tofsee | 270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cb

General

Target

270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
Size

94KB
MD5

78ecd98f4df225f36ad1bf18814c8360
SHA1

30e99fdb525eb0163e76c943e6db50b16dce38f7
SHA256

270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cb
SHA512

b3f3a9be6d66f697f262383553015be43bb427853399a1f774d4418d202898dd2bbdc1ef7edd899c576020746d6f2b6cd0c78d6318eb03f74a525cf8e6816aa6
SSDEEP

1536:HaT5HC7L9vnEexvevA17dfTWmU6WmQt8upcr/d:HaT5aLaexbditRtsrF

Score

10^/10

tofsee discovery persistence trojan

Malware Config

Extracted

Family

tofsee

C2

91.218.38.211

188.130.237.71

185.25.48.10

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee

Executes dropped EXE 1 IoCs

pid	Process
2812	qdivango.exe

Loads dropped DLL 2 IoCs

pid	Process
2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\qdivango.exe\""	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 2964	2812	qdivango.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdivango.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
2812	qdivango.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2812	2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	30
PID 2952 wrote to memory of 2812	2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	30
PID 2952 wrote to memory of 2812	2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	30
PID 2952 wrote to memory of 2812	2952	270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe	30
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31
PID 2812 wrote to memory of 2964	2812	qdivango.exe	31

C:\Users\Admin\AppData\Local\Temp\270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe
"C:\Users\Admin\AppData\Local\Temp\270e15b50f3eb2895ff790fba1b9137672639bbb75d08520c26933364ab010cbN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\qdivango.exe
  "C:\Users\Admin\qdivango.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2878.bat" "
  2⤵
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2878.bat

Filesize
304B

MD5
ec810792e03a6d1301b29fa59bc47325

SHA1
db2f2b2daea6c8c4fece7a56ec632bebe31dad70

SHA256
f68525075f9d1f5a20951682abedbd9400ab0cc35f8513e311c1f14edc1cc386

SHA512
78689f139e741289cf934c117d27e6fde85b922c1df1d339a10874b5985d31c2a2e6537de93291da1f005336c7c2a5a362209f31f27b5ce31b269f8ccbe3f3a7

Download Submit
C:\Users\Admin\qdivango.exe

Filesize
20.2MB

MD5
ed7dbb89d820cfb02c8393335ae2443a

SHA1
9c36d5014117da86c120bab31c752b6d0e697c57

SHA256
8a3fc4a792be52ea600a00f46bdcf5a15de1789cd60ad5e48206a5009c942cc1

SHA512
6668ba8e110c8776475acff3016d9a221b2fa951abcec2ec7a8ab1546185a2e638446716fbd3b959e0077973c439ad21de9806c1786599e25e5ed7d21c3ac89b

Download Submit
C:\Users\Admin\qdivango.exe

Filesize
19.6MB

MD5
f63bc6cea952defabb69009e9f98aea8

SHA1
3abda7304cade23aabe86d80cb8f4d8b024d02e6

SHA256
42d2c675a7ebf321a6c1799d81075b788495c598a90d50372bc0d96715a780ab

SHA512
1c9b93326870537f390935305f31b98e1848e79fe330535ec959ee3359fcbde8f2d02d444e8ba5a73700a92c93552cfb544fabc2318d68f4801e8257dbfead7a

Download Submit
C:\Users\Admin\qdivango.exe

Filesize
17.9MB

MD5
c7321e63dbee62250a56821b86a34e23

SHA1
19cb398a9f33fd02a846b100c3a102152a971f14

SHA256
e2e9541ad4a39071516d5640fe53b8f34e1f36b39eea4bb276a29db49d771747

SHA512
39fdbf3822eecdc62e6dad66bc21fc82251fdf0add3ae0adc4bb5c6d8a3e0ef6a4f9062eda28a125b63465986df2c0824c9301151f36a6a3604d0f43970877c9

Download Submit
\Users\Admin\qdivango.exe

Filesize
19.9MB

MD5
34f41215353a90144a81f8c20793c74b

SHA1
8ca4985d8a8f703967e948d9e0507e5d66f95253

SHA256
4c3c627eb59df4c3a2d1224bb1c3fc14bada6656663b3c9b19fd0a55804246f6

SHA512
f605ed3ed74f433f4634586d154ad44a68e8f709a99475a173c521ee164ee5c94175c77941fc28f59f867c392acd2d53ba2a4a53086f8b1536509fcd2403c4d8

Download Submit
\Users\Admin\qdivango.exe

Filesize
18.3MB

MD5
ea5dcf82c429da8fba2048cf65cbec62

SHA1
0cd7c34d5d4172c6e1634124a0f67a4f9ad1fcab

SHA256
be66277125437cc7a7de5c783f91c1b263db5fee76b970c4d65864c688964439

SHA512
d07ceabef8a5ba7dee0294cbea0fe3a549f1957ae04aa34196a085e4c2fea9a879202a4282d23ebedd709e5b582cb80a800125b93e4a23e1c52d9f0268a3feaf

Download Submit
memory/2812-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2812-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2812-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2952-38-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2952-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-0-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2964-21-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2964-16-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2964-13-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2964-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-24-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2964-27-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2964-29-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2964-40-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads