General

  • Target

    c205b7fe1ffd71e1a00dbd175dde5352aa7e7e7c81754994c5ad0923e629d591.exe

  • Size

    10.5MB

  • Sample

    241122-rmt9naslcs

  • MD5

    f437958a717001f8bb29ca023faf9bb7

  • SHA1

    6771eacfab06f9290ca7276974e206316739e8bb

  • SHA256

    c205b7fe1ffd71e1a00dbd175dde5352aa7e7e7c81754994c5ad0923e629d591

  • SHA512

    37b3ea8fe4ac0288611010d69da0556c105eb3a886c512d4047f70f335dee9ce4cf76d5eda46d627a0d2965a187aa6ce0f434c279d8c64db25b8b4dcc059c6ff

  • SSDEEP

    12288:jnWdwQB3a1ZAXYlVR7jbMviJvK3SRL/R/R/R/R/R/R/R/R/R/R/R/R/R/R/R/R/D:jnWdFB3a1ZLlsviJv9

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      c205b7fe1ffd71e1a00dbd175dde5352aa7e7e7c81754994c5ad0923e629d591.exe

    • Size

      10.5MB

    • MD5

      f437958a717001f8bb29ca023faf9bb7

    • SHA1

      6771eacfab06f9290ca7276974e206316739e8bb

    • SHA256

      c205b7fe1ffd71e1a00dbd175dde5352aa7e7e7c81754994c5ad0923e629d591

    • SHA512

      37b3ea8fe4ac0288611010d69da0556c105eb3a886c512d4047f70f335dee9ce4cf76d5eda46d627a0d2965a187aa6ce0f434c279d8c64db25b8b4dcc059c6ff

    • SSDEEP

      12288:jnWdwQB3a1ZAXYlVR7jbMviJvK3SRL/R/R/R/R/R/R/R/R/R/R/R/R/R/R/R/R/D:jnWdFB3a1ZLlsviJv9

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks