General

  • Target

    03a239c50ad79fc193158e7b7750bc9c950ff2efa27003f80c54993a4605c1b0.exe

  • Size

    12.9MB

  • Sample

    241122-hx2xtaslan

  • MD5

    8556b989b136705da62e8181b8e1b066

  • SHA1

    8ab93dd9d5bd43efb00c8d027f08ecd5d1adf96b

  • SHA256

    03a239c50ad79fc193158e7b7750bc9c950ff2efa27003f80c54993a4605c1b0

  • SHA512

    e45b2343243e9a73f6edbdd75ace557bd33b887adc29408378d606246227f6b4ed5d006b14b8a37c62a165bdccafa46271a86aa1cb138573066553dda5159cf7

  • SSDEEP

    49152:ukHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHP:N

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      03a239c50ad79fc193158e7b7750bc9c950ff2efa27003f80c54993a4605c1b0.exe

    • Size

      12.9MB

    • MD5

      8556b989b136705da62e8181b8e1b066

    • SHA1

      8ab93dd9d5bd43efb00c8d027f08ecd5d1adf96b

    • SHA256

      03a239c50ad79fc193158e7b7750bc9c950ff2efa27003f80c54993a4605c1b0

    • SHA512

      e45b2343243e9a73f6edbdd75ace557bd33b887adc29408378d606246227f6b4ed5d006b14b8a37c62a165bdccafa46271a86aa1cb138573066553dda5159cf7

    • SSDEEP

      49152:ukHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHP:N

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks