General

  • Target

    94c44c1feea87dc133e282cc400aa42253437a7507e322bdd4bb9b0f1583c43c.exe

  • Size

    13.0MB

  • Sample

    241123-vyrvfsvmgk

  • MD5

    69c888117b9871c18a2e6bcdd3daf0ed

  • SHA1

    73d9450909f4e5720dc710634bd5a600f55b2d65

  • SHA256

    94c44c1feea87dc133e282cc400aa42253437a7507e322bdd4bb9b0f1583c43c

  • SHA512

    6f4fe3799aea3821aa6b4e9562ab2f7ef36b664baad502f2dd24489f9b31c84f85bb8d3a2f97361247a664ab23d7557983bd2c8176810f25454985eeb2a2110b

  • SSDEEP

    196608:lYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYU:e

Malware Config (extracted)

  • Family

    tofsee

  • C2

    quadoil.ru
    lakeflex.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
