General

  • Target

    f497600b793c965a69df6cbc73af3df664b635fd098e463fab3d9badf0dccea4.exe

  • Size

    11.0MB

  • Sample

    241122-k7qnmsxrfv

  • MD5

    3a73e3f5ff0ad1e222cac36e03b9fe66

  • SHA1

    155126c64e86e8f6830dd377417bd750b3f0b6e3

  • SHA256

    f497600b793c965a69df6cbc73af3df664b635fd098e463fab3d9badf0dccea4

  • SHA512

    b97bd61b89eafacf4e652a8f0ab9b284018d18911f4a5604a4e1ff3d16cbb4d1345265ee226d0dd26d1690fe4e3056ed682c659207b7a60ccd1a0e9ec73abc1c

  • SSDEEP

    49152:wNxtFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFg:WO

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      f497600b793c965a69df6cbc73af3df664b635fd098e463fab3d9badf0dccea4.exe

    • Size

      11.0MB

    • MD5

      3a73e3f5ff0ad1e222cac36e03b9fe66

    • SHA1

      155126c64e86e8f6830dd377417bd750b3f0b6e3

    • SHA256

      f497600b793c965a69df6cbc73af3df664b635fd098e463fab3d9badf0dccea4

    • SHA512

      b97bd61b89eafacf4e652a8f0ab9b284018d18911f4a5604a4e1ff3d16cbb4d1345265ee226d0dd26d1690fe4e3056ed682c659207b7a60ccd1a0e9ec73abc1c

    • SSDEEP

      49152:wNxtFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFg:WO

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks