Overview

overview

10

Static

static

c1567cb139...f6.exe

windows7_x64

10

c1567cb139...f6.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6

  • Size

    11.3MB

  • Sample

    201114-bgwrazn8da

  • MD5

    25c0ecfe708eabf65b3329c261f4ea4c

  • SHA1

    76f921182a5262fbfc9688b2cd991ab18cb1fa26

  • SHA256

    c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6

  • SHA512

    09aac55683604e59af43c698f4ddbaec9c61b7e274c13b1571c9ed07086e3e27f3512a4db6ba5c9a819419a5e357c167773f195f6d7bd93cd0bad515348b604e

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Targets

    • Target

      c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6

    • Size

      11.3MB

    • MD5

      25c0ecfe708eabf65b3329c261f4ea4c

    • SHA1

      76f921182a5262fbfc9688b2cd991ab18cb1fa26

    • SHA256

      c1567cb139d3b8cff3f496db92e0fcb186408e940d51c8cc975d939f1212d5f6

    • SHA512

      09aac55683604e59af43c698f4ddbaec9c61b7e274c13b1571c9ed07086e3e27f3512a4db6ba5c9a819419a5e357c167773f195f6d7bd93cd0bad515348b604e

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks