Overview

overview

10

Static

static

38ff1ccc22...7d.exe

windows7_x64

10

38ff1ccc22...7d.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    38ff1ccc229dd0ee592d9bd47c4ec4fbcc418fb385d7dea4bd72d1120651cb7d

  • Size

    11.3MB

  • Sample

    201112-w745d8hb22

  • MD5

    9c19fce163a1ae66e4be70fd7dfc003a

  • SHA1

    22c4f9f5c37574df08d676ff9cab6f50b7c01321

  • SHA256

    38ff1ccc229dd0ee592d9bd47c4ec4fbcc418fb385d7dea4bd72d1120651cb7d

  • SHA512

    03392ceb68aca7832a903a3c00977c6b6e33f531112c1b7b6a5b6ff46ca9272f0b6e3235682d3ad64be4aa02657f70d6cf0469789162157f35f499a96481337a

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Targets

    • Target

      38ff1ccc229dd0ee592d9bd47c4ec4fbcc418fb385d7dea4bd72d1120651cb7d

    • Size

      11.3MB

    • MD5

      9c19fce163a1ae66e4be70fd7dfc003a

    • SHA1

      22c4f9f5c37574df08d676ff9cab6f50b7c01321

    • SHA256

      38ff1ccc229dd0ee592d9bd47c4ec4fbcc418fb385d7dea4bd72d1120651cb7d

    • SHA512

      03392ceb68aca7832a903a3c00977c6b6e33f531112c1b7b6a5b6ff46ca9272f0b6e3235682d3ad64be4aa02657f70d6cf0469789162157f35f499a96481337a

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks