f27da59d0c8e19b30e94dd80adf5b6e981adcd85b74ba230ae74fccabda56b3c

General

Target: f27da59d0c8e19b30e94dd80adf5b6e981adcd85b74ba230ae74fccabda56b3c
Size: 295KB
Sample: 211125-tsrrtsfgbp
Score: 10/10
MD5: 75297b62bc49e2e03e350466349c4736
SHA1: f7c2f9140746f35cb9a310b18d5c2a82dd1d566a
SHA256: f27da59d0c8e19b30e94dd80adf5b6e981adcd85b74ba230ae74fccabda56b3c
SHA512: 73855d458ba87d26cec322a4522b2566018f763826f10d82c8b5646947f35e0d8b62cf71baf152e0eaeee9522c7e279538975c0d84f461e93e470d8aa4ba0aab

Malware Config

Extracted

Family: tofsee
C2:
  quadoil.ru
  lakeflex.ru

Signatures

  • Tofsee
    Description: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  • Windows security bypass
    TTPs: Disabling Security Tools; Modify Registry
  • xmrig
    Description: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
  • XMRig Miner Payload
  • Creates new service(s)
    TTPs: New Service
  • Executes dropped EXE
  • Modifies Windows Firewall
    TTPs: Modify Existing Service
  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext
