General

  • Target

    7d33c7099e8696a3c06361ee3d4da8c45461cd3fdb6fe354d81be76fe5d8625d

  • Size

    11.2MB

  • Sample

    240924-ktpt7ayamq

  • MD5

    dc95cb1290fa14086d6e54605ef163e4

  • SHA1

    e38ae542e1c56fc2db4e3976c86af29faf48293a

  • SHA256

    7d33c7099e8696a3c06361ee3d4da8c45461cd3fdb6fe354d81be76fe5d8625d

  • SHA512

    7009d924341b95beb3fb709b6895a44364fa6f9f1f2ce019ce972cdad24870e09abc6e08064e5478a10b21253bf7126b15bab8be3eee0ef37c7ad29ccc64955a

  • SSDEEP

    1536:CpUJsMq8nDNrnUtDDqJ55fNBVcmiCxmeZUUfOxxjDRvgdi0/zvjHNq8wR4vyKT:O6nln1X17rpLfOz3t8Fbti4v

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

59.188.74.26

115.230.124.76

111.121.193.242
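The extracted C2 list is the most directly actionable part of this report. The following Python is an added example, not part of the sandbox report or of any tooling it uses: it turns the four C2 addresses into Suricata alert rules, matches them against connection logs, and checks a file's digests against the hashes in the General section. The log lines and their key=value layout, and the SID range, are constructed assumptions; the IP addresses and digests are copied from the report.

```python
"""Turn the extracted Tofsee C2 list into detection content.

Added example; not part of the sandbox report. The C2 addresses and file
digests are copied from the report above; everything else is constructed.
"""
import hashlib
import ipaddress
import re

# C2 addresses from the extracted Tofsee config (report order).
TOFSEE_C2 = (
    "103.248.137.133",
    "59.188.74.26",
    "115.230.124.76",
    "111.121.193.242",
)

# Digests of the analysed sample, from the General section of the report.
REPORTED_HASHES = {
    "md5": "dc95cb1290fa14086d6e54605ef163e4",
    "sha1": "e38ae542e1c56fc2db4e3976c86af29faf48293a",
    "sha256": "7d33c7099e8696a3c06361ee3d4da8c45461cd3fdb6fe354d81be76fe5d8625d",
}

# Constructed connection-log lines in a simple key=value shape (assumed format,
# not from the report). One line is deliberately malformed.
SAMPLE_LOG = """\
2024-09-24T10:01:02Z src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp
2024-09-24T10:01:05Z src=10.0.0.15 dst=103.248.137.133 dport=443 proto=tcp
2024-09-24T10:01:09Z src=10.0.0.22 dst=59.188.74.26 dport=25 proto=tcp
2024-09-24T10:01:12Z src=10.0.0.15 dst=8.8.8.8 dport=53 proto=udp
malformed line without fields
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the format
    or whose src/dst is not a valid IP address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_hits(log_text, c2=TOFSEE_C2):
    """Return parsed records whose destination is a known Tofsee C2 address."""
    wanted = set(c2)
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec is not None and rec["dst"] in wanted]


def suricata_rules(c2=TOFSEE_C2, base_sid=1000001):
    """Emit one Suricata alert rule per C2 address; the SID range is an assumption."""
    return [
        f'alert ip $HOME_NET any -> {ip} any '
        f'(msg:"Tofsee C2 traffic to {ip}"; sid:{base_sid + i}; rev:1;)'
        for i, ip in enumerate(c2)
    ]


def is_reported_sample(data):
    """True only if all three digests of `data` match the report."""
    return all(
        hashlib.new(alg, data).hexdigest() == digest
        for alg, digest in REPORTED_HASHES.items()
    )


if __name__ == "__main__":
    for rule in suricata_rules():
        print(rule)
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

Matching on destination IP alone is deliberately coarse: the report gives no ports or protocol details for the C2 channel, so the rules alert on any traffic to these hosts and should be reviewed against your own traffic before deployment.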

Targets

    • Target

      7d33c7099e8696a3c06361ee3d4da8c45461cd3fdb6fe354d81be76fe5d8625d

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15