Overview

overview

10

Static

static

63b79b71cb...76.exe

windows7_x64

10

63b79b71cb...76.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

  • Size

    12.1MB

  • Sample

    201113-ftjt6wkkxe

  • MD5

    0ac0af0d8d5a45c4a2ff02c51a618f58

  • SHA1

    222eb9c628d571d03f0a82ef5df961e066a8d8cd

  • SHA256

    63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

  • SHA512

    ff30925e35fb3388eaaa3a8953ea235c3baf51b6262e4c5f94d69830a92ccf62c9b2c2bcd2588737cb98d29283d114eb6f5cfd3cfcc11b24114f9c98c49c0437

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Targets

    • Target

      63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

    • Size

      12.1MB

    • MD5

      0ac0af0d8d5a45c4a2ff02c51a618f58

    • SHA1

      222eb9c628d571d03f0a82ef5df961e066a8d8cd

    • SHA256

      63b79b71cb84b6ebe5708776b4834ce9e103f24f58f9f1c7f867c60be020a676

    • SHA512

      ff30925e35fb3388eaaa3a8953ea235c3baf51b6262e4c5f94d69830a92ccf62c9b2c2bcd2588737cb98d29283d114eb6f5cfd3cfcc11b24114f9c98c49c0437

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks