General

  • Target

    bce3694725d1ffe6c07fdfaa7b72f20ae3b458bbd713bcb12aa6f0692d1f4794.exe

  • Size

    10.0MB

  • Sample

    241124-e68vyazrbn

  • MD5

    e73ea7459977529317345e65c0f15267

  • SHA1

    345f6930733b34578650cb65168ee93aa45457eb

  • SHA256

    bce3694725d1ffe6c07fdfaa7b72f20ae3b458bbd713bcb12aa6f0692d1f4794

  • SHA512

    1e89c8bac3fbfe785d271ba48680b50c259438b7816429b6dfa5d976fc46276a4749c837576667fac90249e50182691d52cee0d11b6d8ef1db97dedcf16113f0

  • SSDEEP

    49152:bkHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHP:I

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      bce3694725d1ffe6c07fdfaa7b72f20ae3b458bbd713bcb12aa6f0692d1f4794.exe

    • Size

      10.0MB

    • MD5

      e73ea7459977529317345e65c0f15267

    • SHA1

      345f6930733b34578650cb65168ee93aa45457eb

    • SHA256

      bce3694725d1ffe6c07fdfaa7b72f20ae3b458bbd713bcb12aa6f0692d1f4794

    • SHA512

      1e89c8bac3fbfe785d271ba48680b50c259438b7816429b6dfa5d976fc46276a4749c837576667fac90249e50182691d52cee0d11b6d8ef1db97dedcf16113f0

    • SSDEEP

      49152:bkHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHP:I

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks