Overview

overview

10

Static

static

a2b8bd3ce9...e9.exe

windows7-x64

10

a2b8bd3ce9...e9.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2b8bd3ce91ce68dd2273021409303ee64e5528a6dc5a8dd169450fd59ed43e9

  • Size

    135KB

  • Sample

    221201-y27xmabe71

  • MD5

    57098bd9d968e47a4380e4610f34e4ad

  • SHA1

    98888c4be4a6153ed2ebbbd1a146cf910756b2e9

  • SHA256

    a2b8bd3ce91ce68dd2273021409303ee64e5528a6dc5a8dd169450fd59ed43e9

  • SHA512

    3faab93be088e8dc3d8c142c0396e69f59fd9b3e51776e507322d666191b2f1706fdda9e4af8920e7b031f95bb3ce463039f70302949ed71d492e3d273442be4

  • SSDEEP

    3072:TFuAXp3T0O1+kbhDIsEuq+iLJrsJ4T6jNZIuJQk8vusHZGc:MAXBT0Abe4DiFrs9jrAkUus5

Score
10/10
tofseepersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

    • Target

      a2b8bd3ce91ce68dd2273021409303ee64e5528a6dc5a8dd169450fd59ed43e9

    • Size

      135KB

    • MD5

      57098bd9d968e47a4380e4610f34e4ad

    • SHA1

      98888c4be4a6153ed2ebbbd1a146cf910756b2e9

    • SHA256

      a2b8bd3ce91ce68dd2273021409303ee64e5528a6dc5a8dd169450fd59ed43e9

    • SHA512

      3faab93be088e8dc3d8c142c0396e69f59fd9b3e51776e507322d666191b2f1706fdda9e4af8920e7b031f95bb3ce463039f70302949ed71d492e3d273442be4

    • SSDEEP

      3072:TFuAXp3T0O1+kbhDIsEuq+iLJrsJ4T6jNZIuJQk8vusHZGc:MAXBT0Abe4DiFrs9jrAkUus5

    Score
    10/10
    tofseepersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks