Overview

overview

10

Static

static

a2a4f8e26d...f7.exe

windows7_x64

10

a2a4f8e26d...f7.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7

  • Size

    12.1MB

  • Sample

    201113-d9vcpnk4pj

  • MD5

    2809f01d292e0f6cf6dbb1e1237fe0bc

  • SHA1

    11164003530c82681901facb41627295398ae78f

  • SHA256

    a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7

  • SHA512

    f12c24a726f92256544151176302fe318cfd8d20fe8719b9b5c4590e8681ed5918b674a152f00a646b1eb0fb972a250ab9eeb5616ee8c341b72e4c336724c273

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Targets

    • Target

      a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7

    • Size

      12.1MB

    • MD5

      2809f01d292e0f6cf6dbb1e1237fe0bc

    • SHA1

      11164003530c82681901facb41627295398ae78f

    • SHA256

      a2a4f8e26d4c880ba8584c22ae531a07842fec20c72295cb8e6eaa7d507ef7f7

    • SHA512

      f12c24a726f92256544151176302fe318cfd8d20fe8719b9b5c4590e8681ed5918b674a152f00a646b1eb0fb972a250ab9eeb5616ee8c341b72e4c336724c273

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks