General
-
Target
2cb8331dab2c0c108691947e56b4172716b1d23fd064a932d6202f7cf76feb39
-
Size
172KB
-
Sample
221124-ll3lrahd2w
-
MD5
dafc043be699b11f059f25d3df8360d0
-
SHA1
973a61daf7a94734fb1c8244b66042658f2642ce
-
SHA256
2cb8331dab2c0c108691947e56b4172716b1d23fd064a932d6202f7cf76feb39
-
SHA512
6e69e2488f170d9c453e8a41ce1a53ec372d097b1587c7c4351fc1b04fd1852e8ac23cfbfb11b02fd6627d2b67975b56450bc3f07058ee2c78b1e2b182eec9e2
-
SSDEEP
3072:P6oBRcjQ0GCmBrGltChf8jytCeJxyYVCK+mQEryy:P61mBrGbywejyjKpOy
Malware Config
Extracted
tofsee
111.121.193.238
202.146.217.143
188.190.113.149
188.165.132.183
213.155.0.208
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Targets
-
-
Target
2cb8331dab2c0c108691947e56b4172716b1d23fd064a932d6202f7cf76feb39
-
Size
172KB
-
MD5
dafc043be699b11f059f25d3df8360d0
-
SHA1
973a61daf7a94734fb1c8244b66042658f2642ce
-
SHA256
2cb8331dab2c0c108691947e56b4172716b1d23fd064a932d6202f7cf76feb39
-
SHA512
6e69e2488f170d9c453e8a41ce1a53ec372d097b1587c7c4351fc1b04fd1852e8ac23cfbfb11b02fd6627d2b67975b56450bc3f07058ee2c78b1e2b182eec9e2
-
SSDEEP
3072:P6oBRcjQ0GCmBrGltChf8jytCeJxyYVCK+mQEryy:P61mBrGbywejyjKpOy
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-