Overview

overview

10

Static

static

5843747cb5...ef.exe

windows7_x64

10

5843747cb5...ef.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

  • Size

    14.1MB

  • Sample

    220622-2kr2madeb7

  • MD5

    0e23bc0be4b1ddfa9fb1b05987dc7894

  • SHA1

    a7e8682f89910271a131f67cf7bd2ac4c250fe77

  • SHA256

    5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

  • SHA512

    c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

43.231.5.6

115.230.124.76

Targets

    • Target

      5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

    • Size

      14.1MB

    • MD5

      0e23bc0be4b1ddfa9fb1b05987dc7894

    • SHA1

      a7e8682f89910271a131f67cf7bd2ac4c250fe77

    • SHA256

      5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef

    • SHA512

      c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks