Overview

overview

10

Static

static

4737b9c167...fc.exe

windows7_x64

10

4737b9c167...fc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4737b9c167d5f4f7a88173edb826c210db23cf5209e36c792294ec16ef8463fc

  • Size

    177KB

  • Sample

    220714-h8exescbhp

  • MD5

    8fb14c353edbf22083fb850c404960e1

  • SHA1

    26a73188db4e760cded73de71bb0434f0326ed2e

  • SHA256

    4737b9c167d5f4f7a88173edb826c210db23cf5209e36c792294ec16ef8463fc

  • SHA512

    b5a23b86a4abf91aa5b016dcc851d1b9ba2565c48a9088bbd9c2cb1e7c633b72b778a0eebaf61415d04e74abca3e0980d6915a63c1288a439d80de7a369b358a

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      4737b9c167d5f4f7a88173edb826c210db23cf5209e36c792294ec16ef8463fc

    • Size

      177KB

    • MD5

      8fb14c353edbf22083fb850c404960e1

    • SHA1

      26a73188db4e760cded73de71bb0434f0326ed2e

    • SHA256

      4737b9c167d5f4f7a88173edb826c210db23cf5209e36c792294ec16ef8463fc

    • SHA512

      b5a23b86a4abf91aa5b016dcc851d1b9ba2565c48a9088bbd9c2cb1e7c633b72b778a0eebaf61415d04e74abca3e0980d6915a63c1288a439d80de7a369b358a

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks