General

  • Target

    f8d31e6775488ad2285818fdd4b9bb4f1480a453758a29a3755f4376954e8644

  • Size

    1.3MB

  • Sample

    240901-bz5m6axfpf

  • MD5

    91be4687221e85f24b29305c629783db

  • SHA1

    18b90d4fe92d079565ffcfc2100072bbed3dfe5d

  • SHA256

    f8d31e6775488ad2285818fdd4b9bb4f1480a453758a29a3755f4376954e8644

  • SHA512

    8b4e29269c8abb77721f29ab469bf4b5091eda124b3315afdbc8e1e3665e44ec78bcbba86413f00c6f0d38f7a64b8c98a8138070dd1b3ca71e2370f176347ac1

  • SSDEEP

    24576:mZ5vHFx1GnGTb3BDYWoHnpH/p90gSm4sU220r+Qnsz56UGSNWAq8rWH:uDwSb3BDYWIpH/p+Jsy0r+QrUWtH

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      29b0f91a35ae86daabb6e62bde864cf514549d1d3e9f0fa453521fccd389d51e

    • Size

      13.5MB

    • MD5

      46912015f4e217c84f81982305c8c6d5

    • SHA1

      ba7ccd3f4668126eed2a609eb6ac489e9893b78a

    • SHA256

      29b0f91a35ae86daabb6e62bde864cf514549d1d3e9f0fa453521fccd389d51e

    • SHA512

      83900686d98969d7a00a1b78a3e1f7aeba2b95d8f931f412787a03fd32d87dfbfeb1d0506b2a2190254b0fa88e235264e58374b353d0a5c68f0c299f7782b17e

    • SSDEEP

      49152:fyzapZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZx:fC

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks