General

  • Target

    4b2eae5f660d21810fb7d69e18c361751faa4bc3518d6803c64984cdd6cac5a8.exe

  • Size

    333KB

  • Sample

    241124-fb44ya1kbj

  • MD5

    76a120236d4a3c44182016bd9a05417c

  • SHA1

    c548777e9a3fb26597525edee630c79231357a5b

  • SHA256

    4b2eae5f660d21810fb7d69e18c361751faa4bc3518d6803c64984cdd6cac5a8

  • SHA512

    e773fa8ed3eeb3aae4ce818553f5f06a9f3c8f7e7b89135c10743bffb989b16862d0e29d855194203aef3a1fe19420308bddad92922b3b1bd1a6357e09ffe246

  • SSDEEP

    6144:xOYmVlRyNQpj0ViCx2xKxc9Sh/KXl/wLWlWC8RzZap6j:xW7Rw2j0VmKqgJKXlwGeVZL

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

    • Target

      4b2eae5f660d21810fb7d69e18c361751faa4bc3518d6803c64984cdd6cac5a8.exe

    • Size

      333KB

    • MD5

      76a120236d4a3c44182016bd9a05417c

    • SHA1

      c548777e9a3fb26597525edee630c79231357a5b

    • SHA256

      4b2eae5f660d21810fb7d69e18c361751faa4bc3518d6803c64984cdd6cac5a8

    • SHA512

      e773fa8ed3eeb3aae4ce818553f5f06a9f3c8f7e7b89135c10743bffb989b16862d0e29d855194203aef3a1fe19420308bddad92922b3b1bd1a6357e09ffe246

    • SSDEEP

      6144:xOYmVlRyNQpj0ViCx2xKxc9Sh/KXl/wLWlWC8RzZap6j:xW7Rw2j0VmKqgJKXlwGeVZL

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks