MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff81ffadca4321934eb5717361e5c696a2dd939dbb92a004d8b3efeb7cc6dc3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 14

SHA256 hash: ff81ffadca4321934eb5717361e5c696a2dd939dbb92a004d8b3efeb7cc6dc3b
SHA3-384 hash: d1895502ecffb7f46928711371e2f2cb6a5f4ae376f98970446f56dae166673e89c21e3601dcdb3bdcc7575c5c91b662
SHA1 hash: f76d4bdeb41d75a5c79135128dfa110125ac2f63
MD5 hash: 3d09b3a529a699338f7932223b357372
humanhash: blossom-crazy-yankee-delta
File name: file
Signature: CoinMiner
File size: 211'456 bytes
First seen: 2022-09-09 09:28:37 UTC
Last seen: 2022-09-09 11:13:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5f01abba712e2454333b4e9c03c9ed2c (9 x Smoke Loader, 4 x RecordBreaker, 2 x CoinMiner)
ssdeep: 3072:Ps4PwupuFqzG658POKkl5m7TFMNlyZ3FduQkDbQUcfaTUbDVv:3GFa5Lm37ZycJb
Threatray: 310 similar samples on MalwareBazaar
TLSH: T10024CFA2BDE0CC32D5E245308074D7A46E7BFC612A34558BB794BB6E6E302D02AF5357
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): [icon image]
dhash icon: c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter: andretavare5
Tags: CoinMiner exe
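The hash and file-type fields above are the first things to check after pulling a copy of this sample: all four digests must match before any further work, and the TrID percentages (which rank "Win64 Executable (generic)" highest here) are byte-pattern guesses that the PE header itself settles; the sandbox process graph further down reports the dropped binaries as PE32. The following Python is an added example, not MalwareBazaar's own code: the digests are copied from this entry, the PE image it builds for the demonstration is constructed and is not the real sample, and imphash, ssdeep and TLSH are left out because they need third-party libraries.

```python
"""Check a downloaded file against this entry's digests and read its PE header.

Added example, not MalwareBazaar's own code. ENTRY holds the digests listed on this
page; build_fake_pe32() produces a constructed header, NOT the real sample.
"""
import hashlib
import struct

# Hashes exactly as listed in this database entry.
ENTRY = {
    "md5": "3d09b3a529a699338f7932223b357372",
    "sha1": "f76d4bdeb41d75a5c79135128dfa110125ac2f63",
    "sha256": "ff81ffadca4321934eb5717361e5c696a2dd939dbb92a004d8b3efeb7cc6dc3b",
    "sha3_384": "d1895502ecffb7f46928711371e2f2cb6a5f4ae376f98970446f56dae166673e89c21e3601dcdb3bdcc7575c5c91b662",
}

# IMAGE_FILE_HEADER.Machine values and the Characteristics flag for DLLs (winnt.h).
MACHINE_NAMES = {0x014C: "i386 (PE32)", 0x8664: "AMD64 (PE32+)", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_against_entry(data: bytes, entry: dict = ENTRY) -> dict:
    """Return {algo: bool} per listed digest; any False means this is not the listed file."""
    got = digests(data)
    return {algo: got[algo] == expected.lower() for algo, expected in entry.items()}


def parse_pe_header(data: bytes):
    """Return (Machine, Characteristics) from the COFF header, or None if not a PE file.

    TrID scores byte patterns; the Machine field is authoritative (0x14c = 32-bit image).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsect, _stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return machine, chars


def describe(data: bytes) -> str:
    """Human-readable architecture and image kind, e.g. 'i386 (PE32) EXE'."""
    hdr = parse_pe_header(data)
    if hdr is None:
        return "not a PE file"
    machine, chars = hdr
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return f"{MACHINE_NAMES.get(machine, hex(machine))} {kind}"


def build_fake_pe32(dll: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE32 header purely for demonstration."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_fake_pe32()
    print(describe(sample))               # i386 (PE32) EXE
    print(verify_against_entry(sample))   # every value False: not the listed sample
```

On a real download, `verify_against_entry(open(path, "rb").read())` should return True for all four algorithms; one False is enough to say you are holding a different file (a truncated download, a re-packed copy, or a different upload that shares the file name).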


andretavare5
Sample downloaded from http://176.113.115.153:9080/13.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 341
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-09 09:31:38 UTC
Tags: tofsee miner trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the Windows subdirectory
Creating a service
Launching the process to change the firewall settings
Launching a service
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Forced system process termination
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Creating a file
Connecting to a cryptocurrency mining pool
Sending an HTTP GET request
Possible injection to a system process
Enabling autorun for a service
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Tofsee
Behaviour
Behavior Graph:
Behavior Graph ID: 700212
Sample: file.exe
Start date: 09/09/2022
Architecture: WINDOWS
Score: 100

Process tree (node numbers are those of the graph):

2  [sample]
   DNS/IP: microsoft-com.mail.protection.outlook.com
   Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
   |
   +-- 8  bjgxdhit.exe
   |      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
   |      +-- 14  svchost.exe
   |             DNS/IP: svartalfheim.top 195.2.73.33, 443, 49681, 49683, VDSINA-ASRU, Russian Federation
   |             DNS/IP: microsoft-com.mail.protection.outlook.com 40.93.207.0, 25, 49680, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
   |             Signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation
   |
   +-- 11  file.exe
          Dropped: C:\Users\user\AppData\Local\...\bjgxdhit.exe, PE32
          Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
          +-- 18  cmd.exe
          |      Dropped: C:\Windows\SysWOW64\...\bjgxdhit.exe (copy), PE32
          |      +-- 27  conhost.exe
          +-- 21  netsh.exe
          |      +-- 29  conhost.exe
          +-- 23  cmd.exe
          |      +-- 31  conhost.exe
          +-- 25  3 other processes
                 +-- 33  conhost.exe
                 +-- 35  conhost.exe
                 +-- 37  conhost.exe
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-09-09 09:29:10 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:tofsee family:xmrig evasion miner persistence trojan
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Creates new service(s)
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
XMRig Miner payload
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
svartalfheim.top
jotunheim.name
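The behaviours the sandboxes list above (netsh firewall change, sc.exe service creation, service image path written to the registry, a Defender exclusion, a dropped copy under C:\Windows\SysWOW64 that is then executed, injection into svchost.exe, and svchost.exe talking to the extracted C2 domain and to an SMTP server) translate directly into host and network detections. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code. It runs those rules over a constructed, Sysmon-style event stream built to mirror this report; the exact command lines, the AppData and SysWOW64 subdirectory names (the page truncates both to "..."), and the registry route for the Defender exclusion are assumptions, since the page names the behaviours but not the mechanics. The drop-then-execute rule is deliberately stateful, because "Executes dropped EXE" cannot be seen by matching one event at a time.

```python
"""Turn this report's sandbox behaviours and C2 IOCs into detection logic.

Added example, not MalwareBazaar's or any sandbox vendor's code. Events are
constructed; command lines, the C:\\Windows\\SysWOW64 and AppData subdirectories and
the registry route for the Defender exclusion are assumptions, not page facts.
"""
import re

# IOCs from this entry: C2 extraction, behaviour graph, and the reporter's download URL.
C2_DOMAINS = {"svartalfheim.top", "jotunheim.name"}
C2_IPS = {"195.2.73.33", "176.113.115.153"}
# svchost.exe is the system process the report shows being injected into and then
# connecting out. Paths are compared lower-case (Windows paths are case-insensitive).
SYSTEM_IMAGES = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"}

SERVICE_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$")
DEFENDER_EXCLUSION = re.compile(r"\\windows defender\\exclusions\\(paths|processes|extensions)\\")


def _norm(path):
    return (path or "").lower()


def detect(events):
    """Scan an ordered event stream; return [(rule_name, detail), ...] in event order."""
    dropped = set()   # .exe paths written so far (for the stateful drop-then-execute rule)
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "FileCreate":
            target = _norm(e["target"])
            if target.endswith(".exe"):
                dropped.add(target)
        elif kind == "ProcessCreate":
            img, cmd = _norm(e["image"]), e.get("cmdline", "")
            if img in dropped:
                where = "windows dir" if img.startswith("c:\\windows\\") else "user dir"
                hits.append(("executes_dropped_exe", f"{img} ({where})"))
            if img.endswith("\\netsh.exe") and re.search(r"\bfirewall\b", cmd, re.I):
                hits.append(("firewall_modified_via_netsh", cmd))
            if img.endswith("\\sc.exe") and re.search(r"\b(create|config)\b", cmd, re.I):
                hits.append(("service_created_via_sc", cmd))
        elif kind == "RegistrySet":
            target = _norm(e["target"])
            if SERVICE_IMAGEPATH.search(target):
                hits.append(("service_imagepath_set", f"{target} = {e['value']}"))
            if DEFENDER_EXCLUSION.search(target):
                hits.append(("defender_exclusion_added", target))
        elif kind == "NetworkConnect":
            img, host = _norm(e["image"]), _norm(e.get("host"))
            ip, port = e.get("ip", ""), e["port"]
            if host in C2_DOMAINS or ip in C2_IPS:
                hits.append(("c2_ioc_match", f"{img} -> {host or ip}:{port}"))
            if img in SYSTEM_IMAGES and port == 25:      # spam-bot SMTP from a system process
                hits.append(("system_process_smtp", f"{img} -> {host or ip}:25"))
        elif kind == "ProcessAccess":
            src, dst = _norm(e["source"]), _norm(e["target"])
            if dst in SYSTEM_IMAGES and src not in SYSTEM_IMAGES:
                hits.append(("injection_into_system_process", f"{src} -> {dst}"))
    return hits


# Constructed events. The page truncates both drop paths to "..."; "constructed" is a
# placeholder subdirectory, not the real one. Command lines are assumed.
DROP = "C:\\Users\\user\\AppData\\Local\\constructed\\bjgxdhit.exe"
COPY = "C:\\Windows\\SysWOW64\\constructed\\bjgxdhit.exe"
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": "C:\\Users\\user\\Desktop\\file.exe", "cmdline": "file.exe"},
    {"type": "FileCreate", "target": DROP},
    {"type": "ProcessCreate", "image": DROP, "cmdline": "bjgxdhit.exe"},
    {"type": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": f'netsh advfirewall firewall add rule name="constructed" dir=in action=allow program="{COPY}"'},
    {"type": "FileCreate", "target": COPY},
    {"type": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": f'sc create constructed binPath= "{COPY}" start= auto'},
    {"type": "RegistrySet", "target": "HKLM\\System\\CurrentControlSet\\Services\\constructed\\ImagePath", "value": COPY},
    {"type": "RegistrySet", "target": f"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{COPY}", "value": "0"},
    {"type": "ProcessCreate", "image": COPY, "cmdline": "bjgxdhit.exe"},
    {"type": "ProcessAccess", "source": COPY, "target": SVCHOST},
    {"type": "NetworkConnect", "image": SVCHOST, "host": "svartalfheim.top", "ip": "195.2.73.33", "port": 443},
    {"type": "NetworkConnect", "image": SVCHOST, "host": "microsoft-com.mail.protection.outlook.com", "ip": "40.93.207.0", "port": 25},
    # Ordinary outbound TLS from svchost.exe (constructed benign traffic): must not fire.
    {"type": "NetworkConnect", "image": SVCHOST, "host": "update.example", "ip": "203.0.113.5", "port": 443},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The benign svchost.exe connection at the end is there on purpose: svchost.exe talks to the network constantly, so the rules only flag it on the entry's IOCs or on SMTP, and the "system process connects to network" finding is left to the injection rule that precedes it in the stream.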
Unpacked files
SHA256 hash: 021eb36d244d1bc60f8d87e2704a86738c54e1dcca10c98af6c1497eac2439cf
MD5 hash: c24255b81c1afcc45e6cd15047c29285
SHA1 hash: 6a171c1e3ed5f05673ea9cb965eb6353a8ed891d
Detections: win_tofsee_w0
Parent samples:
SHA256 hash: ff81ffadca4321934eb5717361e5c696a2dd939dbb92a004d8b3efeb7cc6dc3b
MD5 hash: 3d09b3a529a699338f7932223b357372
SHA1 hash: f76d4bdeb41d75a5c79135128dfa110125ac2f63
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: win_tofsee_w0
Author: akrasuski1

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments