General

  • Target

    edd112e5d957e913076cb86fd6b657318987fef5e2fdd34f46c4b23cccd9ae20.exe

  • Size

    13.3MB

  • Sample

    241122-kv726atnbk

  • MD5

    57163e49f6f67475836d3d49abab1a6f

  • SHA1

    b11e58b16d751db535317a0aacca97c20ae7ba25

  • SHA256

    edd112e5d957e913076cb86fd6b657318987fef5e2fdd34f46c4b23cccd9ae20

  • SHA512

    32f162b0b70ad5efe95974078d446d836cb7665db344a93295e7fc2f4a738f661ea79c67ac7ea30ace95d5834ef6f491f5b291f0e5072ff8c43e6545957bc256

  • SSDEEP

    49152:f1m333333333333333333333333333333333333333333333333333333333333w:l

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      edd112e5d957e913076cb86fd6b657318987fef5e2fdd34f46c4b23cccd9ae20.exe

    • Size

      13.3MB

    • MD5

      57163e49f6f67475836d3d49abab1a6f

    • SHA1

      b11e58b16d751db535317a0aacca97c20ae7ba25

    • SHA256

      edd112e5d957e913076cb86fd6b657318987fef5e2fdd34f46c4b23cccd9ae20

    • SHA512

      32f162b0b70ad5efe95974078d446d836cb7665db344a93295e7fc2f4a738f661ea79c67ac7ea30ace95d5834ef6f491f5b291f0e5072ff8c43e6545957bc256

    • SSDEEP

      49152:f1m333333333333333333333333333333333333333333333333333333333333w:l

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks