57 C:\Windows\Temp\...\msvcr80.dll, PE32 19->57 dropped 59 C:\Windows\Temp\...\UXCore.dll, PE32 19->59 dropped 61 C:\Windows\Temp\...\Periclase.dll, PE32 19->61 dropped 63 C:\Windows\Temp\...\Dashboard.exe, PE32 19->63 dropped 93 Multi AV Scanner detection for dropped file 19->93 27 Dashboard.exe 6 19->27         started        65 C:\Users\user\AppData\Local\Temp\efawd, PE32 23->65 dropped 95 Writes to foreign memory regions 23->95 97 Maps a DLL or memory area into another process 23->97 31 PatchHost.exe 23->31         started        33 conhost.exe 23->33         started        67 C:\Users\user\AppData\Local\Temp\onmtuiiksw, PE32 25->67 dropped 35 PatchHost.exe 25->35         started        37 conhost.exe 25->37         started        signatures8 process9 file10 71 C:\Users\user\AppData\Roaming\...\msvcr80.dll, PE32 27->71 dropped 73 C:\Users\user\AppData\Roaming\...\UXCore.dll, PE32 27->73 dropped 75 C:\Users\user\AppData\...\Dashboard.exe, PE32 27->75 dropped 105 Switches to a custom stack to bypass stack traces 27->105 39 Dashboard.exe 1 27->39         started        107 Found direct / indirect Syscall (likely to bypass EDR) 31->107 42 WerFault.exe 21 31->42         started        44 WerFault.exe 16 35->44         started        signatures11 process12 signatures13 99 Maps a DLL or memory area into another process 39->99 101 Switches to a custom stack to bypass stack traces 39->101 103 Found direct / indirect Syscall (likely to bypass EDR) 39->103 46 cmd.exe 4 39->46         started        process14 file15 77 C:\Users\user\AppData\Local\...\kjuftonkyyw, PE32 46->77 dropped 79 C:\Users\user\AppData\Local\...\PatchHost.exe, PE32 46->79 dropped 113 Writes to foreign memory regions 46->113 115 Found hidden mapped module (file has been removed from disk) 46->115 117 Maps a DLL or memory area into another process 46->117 119 Switches to a custom stack to bypass stack traces 46->119 50 PatchHost.exe 46->50         started        53 conhost.exe 46->53         started        signatures16 process17 signatures18 89 Switches to a custom stack to bypass stack traces 50->89 91 Found direct / indirect Syscall (likely to bypass EDR) 50->91 55 WerFault.exe 21 16 50->55         started        process19
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6/
Threat name:
Win32.Ransomware.QilinCrypt
Create hunting rule
Status:
Malicious
First seen:
2025-03-07 13:05:40 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tydhqzt5d75nhfenlbynxc2awgzuuljqphpwynccdlh2w6d5c3a._file
Verdict:
malicious
Label(s):
tofsee
Create hunting rule
Similar samples:
069a58a7ed424c5da0fedc7310f757d1080f5baeb731465552518c6fbb3d9d2f
Tofsee
322a2b32005029ca49715f5d66f87e5a2b446dd5106b0397d3c7b11766f28c8d
Tofsee
3785dc3dbc0410893f31c71fa977648063f1e498e28e6783261d81c7ab21c075
Tofsee
4f66bca89e4beb33758a46fb192b744779052b2e5e2e96e2b41d2fd093f61074
Tofsee
af2810e059a92dc105b3f161c9d24f0b0fdb7308605a8ccc7fd040afc8afc0e3
Tofsee
de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af
Tofsee
ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec
Tofsee
error
Tofsee
f126d4312330243b4e9179f9b5f3482ca95c19163e99ec4d0e33be523b8c0cec
Tofsee
+ 293 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:tofsee discovery trojan
Link:
https://tria.ge/reports/250307-txkjbas1ex/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Tofsee
Tofsee family
Malware Config
C2 Extraction:
vanaheim.cn
jotunheim.name
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/69825b4d-c345-4acb-8cfd-5834b3863592
Unpacked files
SH256 hash:
fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6
MD5 hash:
42d1f59bd9027984edcfef168f8e86a4
SHA1 hash:
48d5afa6e339e8e40c2dce01b81dc02c52d1088c
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
4437726f54bc9f908d0c260c970ed5f759acbb956951423ee20d512d1c60623d
MD5 hash:
4b08d24da7657e35ee913801273ce0d2
SHA1 hash:
d837fa5565e2644f4c49f5dab3e5f52b04acd842
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
ff27460bf37c097a1283c1a9719e9d069477b1f89670fd90efdfa64cd041d48e
MD5 hash:
37bda666174fd10f9062d0d9e7fd876c
SHA1 hash:
79aa46caf7ad6d0a2ad93830e62103f3dc7422cc
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
82dadce224036ef832ae1c901ede5cf8e7f7e6aa4b22cc5328928471cdca6863
MD5 hash:
5ac28cb701d1ceef93713d4b488350d7
SHA1 hash:
b5cc82c5b8478bdf52876f0d2d614a76999ba332
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
MD5 hash:
43143abb001d4211fab627c136124a44
SHA1 hash:
edb99760ae04bfe68aaacf34eb0287a3c10ec885
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
1bc0822346386ec0baf1d7026802fe3d881645a8683fb42b82dd4bfd8a2d67bf
MD5 hash:
c4597e560f36c97aff02edbb27be8f75
SHA1 hash:
942dee5c0600f06b2b7ae6a25eaa4f74ba159cd7
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/12f4a174-0ae7-4755-af4e-e9b3da1ac350/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fcf033c333e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tofsee

Executable exe fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6

(this sample)

  
Link
https://tria.ge/250307-tjdtlssyh1/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470621/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::IsWellKnownSid
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt FilesADVAPI32.dll::DecryptFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::QueryServiceStatus
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments