Overview

overview

10

Static

static

2faab8b22d...68.exe

windows7_x64

10

2faab8b22d...68.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2faab8b22d14dd97d72730e486c036743b1cd987146438dbc6e32ecfddd84a68

  • Size

    10.3MB

  • Sample

    201115-787v7qes82

  • MD5

    da27a5c1d9a98aff0dfac99dfe082706

  • SHA1

    76b7addfd3472df3fc609debde21e296314aa97c

  • SHA256

    2faab8b22d14dd97d72730e486c036743b1cd987146438dbc6e32ecfddd84a68

  • SHA512

    448a55a95ab81a22f740bd2dd124c1f20df817016d5ca962513959cc0cc328cb9ea71cae4f0b22fe0688efe2b22342666a7899dfc4f0fec7ccb825fc12e2c500

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Targets

    • Target

      2faab8b22d14dd97d72730e486c036743b1cd987146438dbc6e32ecfddd84a68

    • Size

      10.3MB

    • MD5

      da27a5c1d9a98aff0dfac99dfe082706

    • SHA1

      76b7addfd3472df3fc609debde21e296314aa97c

    • SHA256

      2faab8b22d14dd97d72730e486c036743b1cd987146438dbc6e32ecfddd84a68

    • SHA512

      448a55a95ab81a22f740bd2dd124c1f20df817016d5ca962513959cc0cc328cb9ea71cae4f0b22fe0688efe2b22342666a7899dfc4f0fec7ccb825fc12e2c500

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks