General

  • Target

    4d55358286fd76967fae14a6475c84db7ae260f4658900c333e73517aa342179.exe

  • Size

    14.9MB

  • Sample

    241123-raryrswlcs

  • MD5

    ba9e3af2c7d730fa19561efec03a010b

  • SHA1

    27b233843d99bb472e12080564613cf356e4a6a1

  • SHA256

    4d55358286fd76967fae14a6475c84db7ae260f4658900c333e73517aa342179

  • SHA512

    3c98f8d2a528f34a9aae207df7cc1dc893746baf417a7f28c822197c853fbbedc6dfcea149d50c0ebc6e754f985263eb3ec15f2134bce1e23b04d950c6a4363d

  • SSDEEP

    196608:bpWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWk:d

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      4d55358286fd76967fae14a6475c84db7ae260f4658900c333e73517aa342179.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks