Overview

overview

10

Static

static

a7250968f0...a2.exe

windows7-x64

10

a7250968f0...a2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a7250968f0756bdf6eb6c2662ea64c9e944e1dbd78cf53e5444e835d0fc47ba2

  • Size

    106KB

  • Sample

    221201-yq81jsad8s

  • MD5

    340e1c39a591b9685a5de3e100883817

  • SHA1

    53f1007ec62fe1d554b6681eff63c37f9bcd6d8d

  • SHA256

    a7250968f0756bdf6eb6c2662ea64c9e944e1dbd78cf53e5444e835d0fc47ba2

  • SHA512

    384799689e03f2f567e0b7273632a863ad5e15dbfe75038ea4bcb8eef3e5eb0425e770253ab518c3223175bc68248f6efe8656d04c140510b59813633ebcb026

  • SSDEEP

    1536:LMpZhSk82kttWsMbxCbp1Zped9aZ6EaM8PkXVeNsV5kLsPHQbu:LMvQtWjt6peyZ7DXVJVviu

Score
10/10
tofseepersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

188.93.235.142

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

    • Target

      a7250968f0756bdf6eb6c2662ea64c9e944e1dbd78cf53e5444e835d0fc47ba2

    • Size

      106KB

    • MD5

      340e1c39a591b9685a5de3e100883817

    • SHA1

      53f1007ec62fe1d554b6681eff63c37f9bcd6d8d

    • SHA256

      a7250968f0756bdf6eb6c2662ea64c9e944e1dbd78cf53e5444e835d0fc47ba2

    • SHA512

      384799689e03f2f567e0b7273632a863ad5e15dbfe75038ea4bcb8eef3e5eb0425e770253ab518c3223175bc68248f6efe8656d04c140510b59813633ebcb026

    • SSDEEP

      1536:LMpZhSk82kttWsMbxCbp1Zped9aZ6EaM8PkXVeNsV5kLsPHQbu:LMvQtWjt6peyZ7DXVJVviu

    Score
    10/10
    tofseepersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks