General

  • Target

    8fcd431b3939e62180adfe1473fbd7bd18afd42145d85c2c7b9c68c0262dcd61.exe

  • Size

    13.9MB

  • Sample

    241123-gv37esznaz

  • MD5

    79dc2160ea73f5a008c5a7b25fb1f1ec

  • SHA1

    329fd850c1dd7541b67ff9b76d532645549a69e0

  • SHA256

    8fcd431b3939e62180adfe1473fbd7bd18afd42145d85c2c7b9c68c0262dcd61

  • SHA512

    02554429e5526535d1e82feb39b24f88a4bd068355a46efe3b335a57bd417276d4ae8d976a28bb26913c37d55ccb90898c0b115057d1e3924eb795b76db3bb6e

  • SSDEEP

    49152:2yzapZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZy:2CF

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
