General

  • Target: 53bba6ed24ec51b05bedfe356d3e786b58448d462d1b0fd4d4ada8e93a02d6ba
  • Size: 192KB
  • Sample: 220727-aszynabcb8
  • MD5: 34fb478b89ca67b3ac53c04ff655a7eb
  • SHA1: f757ad8658e5af68a381aee0a126725a34060d38
  • SHA256: 53bba6ed24ec51b05bedfe356d3e786b58448d462d1b0fd4d4ada8e93a02d6ba
  • SHA512: 41050bce6eb0a639fd74ffbfcba1ad8e6dc7b04f87d2adb3f7076d6c923a52f56c314f26abbc0a91bb7de0c59d9da543f8c5374dae84b0815caf808bc4abf081

Malware Config (Extracted)

  • Family: tofsee
  • C2:
      103.232.222.57
      111.121.193.242
      123.249.0.22

Targets

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion: Modify Registry (T1112): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: System Information Discovery (T1082): 2

Tasks