General

  • Target

    2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172

  • Size

    176KB

  • Sample

    220621-24f4gaedej

  • MD5

    69149d4fbc2666bd9beb761b3337e6fe

  • SHA1

    f27c17a5e9b3d77a6049637b54ff9d56c4b91785

  • SHA256

    2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172

  • SHA512

    833db5449a8f6333ff13127334e19fc105a6a473552f395d39101ab19e7e0c094f514459294f41b1ee4c7388ad120b31484ebbeeefa8bb6ebe13fc488a814e72

Malware Config

Extracted

Family

tofsee

C2

103.232.222.57

111.121.193.242

123.249.0.22

Targets

    • Target

      2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172

    • Size

      176KB

    • MD5

      69149d4fbc2666bd9beb761b3337e6fe

    • SHA1

      f27c17a5e9b3d77a6049637b54ff9d56c4b91785

    • SHA256

      2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172

    • SHA512

      833db5449a8f6333ff13127334e19fc105a6a473552f395d39101ab19e7e0c094f514459294f41b1ee4c7388ad120b31484ebbeeefa8bb6ebe13fc488a814e72

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks