Field | Value |
---|---|
Created | 2023.06.29 13:34 |
Machine | s1_win7_x6401 |
Filename | tofsee.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 61 detected (Tofsee, TofseePMF, S28195247, FDRN, SpamBot, Save, malicious, confidence, 100%, None, Eldorado, Ascesso, Windows, score, jkpmhc, BackdoorX, Tinba, R002C0CKL22, moderate, Static AI, Suspicious PE, Invader, Indus, @1qrzi1, Coinminer, Detected, R284452, BScope, ai score=80, unsafe, Genetic, CLASSIC, GenAsa, XvO1cEIyueE, susgen, ZexaF, eqW@aiBfOGn) |
md5 | 92e466525e810b79ae23eac344a52027 |
sha256 | 96baba74a907890b995f23c7db21568f7bfb5dbf417ed90ca311482b99702b72 |
ssdeep | 1536:6k6s21VCn63TxSYWz+XTjFWL9ydpIcUc:6PVCnQxSYO+XF3pIH |
imphash | 0bdef4d92a94790d7d279561a490c5bb |
impfuzzy | 48:i+FDidfc6gOuJQnxCXo2vEYncAKQHAEdFm6mUj:io+fcB1JQxCXH8UcPQAEdFm6me |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Operates on local firewall's policies and settings |
notice | A process created a hidden window |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_PWS_Dexter_Zero | Win PWS Dexter | binaries (download) |
danger | Win_PWS_Dexter_Zero | Win PWS Dexter | binaries (upload) |
danger | win_tofsee | Tofsee malware | binaries (download) |
danger | win_tofsee | Tofsee malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x4101f0 ioctlsocket
0x4101f4 __WSAFDIsSet
0x4101f8 WSAStartup
0x4101fc send
0x410200 connect
0x410204 setsockopt
0x410208 bind
0x41020c listen
0x410210 accept
0x410214 getsockname
0x410218 htonl
0x41021c gethostname
0x410220 socket
0x410224 select
0x410228 recv
0x41022c ntohs
0x410230 htons
0x410234 sendto
0x410238 gethostbyaddr
0x41023c inet_ntoa
0x410240 gethostbyname
0x410244 inet_addr
0x410248 getpeername
0x41024c closesocket
dbghelp.dll
0x410254 StackWalk64
KERNEL32.dll
0x410088 GetVolumeInformationA
0x41008c GetComputerNameA
0x410090 GetTickCount
0x410094 GetCurrentProcess
0x410098 GetModuleHandleA
0x41009c GetSystemInfo
0x4100a0 GetVersionExA
0x4100a4 lstrcmpiA
0x4100a8 lstrlenA
0x4100ac Sleep
0x4100b0 lstrcpynA
0x4100b4 InterlockedExchange
0x4100b8 GetCurrentThreadId
0x4100bc ExitProcess
0x4100c0 GetOverlappedResult
0x4100c4 WaitForSingleObject
0x4100c8 GetLastError
0x4100cc WriteFile
0x4100d0 ReadFile
0x4100d4 CreateFileA
0x4100d8 DisconnectNamedPipe
0x4100dc ConnectNamedPipe
0x4100e0 CreateNamedPipeA
0x4100e4 CloseHandle
0x4100e8 LoadLibraryA
0x4100ec GetEnvironmentVariableA
0x4100f0 DeleteFileA
0x4100f4 IsBadWritePtr
0x4100f8 IsBadCodePtr
0x4100fc lstrcpyA
0x410100 lstrcmpA
0x410104 VirtualProtect
0x410108 IsBadReadPtr
0x41010c VirtualFree
0x410110 WriteProcessMemory
0x410114 VirtualAllocEx
0x410118 VirtualAlloc
0x41011c SetFilePointer
0x410120 GetFileSize
0x410124 SetFileAttributesA
0x410128 GetDiskFreeSpaceA
0x41012c GetWindowsDirectoryA
0x410130 GetProcAddress
0x410134 LocalFree
0x410138 GetFileAttributesExA
0x41013c LocalAlloc
0x410140 CreateProcessA
0x410144 GetTempPathA
0x410148 SystemTimeToFileTime
0x41014c GetSystemTime
0x410150 DeviceIoControl
0x410154 CreateFileW
0x410158 GetModuleFileNameA
0x41015c ResumeThread
0x410160 SetThreadContext
0x410164 TerminateProcess
0x410168 GetThreadContext
0x41016c lstrcatA
0x410170 CreateThread
0x410174 GetDriveTypeA
0x410178 GetCommandLineA
0x41017c SetUnhandledExceptionFilter
0x410180 SetErrorMode
0x410184 InterlockedIncrement
0x410188 GetLocalTime
0x41018c GetTimeZoneInformation
0x410190 FileTimeToLocalFileTime
0x410194 FileTimeToSystemTime
0x410198 InterlockedDecrement
0x41019c HeapSize
0x4101a0 GetSystemTimeAsFileTime
0x4101a4 MultiByteToWideChar
0x4101a8 lstrlenW
0x4101ac GetStartupInfoW
0x4101b0 GetProcessHeap
0x4101b4 HeapAlloc
0x4101b8 HeapReAlloc
0x4101bc HeapFree
0x4101c0 FreeLibrary
0x4101c4 CreateEventA
0x4101c8 GetSystemDirectoryA
USER32.dll
0x4101e4 wsprintfA
0x4101e8 CharToOemA
ADVAPI32.dll
0x410000 ConvertSidToStringSidA
0x410004 AllocateAndInitializeSid
0x410008 CreateProcessWithLogonW
0x41000c RegCreateKeyExA
0x410010 StartServiceCtrlDispatcherA
0x410014 RegisterServiceCtrlHandlerA
0x410018 SetServiceStatus
0x41001c RegDeleteValueA
0x410020 RegGetKeySecurity
0x410024 RegSetKeySecurity
0x410028 RegSetValueExA
0x41002c GetLengthSid
0x410030 GetFileSecurityA
0x410034 GetSecurityDescriptorOwner
0x410038 EqualSid
0x41003c InitializeSecurityDescriptor
0x410040 SetSecurityDescriptorOwner
0x410044 SetFileSecurityA
0x410048 GetSecurityDescriptorDacl
0x41004c GetAce
0x410050 DeleteAce
0x410054 SetSecurityDescriptorDacl
0x410058 RegQueryValueExA
0x41005c RegEnumKeyA
0x410060 RegOpenKeyExA
0x410064 RegEnumValueA
0x410068 GetUserNameW
0x41006c LookupAccountNameW
0x410070 LookupAccountNameA
0x410074 GetUserNameA
0x410078 RegCloseKey
0x41007c CheckTokenMembership
0x410080 FreeSid
SHELL32.dll
0x4101d8 ShellExecuteA
0x4101dc ShellExecuteExW
OLEAUT32.dll
0x4101d0 SysAllocStringByteLen
EAT(Export Address Table) is none
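The IAT above is only a flat list of API names; the behavioural signatures earlier in the report become much easier to read once the imports are grouped by capability. The script below is an added triage example, not part of the ZERO report and not code from the sample: it transcribes the import table as printed (the WS2_32 entry the report shows as "ind" is taken to be bind, the only WS2_32 export between setsockopt and listen), groups the imports into capability clusters, and maps each cluster to the signature line it would explain. The cluster definitions and the signature mapping are the editor's own heuristics, not output of the sandbox.

```python
"""Heuristic IAT triage for the import table printed above.

Added example, not part of the ZERO report and not code from the sample: it
groups the listed imports into capability clusters and maps each cluster to
the report signature it would explain. Clusters are the editor's heuristics.
"""

# DLL -> imported functions, transcribed from the report's IAT section.
# The WS2_32 entry the report prints as "ind" is read here as "bind".
IAT = {
    "WS2_32.dll": (
        "ioctlsocket __WSAFDIsSet WSAStartup send connect setsockopt bind listen accept "
        "getsockname htonl gethostname socket select recv ntohs htons sendto gethostbyaddr "
        "inet_ntoa gethostbyname inet_addr getpeername closesocket").split(),
    "dbghelp.dll": ["StackWalk64"],
    "KERNEL32.dll": (
        "GetVolumeInformationA GetComputerNameA GetTickCount GetCurrentProcess GetModuleHandleA "
        "GetSystemInfo GetVersionExA lstrcmpiA lstrlenA Sleep lstrcpynA InterlockedExchange "
        "GetCurrentThreadId ExitProcess GetOverlappedResult WaitForSingleObject GetLastError "
        "WriteFile ReadFile CreateFileA DisconnectNamedPipe ConnectNamedPipe CreateNamedPipeA "
        "CloseHandle LoadLibraryA GetEnvironmentVariableA DeleteFileA IsBadWritePtr IsBadCodePtr "
        "lstrcpyA lstrcmpA VirtualProtect IsBadReadPtr VirtualFree WriteProcessMemory "
        "VirtualAllocEx VirtualAlloc SetFilePointer GetFileSize SetFileAttributesA "
        "GetDiskFreeSpaceA GetWindowsDirectoryA GetProcAddress LocalFree GetFileAttributesExA "
        "LocalAlloc CreateProcessA GetTempPathA SystemTimeToFileTime GetSystemTime "
        "DeviceIoControl CreateFileW GetModuleFileNameA ResumeThread SetThreadContext "
        "TerminateProcess GetThreadContext lstrcatA CreateThread GetDriveTypeA GetCommandLineA "
        "SetUnhandledExceptionFilter SetErrorMode InterlockedIncrement GetLocalTime "
        "GetTimeZoneInformation FileTimeToLocalFileTime FileTimeToSystemTime "
        "InterlockedDecrement HeapSize GetSystemTimeAsFileTime MultiByteToWideChar lstrlenW "
        "GetStartupInfoW GetProcessHeap HeapAlloc HeapReAlloc HeapFree FreeLibrary CreateEventA "
        "GetSystemDirectoryA").split(),
    "USER32.dll": ["wsprintfA", "CharToOemA"],
    "ADVAPI32.dll": (
        "ConvertSidToStringSidA AllocateAndInitializeSid CreateProcessWithLogonW RegCreateKeyExA "
        "StartServiceCtrlDispatcherA RegisterServiceCtrlHandlerA SetServiceStatus RegDeleteValueA "
        "RegGetKeySecurity RegSetKeySecurity RegSetValueExA GetLengthSid GetFileSecurityA "
        "GetSecurityDescriptorOwner EqualSid InitializeSecurityDescriptor "
        "SetSecurityDescriptorOwner SetFileSecurityA GetSecurityDescriptorDacl GetAce DeleteAce "
        "SetSecurityDescriptorDacl RegQueryValueExA RegEnumKeyA RegOpenKeyExA RegEnumValueA "
        "GetUserNameW LookupAccountNameW LookupAccountNameA GetUserNameA RegCloseKey "
        "CheckTokenMembership FreeSid").split(),
    "SHELL32.dll": ["ShellExecuteA", "ShellExecuteExW"],
    "OLEAUT32.dll": ["SysAllocStringByteLen"],
}

# Heuristic clusters -> (report signature it would explain, or None; required
# APIs). A cluster fires only when every required API is imported, so one
# common API such as CreateFileA never fires anything by itself.
CLUSTERS = {
    "process_hollowing": ("Creates a suspicious process",
        "CreateProcessA VirtualAllocEx WriteProcessMemory GetThreadContext SetThreadContext ResumeThread"),
    "service_control": ("Creates a service",
        "StartServiceCtrlDispatcherA RegisterServiceCtrlHandlerA SetServiceStatus"),
    "registry_persistence": ("Installs itself for autorun at Windows startup",
        "RegCreateKeyExA RegSetValueExA RegDeleteValueA"),
    "environment_sizing": ("Queries the disk size which could be used to detect virtual machine",
        "GetDiskFreeSpaceA GetSystemInfo GetDriveTypeA"),
    "shell_launch": ("Uses Windows utilities for basic Windows functionality",
        "ShellExecuteA ShellExecuteExW CreateProcessWithLogonW"),
    # Capabilities that produced no behavioural signature in this run.
    "dacl_tampering": (None, "GetSecurityDescriptorDacl GetAce DeleteAce SetSecurityDescriptorDacl "
                             "SetFileSecurityA RegSetKeySecurity"),
    "admin_check": (None, "AllocateAndInitializeSid CheckTokenMembership FreeSid"),
    "named_pipe_ipc": (None, "CreateNamedPipeA ConnectNamedPipe DisconnectNamedPipe GetOverlappedResult"),
    "socket_server_and_client": (None, "WSAStartup socket bind listen accept connect send recv"),
    # Negative control: these are not imported, so the cluster must stay quiet.
    "keylogging": (None, "SetWindowsHookExA GetAsyncKeyState"),
}


def all_imports(iat):
    """Flatten DLL -> functions into one set of imported API names."""
    return {fn for fns in iat.values() for fn in fns}


def triage(iat, clusters=CLUSTERS):
    """Return {cluster: {"fired", "missing", "signature"}} for every cluster."""
    present = all_imports(iat)
    result = {}
    for name, (signature, api_list) in clusters.items():
        required = set(api_list.split())
        result[name] = {"fired": required <= present,
                        "missing": sorted(required - present),
                        "signature": signature}
    return result


def fired_clusters(iat, clusters=CLUSTERS):
    """Sorted names of clusters whose required APIs are all imported."""
    return sorted(n for n, r in triage(iat, clusters).items() if r["fired"])


def unexplained_capabilities(iat, clusters=CLUSTERS):
    """Fired clusters with no behavioural signature: static evidence of
    capability the sandbox run did not exercise (cf. the empty Network table)."""
    return sorted(n for n, r in triage(iat, clusters).items()
                  if r["fired"] and r["signature"] is None)


if __name__ == "__main__":
    for name, r in triage(IAT).items():
        note = r["signature"] or "no signature in report"
        extra = "" if r["fired"] else " (missing: " + ", ".join(r["missing"]) + ")"
        print(("FIRED " if r["fired"] else "  -   ") + f"{name:26s} {note}{extra}")
```

Run as a script it prints one line per cluster. The instructive part is the set returned by `unexplained_capabilities`: the ACL-editing, admin-check, named-pipe and socket clusters all fire on the static import table, yet none has a behavioural signature and the Network section recorded zero requests, so the dynamic run exercised only part of what the binary can do. Requiring every API in a cluster keeps single common imports (CreateFileA, LoadLibraryA) from triggering a cluster on their own; loosening that to a ratio is the obvious knob if the heuristic is reused on other samples.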