General

  • Target

    c8b505762941917003a601f5528107f2f8430f28ba872d46402ae0e2072f73d0.exe

  • Size

    12.7MB

  • Sample

    241122-mt58aavpbp

  • MD5

    e2151306920f0b6337def574ee7008d6

  • SHA1

    8679ca5f98cfc2b88fc988b79c5bf9a36c7d3775

  • SHA256

    c8b505762941917003a601f5528107f2f8430f28ba872d46402ae0e2072f73d0

  • SHA512

    97fc4eb0636c5917c5aadb433a90a89412a86ed731782347d6c7f6dc19ba8090972c6fa2a7dde6a05d10d1e35f5c637cb3a961f823592ab47f65daaab491bca1

  • SSDEEP

    49152:TP1IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIK:c

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      c8b505762941917003a601f5528107f2f8430f28ba872d46402ae0e2072f73d0.exe

    • Size

      12.7MB

    • MD5

      e2151306920f0b6337def574ee7008d6

    • SHA1

      8679ca5f98cfc2b88fc988b79c5bf9a36c7d3775

    • SHA256

      c8b505762941917003a601f5528107f2f8430f28ba872d46402ae0e2072f73d0

    • SHA512

      97fc4eb0636c5917c5aadb433a90a89412a86ed731782347d6c7f6dc19ba8090972c6fa2a7dde6a05d10d1e35f5c637cb3a961f823592ab47f65daaab491bca1

    • SSDEEP

      49152:TP1IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIK:c

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks