General
-
Target
2025-03-30_3984de03446668e2855f8a137422130e_amadey_rhadamanthys_smoke-loader
-
Size
12.7MB
-
Sample
250330-k9gthsvyct
-
MD5
3984de03446668e2855f8a137422130e
-
SHA1
86477a07c4adb55a4f1cd6bfcdff69af4784c0d7
-
SHA256
91c46b2cafc037c13f3cc3f28b09af4abf9db3b1b5793a0d3a89d42b2a44f2ea
-
SHA512
e87d0d6f7fbeef21eeacb75a57407169f70425f0272efc92dd8ca84167372f537414cb7f594cc363ffa224d57d247d1ee0640d6a43ddb442d4e829852a4a0d13
-
SSDEEP
12288:TQy+PKMBWNKZ8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8L:TQy+Pcy
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2025-03-30_3984de03446668e2855f8a137422130e_amadey_rhadamanthys_smoke-loader
-
Size
12.7MB
-
MD5
3984de03446668e2855f8a137422130e
-
SHA1
86477a07c4adb55a4f1cd6bfcdff69af4784c0d7
-
SHA256
91c46b2cafc037c13f3cc3f28b09af4abf9db3b1b5793a0d3a89d42b2a44f2ea
-
SHA512
e87d0d6f7fbeef21eeacb75a57407169f70425f0272efc92dd8ca84167372f537414cb7f594cc363ffa224d57d247d1ee0640d6a43ddb442d4e829852a4a0d13
-
SSDEEP
12288:TQy+PKMBWNKZ8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8Z8L:TQy+Pcy
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2