General

  • Target

    2b276aee1a864ee977abec79d1324ab4a6cbb32b5d64297637502ee56fb13585

  • Size

    165KB

  • Sample

    220615-dp8yyaaccr

  • MD5

    6807409c44a4a9c83ce67abc3d5fe982

  • SHA1

    18615e01e39ecc9caab7a03d3d3f3994a0c763e3

  • SHA256

    2b276aee1a864ee977abec79d1324ab4a6cbb32b5d64297637502ee56fb13585

  • SHA512

    a90b7277c7f072f3205dabab8b116edecfedcc6a154a90dae3018abaae67d07d6b5d4cd83d7946e1698ea7719b9ef137147b9427879482bb2daea90570fa3cdc

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

    • Target

      2b276aee1a864ee977abec79d1324ab4a6cbb32b5d64297637502ee56fb13585

    • Size

      165KB

    • MD5

      6807409c44a4a9c83ce67abc3d5fe982

    • SHA1

      18615e01e39ecc9caab7a03d3d3f3994a0c763e3

    • SHA256

      2b276aee1a864ee977abec79d1324ab4a6cbb32b5d64297637502ee56fb13585

    • SHA512

      a90b7277c7f072f3205dabab8b116edecfedcc6a154a90dae3018abaae67d07d6b5d4cd83d7946e1698ea7719b9ef137147b9427879482bb2daea90570fa3cdc

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Tasks