General

  • Target

    34d4dc94d70088a824e612804d4d3858a961a0a7a3ed8ef6b6b0f202beeae6d2

  • Size

    224KB

  • Sample

    220619-ylz7vaaehk

  • MD5

    44677e5592e39e6bd557da131ddacfdd

  • SHA1

    04a4b16d418ac4f349c6d47b1270ad31b8c94a93

  • SHA256

    34d4dc94d70088a824e612804d4d3858a961a0a7a3ed8ef6b6b0f202beeae6d2

  • SHA512

    14f1cc903d1c94dbb87e59fe894e7d15dd6edb2a559e4629d75f8353c96112d2a8cc5e49a2db502d88a477db4426c03d2e1b5860c1f03e4adfede23ed415b57b

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Targets

    • Target

      34d4dc94d70088a824e612804d4d3858a961a0a7a3ed8ef6b6b0f202beeae6d2

    • Size

      224KB

    • MD5

      44677e5592e39e6bd557da131ddacfdd

    • SHA1

      04a4b16d418ac4f349c6d47b1270ad31b8c94a93

    • SHA256

      34d4dc94d70088a824e612804d4d3858a961a0a7a3ed8ef6b6b0f202beeae6d2

    • SHA512

      14f1cc903d1c94dbb87e59fe894e7d15dd6edb2a559e4629d75f8353c96112d2a8cc5e49a2db502d88a477db4426c03d2e1b5860c1f03e4adfede23ed415b57b

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence (the sample can refuse to run in selected regions).

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect execution inside a suspended process, a typical step of process hollowing and other code-injection techniques.
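The indicators above (file hashes, C2 addresses) and the Run key persistence behaviour turned into a small offline triage script. This is an added example, not part of the sandbox report or of the Tofsee sample itself. The hashes and C2 IPs are copied from the report; the pipe-delimited Sysmon-style event lines, the image paths, the `svcupd` value name and the unrelated destination IP 93.184.216.34 are constructed for illustration and are not from the report.

```python
"""Offline triage against the indicators in this report (added example, not sandbox output)."""
import hashlib
import ipaddress
import re

# Indicators taken from the report above.
SAMPLE_SHA256 = "34d4dc94d70088a824e612804d4d3858a961a0a7a3ed8ef6b6b0f202beeae6d2"
SAMPLE_MD5 = "44677e5592e39e6bd557da131ddacfdd"
C2_IPS = {"103.232.222.57", "111.121.193.242", "123.249.0.22"}

# Autostart registry paths behind the "Adds Run key" signature (T1060 in ATT&CK v6).
# Matches both HKLM and HKU/HKCU hives, case-insensitively.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect,
# 13 = registry value set). Paths, value name and the 93.184.216.34 address are made up.
SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Users\victim\AppData\Local\Temp\update.exe|Hashes=MD5=44677E5592E39E6BD557DA131DDACFDD,SHA256=34D4DC94D70088A824E612804D4D3858A961A0A7A3ED8EF6B6B0F202BEEAE6D2
EventID=13|Image=C:\Users\victim\AppData\Local\Temp\update.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svcupd|Details=C:\Users\victim\AppData\Local\Temp\update.exe
EventID=3|Image=C:\Users\victim\AppData\Local\Temp\update.exe|DestinationIp=103.232.222.57|DestinationPort=443
EventID=3|Image=C:\Program Files\Browser\browser.exe|DestinationIp=93.184.216.34|DestinationPort=443
EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)
"""


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 of a byte string for comparison with the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_sample(data: bytes) -> bool:
    """True if the bytes hash to the SHA-256 of the sample in this report."""
    return file_hashes(data)["sha256"] == SAMPLE_SHA256


def is_c2_address(value: str) -> bool:
    """True if value is one of the report's C2 IPs; IPv4-mapped IPv6 forms are normalised."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return str(ip) in C2_IPS


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' event line into a dict (first '=' splits each field)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def parse_hashes_field(value: str) -> dict:
    """Turn a Sysmon-style 'MD5=..,SHA256=..' field into {'MD5': '..', 'SHA256': '..'} (lower-case hex)."""
    return {k.upper(): v.lower() for k, v in
            (part.split("=", 1) for part in value.split(",") if "=" in part)}


def triage_events(lines) -> list:
    """Return (reason, event) pairs for events matching the behaviours in the report."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1" and parse_hashes_field(ev.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
            hits.append(("sample_executed", ev))
        elif eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append(("run_key_persistence", ev))
        elif eid == "3" and is_c2_address(ev.get("DestinationIp", "")):
            hits.append(("tofsee_c2_connection", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in triage_events(SAMPLE_EVENTS.strip().splitlines()):
        print(reason, ev.get("Image"), ev.get("TargetObject") or ev.get("DestinationIp") or "")
```

Run against real telemetry, the same three checks map onto the report's signatures: the EventID 1 check confirms the dropped EXE that was executed is this sample, the EventID 13 check catches the Run key write (T1060), and the EventID 3 check flags traffic to the extracted C2 addresses. Hash-based matching only catches this exact build; the C2 list and the Run key pattern survive repacking.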

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Registry Run Keys / Startup Folder (T1060 in ATT&CK v6; the same behaviour is T1547.001 in current ATT&CK versions)

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks